On February 13th, 2015, President Obama convened a summit on cybersecurity and consumer protection at Stanford University to respond to the rise in major data breaches at U.S. companies, including recent attacks on Anthem and Sony.
In the lead-up to the summit, on February 12th, Michael Krasny, Ph.D., hosted an episode of San Francisco’s KQED “Forum,” a news and public affairs program that concentrates on the arts, culture, health, business, and technology. This episode was devoted to examining the cybersecurity and privacy issues to be addressed (or not addressed) at the summit.
Guests for the radio program included:
- Kim Zetter, senior writer who covers cybersecurity for Wired;
- Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation at Stanford University;
- Dave Garrett, managing director of Stroz Friedberg, a global cybersecurity firm specializing in digital forensics, data breach and cybercrime response.
An audio excerpt of the radio program is provided below, and the portion of the transcript that deals specifically with smart meters is as follows:
“Shouldn’t they be talking about the electric power grid?” …
“It’s going to be you and me and all the other people listening that will have smart grid meters in their homes and so on, and so an interesting question is, does connecting these smart grid meters provide a way in to hack the quote ‘smarter’ unquote electric power grid. But I think you are right. There is no explicit attention to the protection of electric power grid or anything else in the critical infrastructure explicitly in this because it’s a consumer oriented panel.”
“You all brought up the fact that critical infrastructure is not included. The summit is very targeted for specific purposes, but it does raise this issue that while the government is having these kind of showy summits with CEOs in Silicon Valley, there are equally important issues that they seem to be ignoring. … Herb brought up the smart meter issue. The government is pushing a lot of technologies out into the consumer realm that aren’t secure.
And so there is this sort of two-handed policy going on where they’re making cybersecurity a top priority, and yet they’re also enabling technologies like voting machines, and Internet voting, and smart meters that are not secured yet. And so they’re at the same time simultaneously creating additional security problems.”
Did you catch that? The government is touting cybersecurity as a top priority while it is simultaneously pushing on us a lot of technologies that are not secure, such as smart meters.
Audio Courtesy: KQED, National Public Radio in San Francisco, CA
Kim Zetter, a guest for the radio program, has recently written a book called Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. In her new book, Ms. Zetter writes on the topic of smart meters:
“One way to target electricity is to go after the smart meters electric utilities have been installing in US homes and businesses by the thousands… One of the main problems is that smart meters have a remote-disconnect feature that allows utility companies to initiate or cut off power to a building without having to send a technician. But by using this feature an attacker could seize control of the meters to disconnect power to thousands of customers in a way that would not be easily recoverable. In 2009, a researcher named Mike Davis developed a worm that did just this. …”
“The vendor scoffed at Davis’s simulation, … That’s when Davis delivered his final blow and told the vendor that his malicious software didn’t just turn the power off, it also deleted the firmware update on the meters so they couldn’t be updated again to restore power. …”
“Since conducting the simulation, Davis has seen vendors improve their meters. … But the remote disconnect is still a problem with most smart meters, since an attacker who breaches a utility’s central server could do what Davis’s worm did, but in a much simpler way.”
As quoted by Zetter in her book (and based upon an author interview), Mike Davis of IOActive says that:
“In my opinion, if it’s got the remote disconnect relay in it, whether it’s enabled or not … it’s a real big, ugly issue.” [emphasis added]
The content of this article is consistent with that of another recent article at this website entitled, Cyber Hackers Can Now “Harm Human Life” Through Smart Meters. How long will it take before enough people realize that smart meters are in fact a serious threat to human life and national security?
Source Material for this Article
“Obama to Announce Executive Action to Combat Cyberattacks at Stanford Summit,” at http://www.kqed.org/a/forum/R201502120900
“Obama at Stanford: Industry, Government Must Cooperate on Cybersecurity,” at http://fsi.stanford.edu/news/obama-stanford-ceos-must-commit-cyber-security
“Obama’s New Order Urges Companies to Share Cyber-Threat Info With the Government,” at http://www.wired.com/2015/02/president-obama-signs-order-encourage-sharing-cyber-threat-information/
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter; Publication Date: November 11, 2014; available at: http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-ebook/dp/B00KEPLC08/ref=dp_kinw_strp_1.
“Black Hat: Smart Meter Worm Attack Planned,” at http://www.darkreading.com/risk-management/black-hat-smart-meter-worm-attack-planned/d/d-id/1081747
The video below shows the Davis worm simulation where an infection spread to about 20,000 smart meters over a 24-hour period.