Smart Grid Today conducted an interview last week with Cris Thomas, a strategist at Tenable Network Security and a founding member of the L0pht Hacker Collective. L0pht was a hacker “think tank” active from 1992 to 2000, and Thomas (aka Space Rogue) and other founders of the group testified at the US Senate in 1998 about the risks of the internet, the Washington Post reported in June of this year.
Smart Grid Today content is normally available only to paid subscribers, but selected content is made available to others for a limited period of time as a promotion. Portions of the interview, as featured in today’s newsletter in an article titled “Hacking expert urges security fundamentals,” include the following:
“the fundamentals of cybersecurity that we learned about years ago” – is still largely ignored in the utility sector, said Thomas.
The current baseline level needs to be jacked up higher, especially where it concerns smaller power providers, Thomas said. As smaller providers deploy “internet of things” (IOT) devices, such as smart meters, some are “just buying them off the shelf and deploying them to customers without looking at the security features of those devices.”
“And they’re not installing them with the level of security the manufacturer actually offers, so they basically leave it wide open, even though the manufacturer may have added security features that the installer needs to implement.”
Larger power providers are “guilty of the same problem” when they hire third parties to install equipment and do not conduct due diligence to make sure security features are set, because most of the time, “the installer just wants to set it up and make sure it works and get out of there and get paid,” Thomas warned.
A utility’s internal and external communication systems are supposed to be separate. “But a lot of times they are connected, allowing an attacker to get from the smart meter to the power generation grid and cause havoc in that way,” he added.
At this website we have continued to chronicle and document the significant risks related to smart meter technology. As the Smart Grid Today article referenced above documents with respect to cybersecurity threats, the utilities essentially ignore the problem. Thus, the evidence on the risks continues to mount despite the continued deployment of smart meters.
One of the criticisms mentioned in the Washington Post report from June is that there was “little action” in response to a Congressional Hearing in 1998 about the vulnerability of the Internet to hackers, stating that “17 years later the world is still paying the price in rampant insecurity.” Several days ago this website reported on a story, Congressional Hearing: Smart Meters Present Vulnerabilities to the Grid Due to “Smart Technology” and “Lots of Access Points”. With smart meters, Cyber Hackers Can Now “Harm Human Life”, i.e., the risks are even greater due to the involvement of the electric grid. Will the latest Congressional Hearing be just another missed opportunity?
Primary Source Material for this Article
“Hacking expert urges security fundamentals,” at http://www.smartgridtoday.com/public/Hacking-expert-urges-security-fundamentals.cfm [link likely available for public viewing for a limited period of time as a promotion by Smart Grid Today].
Note: As the Smart Grid Today article is copyrighted, only a small portion is highlighted here and is represented as “fair use” under the provisions of 17 U.S.C. 107. Quoted content is provided in the public’s interest for non-commercial purposes.