Recently, the Insurance Journal weighed in on the threats introduced by smart meters. While I agree that smart metering presents risks both cyber and financial, I submit that many of those risks are merely new flavors of risks that have existed for decades. And smart meters also introduce benefits that more than offset those threats.
The article seems to equate smart meters with the Internet, though we have yet to find any utility that is actually connecting its meters to the Internet. (There are utility control systems connected to the Internet, most of which are known to hostile nation-states.) And it also conflates a number of unrelated topics. For example, the author cites the recent Havex Trojan, which attacks SCADA systems, not smart meters. Likewise, the article mentions Stuxnet, which was directed at uranium enrichment centrifuges. Stuxnet is a cautionary tale for anyone managing a control system, but smart metering networks are not control networks. Still, the Insurance Journal explores situations worth considering.
Uneasy in the Islands
The successful meter attack described, citing Brian Krebs’ excellent analysis (written 2 years ago), occurred in Puerto Rico. In that case, former employees of a local utility offered to reprogram residents’ smart meters via the meters’ optical diagnostics port. For a fee ranging from $300 to $1,000, the technicians would reprogram the meters to under-report energy usage, resulting in a lower electricity bill every month. This attack had nothing to do with the Internet.
The key to dealing with cyber risks is taking a big picture view of the situation. In Puerto Rico, the fraud would have been easy to detect. Utilities can put an additional smart meter at each transformer to measure total energy distributed to the customers on that transformer’s circuit. When the total energy metered for all the individual customers is less than the total measured at the transformer, clearly something is wrong. It may or may not be fraud, but it can be identified quickly by the technology described in Navigant Research’s report, Meter Data Management. The $400 million lost in Puerto Rico indicates that the fraud may have persisted for months or years. That sum is about 10% of Puerto Rico Electric Power Authority’s (PREPA’s) annual revenue – which seems awfully large to fly under the radar.
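The transformer-level energy balance described above, as an added Python example (not code from the article or from Navigant Research's report). The sample readings, the 5% allowance for technical line losses, and the rule that a gap must persist for at least two intervals are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (interval, transformer, kWh measured at the transformer meter)
TRANSFORMER_READS = [
    ("00:00", "T1", 10.0), ("00:15", "T1", 10.4), ("00:30", "T1", 10.2),
    ("00:00", "T2", 8.0), ("00:15", "T2", 8.2), ("00:30", "T2", 8.1),
]
# Constructed sample data: (interval, transformer, customer meter, kWh);
# None marks a read that never arrived.
CUSTOMER_READS = [
    ("00:00", "T1", "M1", 5.0), ("00:00", "T1", "M2", 4.8),
    ("00:15", "T1", "M1", 5.2), ("00:15", "T1", "M2", None),
    ("00:30", "T1", "M1", 5.1), ("00:30", "T1", "M2", 4.9),
    ("00:00", "T2", "M3", 4.0), ("00:00", "T2", "M4", 2.0),
    ("00:15", "T2", "M3", 4.1), ("00:15", "T2", "M4", 2.05),
    ("00:30", "T2", "M3", 4.05), ("00:30", "T2", "M4", 2.025),
]

def unaccounted_energy(transformer_reads, customer_reads,
                       loss_allowance=0.05, min_intervals=2):
    """Return {transformer: [(interval, gap_fraction), ...]} for circuits where
    customer meters account for less energy than the transformer delivered."""
    billed = defaultdict(float)   # (interval, transformer) -> summed customer kWh
    incomplete = set()            # intervals with at least one missing customer read
    for interval, tid, _meter, kwh in customer_reads:
        if kwh is None:
            incomplete.add((interval, tid))
        else:
            billed[(interval, tid)] += kwh

    hits = defaultdict(list)
    for interval, tid, delivered in transformer_reads:
        key = (interval, tid)
        # A missing read would look like a shortfall, so skip that interval
        # instead of raising a false alarm.
        if key in incomplete or delivered <= 0:
            continue
        gap = (delivered - billed[key]) / delivered
        if gap > loss_allowance:  # more than expected technical line loss
            hits[tid].append((interval, round(gap, 3)))
    # A persistent gap warrants investigation; it may or may not be fraud.
    return {tid: h for tid, h in hits.items() if len(h) >= min_intervals}

if __name__ == "__main__":
    for tid, intervals in unaccounted_energy(TRANSFORMER_READS, CUSTOMER_READS).items():
        print(tid, intervals)
```

The check identifies the circuit, not the individual meter; narrowing it down to a customer still requires a field inspection or further analysis of the per-meter data.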
Finding Walter White
Smart meters provide other fraud detection capabilities that their electromechanical forebears do not. One example is credit and collections. Smart meters typically report energy consumption every 15 minutes. So, when a customer who is already delinquent shows a large spike in energy consumption (a common attribute of illegal activity, such as meth labs), smart meters enable the utility to detect the situation and initiate collection or disconnect activities immediately. This approach is impossible with monthly-read electromechanical meters. Plus, remotely disconnecting service to sites of criminal activity is safer for the utility workforce.
For sure, smart meters introduce attack vectors that did not exist before. This is a common byproduct of new technology. Identity theft was much more challenging before we had the Internet – yet, there are few, if any, movements to shut down the Internet because of identity theft.
The Insurance Journal article does quote Navigant Research’s market forecast for global smart meter deployment. The 1.1 billion smart meters expected to be deployed by 2022 should indicate that it’s time to stop worrying about smart meter security and just get on with it.