HP Tightens Smart Grid Security


After recent hacking attempts on smart metering technology, HP has launched a security audit for smart grid services

HP has launched a new audit service for smart grid technology, in response to a series of successful hacking attempts against energy meters and other infrastructure.

Announced at HP’s Executive Energy Conference 2009 in Budapest, the HP Smart Grid Security Quality Assessment (SGSQA) service is aimed at utility companies and smart grid operators. It is based on existing security audit methodology HP has used internally for over six years to test its own software and hardware in sectors such as defence – and is consequently “highly mature”, the company said.

“There is a lot of concern about the security in this field,” Ian Mitton, worldwide director of utilities at HP, said at the event. Recent successful hacking attempts against some smart meter technology had led some energy companies to reconsider the security aspects of the technology, he said. “That has caused a lot of concern in the market and this is our response to that.”

In March this year, researchers from US security consultancy IOActive created a worm that could spread from one smart metering device to another thanks to the wireless technology that is used to connect them. “A lot of the security issues that are popping up are kind of frightening, and we’re sort of pushing the idea of more security review, more generalized security engineering… reviews, source code audits, the whole sort of works has to apply to these meters as well as they apply to everything else,” said Mike Davis, senior security consultant at IOActive earlier this year.

HP said the new audit service would only take around 2 weeks to ascertain the security vulnerabilities of a smart grid system and would not require any specific code to be developed. “There are no overheads in terms of a special lab and this really doesn’t expand the time-frame of the smart grid roll-out,” said Mitton. “This is mostly a desktop exercise but we look at processes inside and out.”

The service is currently being trialled with three utility companies, two of which are in the US, but HP refused to provide any more detail on the trials. However, the company maintains that the audit works in “multi-vendor environments”.

HP maintains that it is important that utility companies try to ensure that their smart grid infrastructure is as secure as possible before moving ahead with a full deployment, as plugging security holes after roll-out is extremely costly. “You have to get security right the first time,” said Mitton. “You cannot afford to go back – it will cost the same as the first time if retrofit.”

The UK has been investigating the potential of smart metering and has set a target of rolling out the technology to all households by 2020 based on wider European targets. Commenting on the project in May, Energy and Climate Change Secretary Ed Miliband said the meter roll out is estimated to cost between £2.5bn and £3.6bn over the next 20 years. “This is another part of our Great British refurb,” he said. “The meters most of us have in our homes were designed for a different age, before climate change. Now we need to get smarter with our energy.”

Although the UK government has yet to release any concrete information on what smart grid infrastructure would look like, a spokesperson told eWEEK Europe UK earlier this year that it was monitoring the security aspects of the technology, and utilities have been expressing concern about the proposals.

“The UK Government announced its intention to mandate a roll out of smart meters for all households in Great Britain last year. We are now considering more detailed plans for how smart meters should be rolled out. The specifications of the technology have yet to be decided but of course security will be a priority,” the government spokesperson said.

Networking specialist Cisco is also involved in developing smart grid technology and working with utilities. Speaking to eWEEK Europe UK earlier this month, Christian Feisst, director, Smart Grids, Cisco Internet Business Solutions Group, said that making energy grids “smarter” comes with inherent security risks.

“As soon as a system is digitalised, there is always the question of security…it is one of the most important aspects and before you start to roll out smart grid technology, you definitely have to have a security concept in place,” he said.

Read the full interview with Feisst at: Cisco: Smart Grids Mean More Security Risks For Utilities