Last week I wrote about the risk of malware to industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities. These sites are increasingly subject to computer control, and therefore potential targets for worms and trojans that could wreak major damage. The security technology that protects industrial computers is very primitive compared to the monitors and barriers that are available to users of home PCs. I shared my conviction that the risk is “imminent and dire.”
I've continued researching this issue, and uncovered a vulnerability that I hadn't previously considered. We are even more vulnerable than I initially thought.
It turns out that electrical utilities throughout the country – all over the world – are in a mad rush to replace the electromechanical meters that have recorded home and business electricity usage for decades with new “smart” meters.
Smart meters make a lot of sense. They allow utilities to read customers' usage figures without the need to send a technician door-to-door to read meters. They alert utilities to power outages and energy theft. Utilities see them as hubs that coordinate the activities of energy-consuming appliances, scheduling them to run at off-peak hours when electricity is plentiful and inexpensive. Smart meters allow utilities to cut off electrical power without an on-site visit. Innovative pricing plans could be set up, in which customers pay a low flat fee for baseline consumption plus a premium price for overages, for example. Overall electrical savings of up to 10 percent have been reported. Studies demonstrate that the cost of upgrading to smart meters is quickly recouped in increased efficiency.
The problem is that smart meters enable two-way communications between customers and utilities over pipelines that are at present minimally encrypted at best. In the U.S., most utilities are standardizing on wireless links based on the ZigBee spec. However, other sections of the wireless spectrum are also in use. In Maine, customers found that smart meters interfered with the use of wireless routers, cordless phones, electric garage doors, and answering machines.
Application code for smart meters is written as if it will be run in a secure sandbox. Monitor and control messages are relayed without authentication. Researchers have demonstrated that they can take over smart meters and inject malware that propagates from customer to customer. They can then turn power on or off, reveal power usage, or uncover sensitive system-configuration settings.
It would be a simple matter for a determined but relatively unskilled hacker to exploit these vulnerabilities to turn off the power to hundreds of thousands of customers at once – perhaps during the coldest days of winter, when the need for electricity to control and fuel heating systems is vital. The stakes are much higher than a virus infection on a home PC.
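A sketch of the control that is missing when monitor and control messages are relayed without authentication, added here as an illustration and not taken from any meter vendor or from the research mentioned above: the meter acts on a command only if it carries a valid HMAC-SHA256 tag under that meter's own key and a counter it has not already seen. The frame layout, command codes, meter IDs, and keys are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; the assumption is one unique secret per meter.
KEY_A = hashlib.sha256(b"constructed demo key A").digest()
KEY_B = hashlib.sha256(b"constructed demo key B").digest()
CMD_READ, CMD_DISCONNECT, CMD_RECONNECT = 1, 2, 3
HEADER = struct.Struct(">IQB")  # meter id, message counter, command code
TAG_LEN = hashlib.sha256().digest_size

def build_command(key, meter_id, counter, command):
    """Utility side: serialize the command and append an HMAC-SHA256 tag."""
    body = HEADER.pack(meter_id, counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Meter:
    def __init__(self, meter_id, key):
        self.meter_id, self.key = meter_id, key
        self.last_counter = 0   # highest counter accepted so far
        self.power_on = True

    def handle(self, frame):
        """Change state only for an authentic, fresh, well-formed command."""
        if len(frame) != HEADER.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad tag"
        meter_id, counter, command = HEADER.unpack(body)
        if meter_id != self.meter_id:
            return "rejected: wrong meter"
        if command not in (CMD_READ, CMD_DISCONNECT, CMD_RECONNECT):
            return "rejected: unknown command"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if command != CMD_READ:
            self.power_on = (command == CMD_RECONNECT)
        return "accepted"

def demo():
    meter, neighbor = Meter(1001, KEY_A), Meter(1002, KEY_B)
    off = build_command(KEY_A, 1001, 1, CMD_DISCONNECT)
    flipped = off[:12] + bytes([CMD_RECONNECT]) + off[13:]  # tampered in transit
    return [meter.handle(off), meter.handle(off),
            neighbor.handle(off), meter.handle(flipped)], meter.power_on

print(demo())
```

Because each meter holds its own key, a frame that is valid for one customer's meter is rejected by the neighbor's, and a captured frame cannot be replayed or altered on the way.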
Less dramatic but still troubling is the potential for privacy loss. Utilities will no longer take once-a-month snapshots of electrical usage. They'll be updated on a minute-by-minute basis. Researchers have demonstrated that different devices within the home generate recognizable signatures in detailed usage records. Electric companies, which have previously had minimal reason to maintain data-security policies, will be in possession of terabytes of potentially sensitive information. In an October 2010 report, the U.S. Department of Energy declared that smart meters “could significantly increase the amount of potentially available information about personal energy consumption…whether their (customers’) homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”
Smart meters are being installed by the millions, both in the U.S. and around the world. The U.S. has invested about $8 billion in the transition so far. Utilities are eager to install the meters, in part because peculiar aspects of their regulation agreements specify that the amount they charge customers is related to the amount they spend on infrastructure improvements. (Don't get me started.)
In August, California's Public Utilities Commission drafted regulations that required its three largest utilities to implement baseline security measures in smart meters. But this legislation is lacking elsewhere.
I would worry even if security guidelines were universally implemented. Electric meters may get periodic firmware updates, but the basic hardware is replaced only after 15 or 20 years of use. History teaches us that encryption methods and other security measures that seem sufficient according to today's standards will be laughably inadequate in years to come.
The good news, I suppose, is that all of this technology deployment means more employment for software developers. Including, I predict, those with a solid background in implementing data-security measures.
Web recommendation: Programming blogs are a dime a dozen. Most start strong with a couple of long-overdue, comprehensive rants, then subside into irregular griping. Jeff Atwood's Coding Horror is an exception. Jeff shares enough personal detail to surface as a real human being, and his technical articles are well-written and interesting. Very good stuff. J.D. say check it out.
J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He is slowly warming (no pun intended) to the Serbian notion of heating with wood.