SAN FRANCISCO — Computer-security researchers say new smart meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.
At the very least, the vulnerabilities open the door for attackers to jack up strangers' power bills.
These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else's power on and off.
The attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians.
The firm was hired by three utilities to study their smart meters' resistance to attack.
These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright said.
There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.
There are few public studies on the meters' resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive, showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.
Houston-based CenterPoint Energy is not using InGuardians for security work, but CenterPoint spokeswoman Alicia Dixon said the company is using an independent third-party security consultant to work on the issue.
The company won't divulge the findings of that work, if any, because it could compromise security, Dixon said.
CenterPoint Energy has installed about 268,000 smart meters in the Houston area, although it is testing 111,000 of them for accuracy in response to a request to all power distributors from the Texas Public Utility Commission.
Terry Hadley, a PUC spokesman, said he is unaware of any incidents of hacking smart meters in Texas.
He notes the PUC's smart meter rules require all companies to conduct a security audit of their systems.
The rule states electric utilities will have “an independent security audit” of the smart meters done within one year of giving customers access to their smart meter data. They must promptly report the results of the study to the PUC.
Chronicle reporter Tom Fowler contributed to this report.
No comments:
Post a Comment