Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Architecture

Smart Meters Widely Considered Vulnerable to False Data Injection

A new survey of 104 security professionals in the energy sector gave a big thumbs down to smart meter security.

A new survey of 104 security professionals in the energy sector gave a big thumbs down to smart meter security.

According to the survey, when asked, “Do smart meter installations have sufficient security controls to protect against false data injection?” 61 percent said no. The report was sponsored by vulnerability management and compliance auditing firm nCircle and EnergySec, a public-private partnership funded by the U.S. Department of Energy. Its findings come roughly two weeks after NSA Director and US Cyber Command chief Gen. Keith Alexander spoke before the Senate Armed Services Committee about the importance of the government and private sector working together to stop security threats to the nation’s critical infrastructure.

Power Grid SecurityAccording to nCircle, system monitoring is a necessary fact of life for managing power grids and ensuring reliability. Analysis of smart meter measurements and power system modles that estimate the state of the power grid are a routine part of this, and false data injection attacks could introduce arbitrary errors and bypass techniques for detecting bad measurements.

“A false data injection attack is an example of technology advancing faster than security controls,” said Elizabeth Ireland, vice president of marketing for nCircle, in a statement. “This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user in the U.S.”

According to security blogger Brian Krebs, the FBI published a cyber intelligence bulletin that estimated that hacks against smart meter installations during the past several years may have cost an electric utility in Puerto Rico hundreds of millions of dollars annually. Citing confidential sources, the FBI said former employees of the meter manufacturer and employees of the utility were reprogramming the meters for money and then training others in how to do the same.

“These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” Krebs reported the FBI alert as stating.

Branden Williams, global CTO of marketing for EMC’s RSA security division, said that there is a mixture of technologies in the energy sector with vastly different life expectancies that have now been mashed together. This has impacted security, as industrial systems have life spans of 30 to 50 years, while IP-based systems find themselves obsolete after five to ten years. Depending on how interconnected those machines are, it may be either impossible or too costly to upgrade those IP systems in ways that will protect them from current threats, he explained.

“I suspect that once people dig into the dollars associated with the problem, action will take place,” he said. “For example, if a utility company learns they are losing 25 percent of their revenue to fraud, they would be much more willing to take action now that the number is real. Qualitative analysis will just spark discussions, no action.”

Advertisement. Scroll to continue reading.

Smart meter manufacturers should take care to ensure they provide communication capabilities that meet basic integrity and confidentiality standards, such as rejecting non-authenticated traffic, he added.

“Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection,” noted Patrick Miller, the founder, CEO and president of EnergySec, in a statement. “It doesn’t help that some communication protocols used by the smart meter infrastructure don’t offer much protection against false data injection either. Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.”


*UPDATE: This story was updated to include commentary from RSA, EMC’s security division.


Related Reading: Fun and Games Hacking German Smart Meters

Related Reading: Smart Meters Interfering With Home Electronics

Related Reading: Grid Cyber Security – Removing the Reality Distortion Field

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...