Smart Meters Ripe for Attack

Thursday, October 28, 2010 @ 08:10 AM gHale


Smart meter usage continues to gain momentum in nearly all regions of the world, but the problem is cyber security was never a thought when the first devices came out.
Now, utilities, governments, systems integrators, device manufacturers, standards bodies, and nearly everyone else involved realize smart meters and their surrounding networks can suffer from an attack, and cyber security measures are necessary to protect the meters and their environment, according to the “Smart Meter Security” study by Pike Research.
There are effective countermeasures to mitigate those attacks, or at least make them survivable, according to the study.
Smart meters represent a worst-case scenario in terms of security: the devices lack sufficient power to execute strong security software; they usually go in physically nonsecure locations; and installation occurs in volumes. Therefore, the only valid cyber security approach for smart metering is to assume from the outset some devices will fall victim to an attack and there needs to be sufficient resiliency to allow the remainder of the network to survive. While no one has completely solved this problem, there are enterprises working toward a solution, according to the report.
This report assesses in considerable detail the security risks of smart metering by using ISO 27002:2005 as a baseline to identify topics for consideration. The ISO standard is extremely thorough and considers not only the standard cyber security risks but also intangibles such as intellectual property risk, reputation risk, and human resources risk.
Perhaps the most critical finding of this report is end-to-end protection of private consumer or commercial usage data is impossible. At the local end, home area networks (HANs) and building networks perform well in terms of keeping data encrypted within their domains. Similarly, utility networks including neighborhood area networks do a good job of keeping data encrypted within their domains. However, both domains terminate at the smart meter, and the only way for data to pass from one to the other, from a HAN to a neighborhood area network (NAN), is for the smart meter to decrypt the data from one side and re-encrypt it on the other, according to the study. Consequently, the data are, for a short while, unencrypted on the meter and could be successfully eavesdropped.
The standard concern regarding eavesdropped consumer data is the loss of privacy. This is a valid concern, especially in jurisdictions with severe penalties for violation of data privacy laws, according to the study. However, a greater concern is attackers could obtain a steady stream of data in its encrypted and unencrypted forms. Over time, this makes possible a known-plaintext attack, which could enable an attacker to discover the smart meter’s encryption keys and use those to pose as a trusted member of the networks in which the meter participates.
There are concerns about individual fraud, but even more worries about sophisticated attackers that could attempt to gain control of a grid via attacks on its smart metering environment, according to the study.
Attacks against the grid have two obvious motivations: rendering an opponent powerless or obtaining a ransom payment, according to the report. Ransomware attacks against private industry have increased in the past two to three years, and hold the potential for a far greater payout than meter fraud. Multi-factor authentication and event correlation plus intelligent management systems can play a significant role in mitigating these risks.
The increased awareness of cyber security issues leads to a number of opportunities to solve the problems. The smart meter security market should mirror the deployment of meters themselves, with a slight increase in security awareness still to occur during the coming 12 months, according to the report.



One Response to “Smart Meters Ripe for Attack”

  1. […] Smart Meters Ripe for Attack Smart meters represent a worst-case scenario in terms of security: the devices lack sufficient power to execute strong security software; they usually go in physically nonsecure locations; and installation occurs in volumes. Therefore, the only valid cyber security approach for smart metering is to assume from the outset some devices will fall victim to an attack and there needs to be sufficient resiliency to allow the remainder of the network to survive. While no one has completely solved this problem, there are enterprises working toward a solution, according to the report. http://www.isssource.com/smart-meters-ripe-for-attack/ […]


Leave a Reply

You must be logged in to post a comment.