Buggy smart meters can infect the Smart Grid

June 17, 2009

In a report published June 12th, Register.com's Dan Goodin reports, "The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse."

Davis will present at the Black Hat Conference next month, and will demonstrate a worm that he has developed that he claims easily infects the current generation of smart meters. "We can switch off hundreds of thousands of homes potentially at the same time," Davis, who has spent the past few months analyzing a half-dozen smart meters, told The Reg. "That starts providing problems that the power company may not be able to gracefully deal with."

For more details read the rest of the article here.

Is this a surprise to anybody? It certainly isn't a surprise to Unfettered. We've been warning about this and just waiting for a report like this to surface. I've spoken to many functional security experts who believe that the real benefits of smart grid aren't going to come from household smart meters anyway, but from the generation systems and the transmission and distribution systems and interconnecting them properly.

Most of the functional security experts I know won't have a smart meter in their house for any money, certainly not now.

Eric Byres warned of this 10 years ago when he started developing edge device security appliances, like his Tofino device. If we've known that this was probably going to happen for a decade, there's no excuse for the development of smart meters that are penetrable easily and quickly by the script kiddie who lives in the house, or next door, or around the block.
