Infosec 2010: Smart Meters Bring Security Risks

Utility companies and governments are pushing ahead with ambitious deadlines for the deployment of smart meters in Europe and the US, but security may suffer as a result say experts.

Speaking to eWEEK Europe UK at the Infosecurity Europe 2010 event in London this week, Joshua Pennell, president and founder of security company IOActive, said that the relatively little time alotted to deploy smart meters and associated smart grid technology could compromise the infrastructure.

Short time frame

In particular, Pennell pointed out the short time-frame available for utilities to access a $4 billion (£2.6bn) government fund to roll-out smart infrastructure.

“The crux of the problem in the US is with the American Recovery and Reinvestment Act – they have to spend the money in like 48 months. So they are in a different mode now,” he said. “If they don’t spend the money then it goes away, so they have to roll out the technology in some state or lose the funding, which is not in their normal mode of operations.”

In March 2009, researchers from  IOActive created a worm that could spread from one smart metering device to another, thanks to the wireless technology that is used to connect them.

Conservative Utilities

Christian Feisst, director, Smart Grids, Cisco Internet Business Solutions Group told eWeek Europe UK last year that making energy grids “smarter” comes with inherent security risks. “As soon as a system is digitalised, there is always the question of security…it is one of the most important aspects and before you start to roll out smart grid technology, you definitely have to have a security concept in place,” he said.

According to IOActive’s Pennell, the whole approach to smart meters in the US and Europe would probably be one of rolling out the technology and focusing on security afterwards.  “In California alone they are installing 15,000 meters a day and that is one utility that is doing that and that is pretty agressive in my mind,” he said.

Utilities and governments are addressing some security concerns however and both the US Department of Homeland Security and the UK government are working with IOActive on securing smart infrastructure.

Pennell also said that smart meter makers are also taking the issue of security more seriously but faced cost constraints. “There are two smart meter manufacturers that are doing a pretty good job of securing the smart meters themselves, whereas last year if you asked me that question I would have said no one is giving it enough attention,” he said. “They are doing a pretty good job considering each smart meter has to be built for less than a $100 to make it affordable to the utilities.”

In line with European law, the UK has committed to roll-out smart meters to every home by 2020 in a move which the government says will help generate jobs.

Some of the technical challenges of rolling out smart meters to consumers and upgrading utilities’ infrastructure to become smart grids was compounded by the conservative nature of utilities and the costs involved, according to IOActive.

“A lot of guys say welcome to the energy sector set your clock back 15 years. They are held to a different standard. They are held to  the five nines uptime which makes them incredibly conservative,” said Pennell. “The utilities are looking to save money too because they have to roll-out 50 million of these things – that is how many the UK alone has committed to.”

Asked whether he thought the UK’s target was achievable, Pennell admitted that there was significant work ahead. “I don’t know. There are around 50,000 meters deployed already in the UK. But getting to 50 million is a lot of meters.”