JANUARY 2010 VOLUME 5 ISSUE 1
INSIGHT & COMMENTARY

Smart Meter + Slot Machine Security

Mike Breslin
Freelance Writer
When Tommy Carmichael -- the world's greatest slot machine cheat -- wanted to illegally coax coins out of Las Vegas slot machines, his first step was to get his hands on the machine he wanted to cheat. He was successful at beating the best electronic security that slot machine engineers could design and milked hundreds of thousands of dollars before he got arrested.

Coincidentally, Las Vegas was the scene last July where supposed security flaws of smart meters were unmasked. The event still has meter makers, utilities, standards organizations and federal regulators talking or hard at work improving security.

At the Black Hat security conference, Mike Davis, a senior security consultant for IOActive, demonstrated how his security team simulated the hacking of 16,000 out of 22,000 smart meters over a 24-hour period. They used a worm, a software patch, that gave IOActive the control to turn power on and off at one-second intervals at 16,000 homes.

"We could have put anything in that worm we wanted as a payload," said Davis. "We did not have enough room in the smart meter to fit our code so we had to dump some functionality out for our worm to work. The functionality we dumped was the ability to wirelessly update our devices. That would have locked out the utility from wirelessly updating the devices."

Like Tommy Carmichael, IOActive had to get its hands on a meter before starting to compromise it. In 2008, the first meters they examined came via a penetration test for a utility. "This is how we initially found some vulnerability," Davis explained. Later, IOActive bought different models on eBay, and got others by dumpster diving at the back of utility meter shops. The discarded meters provided all they needed -- radio communications and firmware. Since Black Hat, Davis no longer sees smart meters on eBay and noticed that defective units are now being sent to secure recycling facilities.

"As much as I'd like to say I am a professional, I'm really a geek at heart. I'm only in it to play with the toys," Davis admitted. IOActive used two smart meters to build the worm and it did not take expensive equipment. Davis confessed that the most valuable tool he used cost $200, a JTAG interface.

Davis reflected on industry reactions since Black Hat. "I'm sure someone inside our company assumed that if we are talking about this we would be the go-to guys for this particular issue. A lot of the feedback we got was that we were not telling the truth about the vulnerabilities, or no meter vendor would ever release their devices without encryption enabled, or even if this were possible, the propagation rate of the worm would be so slow that it would not matter. When our research hit the news it was about the same time the stimulus package came out with funding for meters. People acknowledged us, but no one really wanted to work with us. They just wanted to get their product out."

Of course, a malicious hacker would only have to rip a meter off a house to get started. And what could a criminal or terrorist with reverse engineering skills do? One feature in many devices is a remote disconnect that allows the utility to wirelessly disconnect an individual meter from the grid. "The nature of the worm we demonstrated is the danger that we were able to propagate it without the need for the utility. If we propagated it to hundreds of thousands of meters, we would have the ability to disconnect those," Davis said.

Because meters are wirelessly linked by radio frequency with a one- to two-mile range, worms or disabling viruses could hop from service area to service area on interoperable metering systems.

What are the consequences of hundreds of thousands without power? Someone would have to figure out how the meters are being exploited, create and test a corrective patch and, if firmware is compromised, individually deploy patches to every affected household. "We will continue our research as soon as I get my hands on another device. These devices were made to be sensors, not security devices, and that's what we are seeing in the state of hardware security everywhere, except for devices like Xbox, or PlayStation where they really care about tampering," Davis concluded.

But the major meter manufacturers are improving security. Philip Mezey, North American senior vice president and COO for Itron, had this to say: "Security of advanced metering and smart grid networks is very much something that Itron and the utility industry has taken, and will continue to take, seriously."

Intelligent Utility magazine is the new, thought-leading publication on how to successfully deliver information-enabled energy. This article originally appeared in the November/December 2009 issue.


    Copyright © 1996-2010 by CyberTech, Inc. All rights reserved. Energy Central® is a registered trademark of CyberTech, Incorporated.
