Deployments of smart grids should be slowed until security vulnerabilities are addressed, according to some cybersecurity experts, citing tests showing that a hacker can cause a major blackout after breaking into a smart-grid system.
The idea behind smart grids, a burgeoning energy sector in which even Google is playing a role, is that automated meters and two-way power consumption data can be used to improve the efficiency and reliability of an electrical system's power distribution. A washing machine in a household hooked up to a smart meter, for instance, could be set up to run only at lower-cost, off-peak hours, and a home sporting solar panels could give power back to the grid.
Through the U.S. economic-stimulus package, the Department of Energy is set to invest $4.5 billion in smart-grid technology. And while many utilities are embracing the initiative by installing smart meters in millions of homes nationwide, security experts and others caution that the technology may not be ready for prime time. According to a CNN report published Friday evening:
Cybersecurity experts said some types of meters can be hacked, as can other points in the smart grid's communications systems. IOActive, a professional security services firm, determined that an attacker with $500 of equipment and materials, and a background in electronics and software engineering, could "take command and control of the (advanced meter infrastructure), allowing for the en masse manipulation of service to homes and businesses."
Experts said that once in the system, a hacker could gain control of thousands, even millions, of meters and shut them off simultaneously. A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout. No one knows how big it could get.
"Industry is working to make meters more secure. They have done a good job," said Joe Weiss, an expert on utility control systems.
Still, experts like Skoudis recommended that smart-grid deployment be slowed until security vulnerabilities are addressed. Otherwise, he said, smart-grid equipment deployed now may have to be replaced later.
"Before we go rushing headstrong into a Smart Grid concept, we have to make sure that we take care of business, in this case cybersecurity," he said.
Industry regulators and industry executives earlier this month echoed concerns to Congress about rapid smart-grid deployments, cautioning that a lack of industry standards for security, reliability, data sharing, and privacy could result in government money wasted on proprietary smart-grid technologies that are not interoperable with each other and that are destined to soon become obsolete.
"I don't think the sky is falling," William Sanders, principal investigator for the National Science Foundation Cyber Trust Center on Trustworthy Cyber Infrastructure for the Power Grid, told CNN. "I don't think we should stop deployment until we have it all worked out. But we have to be vigilant and address security issues in the smart grid early on."