Report: Smart-grid hackers could cause blackouts

Deployments of smart grids should be slowed until security vulnerabilities are addressed, according to some cybersecurity experts, citing tests showing that a hacker can cause a major blackout after breaking into a smart-grid system.

The idea behind smart grids, a burgeoning energy sector in which even Google is playing a role, is that automated meters and two-way power consumption data can be used to improve the efficiency and reliability of an electrical system's power distribution. A washing machine in a household hooked up to a smart meter, for instance, could be set up to run only at lower-cost, off-peak hours, and a home sporting solar panels could give power back to the grid.

Through the U.S. economic-stimulus package, the Department of Energy is set to invest $4.5 billion in smart-grid technology. And while many utilities are embracing the initiative by installing smart meters in millions of homes nationwide, security experts and others caution that the technology may not be ready for prime time. According to a CNN report published Friday evening:

Cybersecurity experts said some types of meters can be hacked, as can other points in the smart grid's communications systems. IOActive, a professional security services firm, determined that an attacker with $500 of equipment and materials, and a background in electronics and software engineering, could "take command and control of the (advanced meter infrastructure), allowing for the en masse manipulation of service to homes and businesses."

Experts said that once in the system, a hacker could gain control of thousands, even millions, of meters and shut them off simultaneously. A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout. No one knows how big it could get.

"Industry is working to make meters more secure. They have done a good job," said Joe Weiss, an expert on utility control systems.

Still, experts like Skoudis recommended that smart-grid deployment be slowed until security vulnerabilities are addressed. Otherwise, he said, smart-grid equipment deployed now may have to be replaced later.

"Before we go rushing headstrong into a Smart Grid concept, we have to make sure that we take care of business, in this case cybersecurity," he said.

Industry regulators and industry executives earlier this month echoed concerns to Congress about rapid smart-grid deployments, cautioning that a lack of industry standards for security, reliability, data sharing, and privacy could result in government money wasted on proprietary smart-grid technologies that are not interoperable with each other and that are destined to soon become obsolete.

"I don't think the sky is falling," William Sanders, principal investigator for the National Science Foundation Cyber Trust Center on Trustworthy Cyber Infrastructure for the Power Grid, told CNN. "I don't think we should stop deployment until we have it all worked out. But we have to be vigilant and address security issues in the smart grid early on."

[H4MM3R]

7 years ago the PBS program Frontline covered this same story. Frontline: Cyber War!

[bob1xxxx]

This is old old old news and it wasnt cyber hackers that did this most effectively it was energy traders,remember the California blackouts caused by manipulating energy trades , remember ENRON? hmmmm, gods what next stories that the earth really isn't flat. Wow please blog something really news worthy or not at all, stories like this just makes Cnet looks dumber and dumber by the minute and the sale to cbs has only accelerated the process.

[Lerianis3]

Yeah, it's more likely that blackouts will be caused by shenanigans on the market than by anything else, including someone hacking into power companies.

[H4MM3R]

The Pros and Cons of the smart meter

Pros
Better security
Stronger Grid
More flexibility
Knowledge of usage
Remote control of usage

Cons
Allowing Utilities to have a surcharge to pay for the smart grid
decoupling= Higher cost per KWh.
Carbon tax
Green tax

[robertmacewan]

jesus not this freaking ghost chase again

[rafaluis]

this story is no doubt paid for by a consortium of utility companies and fossil fuel producers - its a joke - digital technology is good enough for telecommunications and even our banks but not the grid ... oh golly gee it probably gets especially vulnerable to mayhem if you connect the system to a wind farm

[Lerianis3]

WEll, there are some people who have said that telecommunications equipment at the banks is insecure as well: look at all the **** that happened when people hacked into the banks on numerous occasions.
This kind of stuff needs to be bulletproof, with multiple layers of redundancy built into the system and multiple firewalls to get past if it is going to be used on the electric grid.

[akiba_freak]

The original post came from Travis Goodspeed's blog on a side channel attack for 802.15.4. He has talked about vulnerabilities in wireless sensor networks. I've written up an a post that responds to this at http://www.freaklabs.org .

Akiba
FreakLabs Open Source Zigbee Project
http://www.freaklabs.org

It may be a rehash of an old story, but we need not forget the 2003 blackout caused by the Microsoft worm. rafaluis: "Good enough" for banking, airlines, etc. is not a good comparison when without power nothing else matters.

[screamapillar]

Agreed, lives are at stake when power goes out...

[quackledork]

More FUD from IOActive. Whenever I see this company quoted for security, I know its going to be BS. I saw their wonderkid Kaminsky speak at SecureWorld a few months back. His presentation was insulting. Its no wonder IOActive wants us all to believe there is a big problem here - they are in a position to make big money from helping fix the problem. I am so sick and tire of 'consultants' like this. When it came time for a security audit at our firm, I made darn sure IOActive was NOT on our short list of vendors. I have no interest in their brand of FUD.

[TheGeekReview]

Yea and the Y2k bug will create havoc.

FUD you got to love it.

[Maarek Stele]

Die Hard 4 anyone?

with the smart grids, you'll start seeing firewalls next to transformers. :)

[johnfranks1234]

Regarding systems: The bigger they come, the harder they fall. Run to the library and read the last chapter of the book "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." That chapter is called "What's At Stake", and is a treatment of huge vulnerabilities involving utilities (water, power, policing, etc.) and systems (banking, communications, hospitals, food production and distribution, etc.) in the event of natural and man-made attacks and disasters (including EMP - Electro-magnetic Pulse). This interview is phenomenal, and touches on it at the end - http://www.businessforum.com/DScott_02.html - but you really need to read that last chapter - Chapter 21 - in the book. Highly recommended - and really, it's a word to the wise - in the realm of risk, unmanaged possibilities become probabilities; the whole book is a solid investment for business.

[MD_Willington]

- FUD -

NERC is already mandating CIP encryption, many utilities already use encryption.

The biggest threat to the grid is direct interactions. A length of pipe, several feet of chain, or a well placed round from a rifle can mess up a substation faster than someone with a computer.

[billcoughlan]

Once again an Expert says we should continue on, even though we are not quite ready. There is a system just begging for a hacker to work his magic and say " I told you so "

[Jamer63]

Here's an idea. Perhaps if more people installed solar and wind generation on their own homes. Staying off the grid. Not rselling back to it where only a fractional payment is given. This cyberterrorism would not be so realistic. In addition to using this self generated power to use on household appliances. Extra power stored could be used to produce your own hydrogen for home heating and automobile fuel cells. Thus, reducing fossil fuel consumption needs.