by Vince Welage, SWORT board member
Cyber Security Vital to Smart Metering Deployment
As the adoption of “Smart Meters” and advanced metering infrastructure (AMI) has become more widespread, their appeal to cyber attackers has increased significantly.
This means that utility companies must address security vulnerabilities across multiple layers from the start. For the most part, utilities rely on service providers and vendors to comply with cyber security regulatory requirements.
For this reason, many security compliance efforts have neglected the newly built “smart” infrastructures in power grids, which suggests that electric utilities should expect them to have weaknesses.
With regard to cyber security, Duke Energy has already been the target of cyber attacks and has had to pay fines because of cyber security violations. Duke reported 650 million attempted cyber attacks in 2017. Another Ohio utility, First Energy, has confirmed the need for frequent meter replacement because the meters are computers.
Because AMI allows for 2-way communication and remote management of in-field devices, security breaches could allow unwanted changes to be made to device configuration and settings. IBM has reported that millions of Smart Meters are already vulnerable and could be wrecked by hackers. If Smart Meters move to 5G networks, the cyber security risk becomes more significant because 5G technology is software-based. This means the meter is exposed to hackers using backdoor or call-home mechanisms that can go undetected when installed during regular software upgrades.
An electric Smart Meter is much the same as other Internet of Things (IoT) based products, such as a Smart TV or Smart refrigerator, and is wrapped in the same privacy and security concerns. Federal IoT Guidelines that establish minimum security standards for IoT devices procured by the federal government are moving closer to becoming law. However, the Smart Meter can’t be disconnected and discarded unless the homeowner wants to lose all electric power to the home. Residential Smart Meter installations result in both unwanted and forced surveillance. Currently, utility Smart Meters aren’t safe. They don’t have surge protectors and are prone to fires and explosions. Advanced meters must be properly grounded and have adequately rated surge protection in order to divert a lightning strike or some kind of short-circuit incident.
All of these new power grid infrastructures are essentially large, distributed networks of computers that can be hijacked for financial gain. This means that criminal organizations have an ongoing mission to steal utility assets and sell them back to the utility. These bad actors go after what a utility relies on the most to operate: data and grid infrastructure.
Malware can be developed to target Smart Meters, launched, and used to take control of tens of thousands, if not millions, of Smart Meters. The attackers then change the targeted utility’s security keys, pushing the utility out of its own infrastructure. Utilities accept the security risks that come with remote software updates because they expect the newly built computerized infrastructures to gain new capabilities, thus increasing the return on investment.
Smart Meters are often used for more than billing consumers for the energy and water they use. Electric utilities use Smart Meters to remotely switch power off, or use Smart Meter data in a series of business processes that base their decisions on information received from the Smart Meters in the field, such as the signal and power quality levels used for fault detection and load balancing. By manipulating this data, attackers can directly change the view of a grid to their advantage.
In addition, Smart Meters are increasingly being used as grid sensors in Smart Sewers through real-time monitoring and control of overflow conditions inside the sewer system. This is an extremely insightful data point from a Smart Grid perspective.
Like other Smart infrastructure, Smart Sewers have had problems. For example, in South Bend, IN, Smart Sewers have been overwhelmed, which has led to sewage being directed into the river.
The Need for Early Detection and Response Planning
Despite the risks, Smart Meters are installed into the grid in an effort to keep companies competitive in the race to the Smart Grid. The switch-over to Smart Meters is in part due to federal mandates that promote Smart Grid projects, which established a national policy for grid modernization. Efforts to secure these new technologies have largely focused on trying to prevent attacks from being successful. Therefore, utilities must invest in early detection and incident response, especially for their newer technologies that may not be procured, developed, or operated with a bad actor in mind. Attacks can be significantly hampered by early detection and pre-planned disaster response playbooks.
However, as of right now, solutions aren’t being applied quickly enough to the latest grid technologies. In May, President Trump issued an Executive Order to make the Smart Grid more secure. He ordered beefed-up efforts to secure the U.S. grid, saying, “The unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” However, new stories of cyber attacks hit the headlines almost every day, which suggests that not every attack can be blocked.
For more details on problems that persist with other Smart Meter components, read my August article in the OSHN archive.
Editor Notes: What to do if you have a smart meter and you don’t want it.
Make a call (or better yet, write a letter via certified mail) to your utility and tell them you demand an analog meter.
If you have been made ill by your “smart” meter, tell them about it in detail. Tell them you know of the people who have gotten analogs. Tell them you are going to the press if they don’t do the same thing for you they have done for others.
Do not accept a digital non-transmitting meter; be aware they also have problems, and are not stable and secure like analog meters.
Do not take “No” for an answer.