Security researcher Don C. Weber spoke about OptiGuard, a tool that can be used to assess the security of smart meters. The talk was pulled earlier this year at the ShmooCon conference.
LAS VEGAS – BLACK HAT USA – Six months after calling off his talk at another security conference, researcher Don C. Weber stepped in front of an audience at the Black Hat conference in Las Vegas.
His subject: smart meter security, and how the devices on the sides of homes across America could be potentially vulnerable to attack.
“What we’re happening these people understand…where they can improve – help them identify risk and help them prioritize that so they can address these issues in a cost-effective [fashion],” Weber said during remarks to the media after his presentation.
Six months ago, Weber, who works for the security consultancy InGuardians, was set to discuss smart meter security in front of an audience of attendees at ShmooCon security conference in Washington, D.C. He pulled the talk at the request of a vendor.
Today, he discussed a tool he created known as OptiGuard, which he said is designed to help utilities assess the optical port on their smart meters. The optical ports are used by field technician working for utility companies to pull configuration data from the meter, or to configure it. By attacking the optical port, an attacker could potentially access it and obtain free energy, commit corporate espionage tied to energy-usage levels or commit other acts, he said.
“These are publicly facing devices,” he said. “They can’t have somebody standing at every single meter to make sure you don’t mess with it. They can’t have a camera at every single meter.”
SecureState, another critical infrastructure consultancy, released a similar tool last week. While SecureState released the tool publicly, InGuardians opted to only make their tool available to utilities and the researchers that work with them.
Optiguard supports is a tool that supports the ANSI C12.18 communication protocol, and enables users to potentially run procedures and read and write to tables.
“One of the things that came out of this testing is that… not every single meter manufacturer protects every table,” Weber explained during his presentation. “There might be some configuration data that they think doesn’t necessarily need to be protected by a security password…What our tool is doing is it’s providing the utilities with the capability to look to see on these meters what information can I pull off without a security code. And then they can turn back around to the third-party service provider or to the meter vendor, and say, hey, why aren’t we protecting this?”
Weber said that there are a number of security mechanisms companies can pursue to protect smart meters, ranging from tamper alarms, toggle the optical port and secure data storage of information on the meter.
Though he was reluctant to give the smart grid a grade in terms of safety citing the number of factor s involved – from the products being used to implementation – he told members of the media that he was confident that companies are doing their best to implement the technology securely.
“Nobody likes you to tell them that their baby’s ugly,” he said. “We might say that your baby’s ugly but we’re also showing you that when your baby grows up, if it grows up properly… and you do the proper things, then it will be a beautiful baby, it will be a beautiful adolescent and an adult.”
Related Reading: Fun and Games Hacking German Smart Meters
Related Reading: Smart Meters Widely Considered Vulnerable to False Data Injection