by K.T. Weaver, SkyVision Solutions
The Associated Press National Investigative Team today published a comprehensive article detailing the vulnerabilities of the US power grid to hackers. Here are selected excerpts from that article, “AP Investigation: US power grid vulnerable to foreign hacks”:
“Security researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States power grid.
Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title ‘Mission Critical’. The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes. …”
“[H]ackers have gained access to an aging, outdated power system. Many of the substations and equipment that move power across the U.S. are decrepit and were never built with network security in mind; hooking the plants up to the Internet over the last decade has given hackers new backdoors in.”
“Distant wind farms, home solar panels, smart meters and other networked devices must be remotely monitored and controlled, which opens up the broader system to fresh points of attack. …”
“The rush to tie smart meters, home programmable thermostats and other smart appliances to the grid also is causing fresh vulnerabilities.
About 45 percent of homes in the U.S. are hooked up to a smart meter, which measures electricity usage and shares information with the grid. The grid uses that information to adjust output or limit power deliveries to customers during peak hours.
Those meters are relatively simple by design, mostly to keep their cost low, but their security is flimsy. Some can be hacked by plugging in an adapter that costs $30 on eBay, researchers say….”
“[C]ybersecurity experts say the protective gaps between computer systems that manage utilities’ business operations and machines that manage their grids are not always as wide or as unbridgeable as utilities say they are. And even the utilities’ own experts, who maintain it would be extraordinarily difficult for a hacker to knock out power to customers, admit there is always a way in.”
Yes, and with smart meters, there are now millions of access points for hackers to find “a way in.” Does that sound like a good idea? With traditional non-communicating meters, this was not a problem.
The most dangerous “feature” included in the majority of smart meters deployed today is the remote disconnect option. As documented in the book, Smart Grid Security: An End-to-End View of Security in the New Electrical Grid:
“What if [smart] meters are told to disconnect by a worm or virus? Among all the services AMI [Advanced Metering Infrastructure] offers, the disconnect function is the most controversial in information security circles as it is the only one that directly controls the flow of power to the home or business.”
“The greatest concern is that a successful attack could allow someone to gain control of customers all at once. In addition to causing widespread blackouts, repeatedly switching the power off and on could create frequency imbalances and surges in the grid that could damage loads and destabilize the entire grid, potentially causing damage to generators, transformers, and other equipment in the path [including the smart meters themselves and major appliances in homes and other buildings]. Such a consequence would be much more severe than a simple power outage, resulting in damage to expensive equipment with replacement times of more than a year in some cases. Effectively taking temporary control of a meter network could lead to widespread power outages lasting weeks or perhaps longer.”
As quoted in a book by Kim Zetter (and based upon an author interview, August 2012), here is what Mike Davis, Senior Security Consultant at IOActive, says about smart meters:
“In my opinion, if it’s got the remote disconnect relay in it, whether it’s enabled or not … it’s a real big, ugly issue.”
For more information, refer to Smart Meters Are Not Secured and Cyber Hackers Can Now “Harm Human Life” Through Smart Meters. As stated by an expert respondent highlighted in a recent Pew Research Center report:
“The ‘smart grid’ is the most substantial danger. Cyber attacks that target a ‘smart grid’ will result in loss of power to large numbers of places simultaneously, causing infrastructure damages. … No single instance will be ‘widespread harm,’ but all of these together will add up to that in only a short period of time. Unless there is some unforeseen major new technological development …, the only way to prevent this will be to refrain from adopting ‘smart grid’ technologies.”
Source Material for this Article
“AP Investigation: US power grid vulnerable to foreign hacks,” December 21, 2015, by Garance Burke and Jonathan Fahey; full article available at: http://bigstory.ap.org/article/c8d531ec05e0403a90e9d3ec0b8f83c2/ap-investigation-us-power-grid-vulnerable-foreign-hacks
Smart Grid Security: An End-to-End View of Security in the New Electrical Grid, by Gilbert N. Sorebo (Author), Michael C. Echols (Author), Michael Assante (Foreword); Publisher: CRC Press; 1 edition (December 5, 2011). Book available from amazon.com at http://www.amazon.com/dp/1439855870/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=JQVO0DK288NY&coliid=I3HT55J613FATM
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter; Publication Date: November 11, 2014; available at: http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-ebook/dp/B00KEPLC08/ref=dp_kinw_strp_1.
Pew Research Center, October 2014, “Cyber Attacks Likely to Increase”; Expert Opinion of Andrew Chen, Associate Professor Computer Science at Minnesota State University-Moorhead; report available at: http://www.pewInternet.org/2014/10/29/cyber-attacks-likely-to-increase/.
In this report, “widespread harm” was defined as “significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.”