Security Experts:

Paranormal Activity: A Possible Reality?

It won’t be long before attackers discover that your home automation system is connected to everything.

A man is stuck in traffic on his way to work. His mind wanders and his OCD kicks in: Did I leave the toaster plugged in? He pulls out his smartphone and taps the app labeled "Home Automation", then taps "Kitchen" and "Toaster" from another list including "Stove", "Lights", and "Refrigerator". The screen shows that the toaster is off and its temperature is 70°, the same as the ambient temperature of the kitchen. The man rolls his eyes and grins at his obsessive concern.

Back at home, however, the same man's refrigerator is shooting ice cubes across the room into the glassware rack. The freezer is off and food is thawing; the refrigerator section's thermostat has been cranked down so far that it is turning into an iceberg. The dishwasher is overflowing and suds are 10 inches deep on the kitchen floor. The ZoomBot bumps against the pastry rack, sending the smoking toaster inch by inch toward the towel rack and curtains.

Okay, so the scenario is a disaster straight from a movie plot, but is it Stephen King’s “Maximum Overdrive,” where you have to suspend disbelief as animated trucks take over the world, or a Jules Verne future prediction?

Smart grids aim to use better telemetry on the distribution side of the power infrastructure to better balance the electric load, leverage consumer energy generation (solar panels, small wind turbines, micro-grids), and promote cheaper and greener energy choices. At the moment utility companies are focused on rolling out smart meters, which not only measure and send usage statistics on a near-real-time basis, but allow utility companies, and possibly third party data monitoring and service providers, to control smart appliances. For example, if the utility company detects a surge in electricity demand to a particular section of the grid, it can opt to turn off lower priority devices, such as swimming pool pumps, to reduce the load for non-essential consumer electric needs. This is enabled by integrating home area networks (HANs) with smart meters on the utility side, and smart appliances on the consumer side.

There are plenty of utility system compromises to alarm not only consumers, but security experts and government agencies:

• In 2000, when Vitek Boden was turned down for a job at an Australian water services company, he hacked into the Maroochy Shire SCADA system and released raw sewage into rivers, parks, and the grounds of a Hyatt Regency hotel.

• In 2005 and 2007, two widespread electric outages in Brazil are blamed on hackers by the CIA. While the official explanation for one of the outages was sooty insulators, many believe the story to be a cover-up.

• In 2009, an informal report, including testimony from current and former CIA and DHS officials, claims foreign countries, notably China and Russia, have surreptitiously penetrated the U.S. electrical grid over the last 5 years. Purported evidence includes time-bomb software.

• And who can forget Stuxnet, the worm discovered in 2010 that sabotaged centrifuges at Iran's uranium enrichment facility, widely attributed to Israel.

More to the point of smart grid security, IOActive, a security research firm, reverse-engineered the smart meters from a particular manufacturer and created a worm that spread throughout a simulated smart grid infrastructure, compromising 15,000 smart meters. In real life, a similar worm or bot would give the bot herder the ability to wreak havoc on consumers, and possibly even on the electric grid itself. Imagine if the worm or bot sent false usage information demanding more power for a section of the grid and caused an overload leading to a cascading failure. Granted, a systemic failure is theoretical, as is the kitchen pandemonium scene. In truth no one really knows what the smart grid will eventually look like or what the specific threats may be. The smart grid is like the Cloud: still evolving and amorphous.

What we do know, however, is that utility companies are not used to thinking in terms of data security; they've been historically concerned with the protection of hardware like transformer stations, utility poles, and electric wires, as well as consumer fraud. As information security professionals, we're used to the Confidentiality, Integrity, and Availability model, in that order. Utility companies have approached it in reverse: they're mostly concerned with availability, providing uninterrupted electricity to consumers and avoiding blackouts. To some extent they've been concerned with data integrity, but mostly on the safety end, ensuring the status of lines is clearly marked so workers don't touch electrified lines.

Now they'll have to change their mindset to protecting not only billing information, or what we think of as traditional consumer personally identifiable information (e.g., user names, addresses, social security numbers, credit card numbers), but also surveillance information. Interval consumption data can tell a burglar which homes to target: electric consumption that drops for a few days is a clue that the homeowners are away on holiday or visiting sick Aunt Bertha. Finer-grained readings can reveal when you run your electric shaver or even what you watch on television.
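The vacancy inference described above is easy to automate once interval data leaks. The following is an added example, not code from the article or from any utility: it builds a constructed 14-day series of hourly kWh readings (the load profile, baseline window, 40 percent threshold and two-day minimum are all assumptions chosen for illustration) and flags multi-day stretches where consumption falls to standby levels.

```python
"""Added example (not from the article): inferring occupancy from smart-meter
interval data. Every reading below is constructed, not real telemetry."""
from statistics import median

HOURS_PER_DAY = 24
STANDBY_KWH = 0.15  # assumed always-on load: fridge compressor, router, clocks


def make_readings(days_away, days=14):
    """Build constructed hourly kWh readings for `days` days.

    Days listed in `days_away` carry only the standby load; occupied days get
    an assumed morning peak (coffee maker, toaster) and evening peak (cooking,
    TV, lights). Returns a flat list of hourly readings.
    """
    readings = []
    for day in range(days):
        for hour in range(HOURS_PER_DAY):
            if day in days_away:
                readings.append(STANDBY_KWH)
            elif 6 <= hour < 9:
                readings.append(STANDBY_KWH + 1.2)
            elif 18 <= hour < 23:
                readings.append(STANDBY_KWH + 1.8)
            else:
                readings.append(STANDBY_KWH + 0.2)
    return readings


def daily_totals(readings):
    """Sum hourly readings into one kWh total per day."""
    return [sum(readings[i:i + HOURS_PER_DAY])
            for i in range(0, len(readings), HOURS_PER_DAY)]


def find_vacant_stretches(readings, baseline_days=7, ratio=0.4, min_days=2):
    """Return (first_day, last_day) tuples for runs of at least `min_days`
    consecutive days whose total falls below `ratio` times the median of the
    first `baseline_days` days. The median keeps a single away day from
    dragging the baseline down."""
    totals = daily_totals(readings)
    threshold = median(totals[:baseline_days]) * ratio
    stretches = []
    start = None
    for day, total in enumerate(totals):
        low = total < threshold
        if low and start is None:
            start = day
        elif not low and start is not None:
            if day - start >= min_days:
                stretches.append((start, day - 1))
            start = None
    if start is not None and len(totals) - start >= min_days:
        stretches.append((start, len(totals) - 1))
    return stretches


if __name__ == "__main__":
    series = make_readings({9, 10, 11})  # constructed: away on days 9-11
    print("daily kWh:", [round(t, 1) for t in daily_totals(series)])
    print("likely vacant:", find_vacant_stretches(series))
```

The point is not the algorithm, which is deliberately simple, but that the data needed to run it is exactly what a smart meter reports many times a day; anyone who can read it, whether a utility employee, a third-party monitoring service or an attacker who has compromised the meter, gets the same inference for free.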

Privacy risks are only one facet. While many smart meters use radio frequency (RF) connections to send data back to the utility company, some utility companies are running their own fiber alongside electric lines. In my mind’s eye the consumer premises becomes a pass-through from the internet back to the utility data infrastructure. Think about all your relatives who ask you to clean malware off their computers because you’re a “computer guru.” Statistics from Microsoft claim that 5 percent of all scanned computers are infected, and maybe my friends and relatives don’t practice safe clicking, but that number is low from an empirical standpoint. Now imagine all those owned computers as staging areas to attack the utility companies’ data networks through millions of back door entry points.

The majority of utility companies will likely form new partnerships with information infrastructure providers and with third party data monitoring services. Some are already using data lines leased from telcos, and are talking about partnerships to leverage consumer cable and fiber data services for telemetry acquisition. I smell possible merger opportunities, which could be disastrous as infrastructure providers who don't fully understand each other's industry try to manage the other as they would their own. Comcast managing an electric grid? Central Maine Power as an ISP? Ignoring the corporate management side of the equation, the technical security details give pause. While the exact connection points aren't clear yet, in order to control your smart meter and smart appliances, I imagine your electricity provider will have access to your HAN through your Verizon router/firewall. The rules granting that access will be on by default and, for the convenience of the utility company, will not be particularly restrictive about where the connection may come from.
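To make the difference concrete, here is an added example (not from the article, and not any vendor's firewall code) that models a first-match access policy on the home router and contrasts the permissive rule the article expects with a source-restricted one. The home network, meter address, utility head-end range, and demand-response port are all assumptions; the utility range uses an RFC 5737 documentation prefix. It also includes the audit check a practitioner would run on such a ruleset: any allow rule that accepts every source address into the HAN.

```python
"""Added example (not from the article): a first-match policy evaluator used to
compare a permissive utility-access rule with a source-restricted one.
All addresses, ports and device roles are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the connection may originate from
    dst: str              # CIDR on the HAN it may reach
    dport: Optional[int]  # destination port, None means any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def overly_broad_allows(rules: List[Rule]) -> List[Rule]:
    """Audit check: allow rules whose source is the whole Internet (/0)."""
    return [r for r in rules
            if r.action == "allow" and ip_network(r.src).prefixlen == 0]


HAN = "192.168.1.0/24"               # assumed home area network
METER = "192.168.1.10/32"            # assumed smart-meter gateway address
UTILITY_HEADEND = "203.0.113.0/24"   # assumed utility head-end range
DR_PORT = 4080                       # assumed demand-response service port

# The rule the article expects to ship "on by default": any source, any HAN host.
PERMISSIVE = [Rule("0.0.0.0/0", HAN, None, "allow")]

# Least privilege: only the utility head-end, only to the meter, only its port.
RESTRICTED = [
    Rule(UTILITY_HEADEND, METER, DR_PORT, "allow"),
    Rule("0.0.0.0/0", HAN, None, "deny"),
]


if __name__ == "__main__":
    attacker, fridge = "198.51.100.7", "192.168.1.20"   # constructed endpoints
    for name, rules in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, "attacker->fridge:", evaluate(rules, attacker, fridge, 80))
        print(name, "utility->meter:", evaluate(rules, "203.0.113.5", "192.168.1.10", DR_PORT))
        print(name, "broad allows:", len(overly_broad_allows(rules)))
```

Under the permissive ruleset any Internet host can reach the refrigerator; under the restricted one the same connection is dropped while the utility's head-end still reaches the meter on the port it needs. The one-line audit (`overly_broad_allows`) is the check to run against whatever rules a provider pushes to the router, since a rule that is convenient for the utility is equally convenient for everyone else.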

It won’t be long before attackers discover this path into your house and that your home automation system is connected to everything: it dims the lights and closes the blinds when you turn on the television and lights up the gas fireplace when you play soft rock. Perhaps you have one of those fancy Japanese toilets jacked in, the ones that automatically raise the toilet seat and activate a bidet arm after you flush.

Or maybe you just have your dishwasher, toaster, and refrigerator connected.

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.