Jason Tuck of Providence GIS Solutions
This week the blog KrebsOnSecurity, authored by Brian Krebs, detailed an FBI investigation involving a utility in Puerto Rico that has seen a substantial loss in revenue, to the tune of $400 million, due to hacking into the meters and the tried-and-true method of magnets. The customers were hiring former employee(s) of the smart meter manufacturer or the utility to hack into the meters at $300 – $1000 per residential meter and up to $3000 per commercial meter. Krebs goes into very specific detail as to how this occurs through devices which are readily available online.
It does not shock me that smart meters have been hacked or that consumers have figured out how to steal electricity from the utility. This little cat-and-mouse game has been going on for a very long time; I suspect it will always be an issue. I find it hilarious that with all the technology at our disposal we can still affect a meter reading with a strong magnet. The use of magnets does not shock me, nor does the hiring of former employees to pull this off. The one area of Krebs’ article which shocked me is the lack of encryption in some of the smart metering software where the access is allowed. My question is: why is all the data not encrypted? At the end of the day, companies like Cisco can provide all the security solutions in the world, but if the smart meter manufacturers do not encrypt their data fully, what is the point of spending the money on expensive security solutions?
It is easy to get caught up in the big numbers of how much money the utility lost or the hacker(s) gained in the manipulation of the meters. Do not let those figures cloud the real issue: a $400 piece of equipment allows a meter to be linked to a laptop on-site. If the hacker knows where to look in the software, the access codes to the meter are not encrypted, making for easy access to manipulate the meter. The fortunate part of this process is that the hacker must be on-site with the meter. This cannot be done remotely, according to Krebs.
Electric utilities that are deploying smart meters across their systems must develop a high security standard that forces the smart meter manufacturers to encrypt all the data in their hardware and software. These same utilities must also hold cyber security for the entire smart grid technology rollout to a much higher standard than has previously been held. Corners cannot be cut.
One last cyber security item to think over is tying the cyber security solution for the smart grid hardware to the security of the data being sent to the utility's geographic information system (GIS). This data must also be protected as it is distributed out to the end users or consumers in many different forms. This is sensitive information and must be handled in such a way as to not compromise the utility or the customer’s personal information. Data is currency in today’s world and we cannot afford for it to be compromised. The liability to the utility is astronomical if the unthinkable happens and the data is hacked, with consumer data being compromised plus the utility’s sensitive backbone data being compromised. It is at this point that losing $400 million no longer sounds so bad.