“Smart” Power Grids May Be Rife With Dumb Security Bugs

We may earn revenue from the products available on this page and participate in affiliate programs. Learn more ›

New “smart” electricity meters, beginning to be rolled out across the country, may be rife with bugs that could pose security risks. The new meters create a smart communication network between the user and the local power plant. The software that powers some of the smart meters, however, is coming under fire from security experts for its lack of adequate protections against malicious hacks. One expert, hoping to illustrate the risks involved, claims to have created a worm program that infects one of the popular meters, taking control of its functionality and propagating itself further throughout the grid.

The new meters supposedly require no authentication or encryption whenever running functions such as software updates. These vulnerabilities are what the worm, written by the security furm IOActive as a proof of concept, will exploit using peer-to-peer technology to spread. Using it, hackers could potentially control the workings of the grid, turning on and off power to users, or even reconfiguring the entire system’s settings.

These smart meters were a result of a $4.5 billion stimulus plan by the Obama administration to update electrical grids across the country to make them smarter and more efficient. This could allow meter values to be sent directly to the company rather than requiring a meter reader to stop off at each user’s house. It also can shift, in real-time, the demands on the power grid to provide electricity where needed and change rates based on the electricity being used and what is available. However, in order to receive larger chunks of the stimulus money, companies raced each other to create a smart meter that worked. Perhaps in the rush, the amount of testing needed was reduced and security issues may have been compromised.

Several companies have created their own smart meter products and it is as yet unclear which ones, if any, are affected by a lack of security. The worm described will only be shown at a security conference occurring next month, so we’ll have to wait to see if the claims are true and on what scale.

The Register