Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Black Hat

Black Hat: Smart Meter (In)Security Spotlighted in Talk

Black Hat 2012

Security researcher Don C. Weber spoke about OptiGuard, a tool that can be used to assess the security of smart meters. The talk was pulled earlier this year at the ShmooCon conference.

Black Hat 2012

Security researcher Don C. Weber spoke about OptiGuard, a tool that can be used to assess the security of smart meters. The talk was pulled earlier this year at the ShmooCon conference.

LAS VEGAS – BLACK HAT USA – Six months after calling off his talk at another security conference, researcher Don C. Weber stepped in front of an audience at the Black Hat conference in Las Vegas.

His subject: smart meter security, and how the devices on the sides of homes across America could be potentially vulnerable to attack.

“What we’re happening these people understand…where they can improve – help them identify risk and help them prioritize that so they can address these issues in a cost-effective [fashion],” Weber said during remarks to the media after his presentation.

Six months ago, Weber, who works for the security consultancy InGuardians, was set to discuss smart meter security in front of an audience of attendees at ShmooCon security conference in Washington, D.C. He pulled the talk at the request of a vendor.

Power Grid Security

Today, he discussed a tool he created known as OptiGuard, which he said is designed to help utilities assess the optical port on their smart meters. The optical ports are used by field technician working for utility companies to pull configuration data from the meter, or to configure it. By attacking the optical port, an attacker could potentially access it and obtain free energy, commit corporate espionage tied to energy-usage levels or commit other acts, he said.

“These are publicly facing devices,” he said. “They can’t have somebody standing at every single meter to make sure you don’t mess with it. They can’t have a camera at every single meter.”

SecureState, another critical infrastructure consultancy, released a similar tool last week. While SecureState released the tool publicly, InGuardians opted to only make their tool available to utilities and the researchers that work with them.

Advertisement. Scroll to continue reading.

Optiguard supports is a tool that supports the ANSI C12.18 communication protocol, and enables users to potentially run procedures and read and write to tables.

“One of the things that came out of this testing is that… not every single meter manufacturer protects every table,” Weber explained during his presentation. “There might be some configuration data that they think doesn’t necessarily need to be protected by a security password…What our tool is doing is it’s providing the utilities with the capability to look to see on these meters what information can I pull off without a security code. And then they can turn back around to the third-party service provider or to the meter vendor, and say, hey, why aren’t we protecting this?”

Weber said that there are a number of security mechanisms companies can pursue to protect smart meters, ranging from tamper alarms, toggle the optical port and secure data storage of information on the meter.

Though he was reluctant to give the smart grid a grade in terms of safety citing the number of factor s involved – from the products being used to implementation – he told members of the media that he was confident that companies are doing their best to implement the technology securely.

“Nobody likes you to tell them that their baby’s ugly,” he said. “We might say that your baby’s ugly but we’re also showing you that when your baby grows up, if it grows up properly… and you do the proper things, then it will be a beautiful baby, it will be a beautiful adolescent and an adult.”

Related Reading: Smart Grids Need to be Updated, Rebuilt With Security to Reduce Vulnerabilities

Related ReadingFun and Games Hacking German Smart Meters

Related ReadingSmart Meters Widely Considered Vulnerable to False Data Injection

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.