The push for greener, more efficient energy distribution is driving the rapid development and deployment of Advanced Metering Infrastructure (AMI) technology, or smart meters. Smart meters are considered to be just one technology platform within an overall suite of maturing smart grid energy management technologies. These technologies will foster the modernization of the nation's electrical power infrastructure into what will ultimately become the cornerstone for the power grid of tomorrow. In conjunction with the approved $4.5 billion economic stimulus package, the need to create U.S. jobs and a rapidly evolving market space, this long-awaited advancement to the U.S. power infrastructure has become a reality today. But is the technology ready?
This new generation of energy distribution technology promises to deliver real-time information, and enable the near-instantaneous balance of supply and demand. Utilities and consumers alike will benefit from the smart grid's ability to sense system overloads and reroute power to prevent, or minimize, potential outages. Yet, as with any new innovation promising such benefits, there is both opportunity and associated risk. Without considering the risks, we may never truly see the benefits.
In April, IOActive researchers were able to identify multiple programming errors on a series of smart meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The research team was able to "weaponize" these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed smart meter capabilities, including remote power on, power off, usage reporting, and communication configurations. The initial attack vector could also be leveraged to deploy a worm, much like the Blaster worm that wreaked havoc on computer systems in 2003. The consequences of such threats are potentially widespread and devastating.
And hardware attacks are on the rise, due in large part to the relative ease with which they can be launched. While most software developers build base-level security into their products, security at the hardware level has long been overlooked. Anyone who acquires a smart meter can reverse-engineer the device with little effort because of the lack of encryption at the hardware level, or can decode the device's communications by listening to the radio signals the meter emits. Neither method requires a highly specialized background or significant financial investment. Consider that most utility meters sit outside private residences and businesses, with little or no physical security to prevent access, and you have a recipe for tampering.
Think this scenario is unlikely? Unfortunately, it's far more likely than people care to imagine. A Department of Energy lab recently published a statistic showing that there were roughly 250 exploits for control systems on any given day in 2006-2007. It was reported to take roughly 131 days to patch and remediate those vulnerabilities -- leaving the window open for exploitation.
Beyond the ease of threat, the reality is that utility companies are viewed as recession-proof, and thus always earning money. This makes them an attractive target for criminals. Vulnerabilities in the smart grid could cause utilities to lose system control of their metering infrastructure to unauthorized third parties, exposing them to fraud, extortion attempts, lawsuits, widespread system interruption, massive blackouts or worse. The severity of the situation is driving the release of the Critical Electric Infrastructure Protection Act (CEIPA), a new bill solely focused on addressing cybersecurity concerns of the U.S. power grid. And it's only just beginning.
All of this indicates that the security maturity of the smart meter market warrants immediate inquiry and evaluation. With more than two million smart meters in field use today, and an additional 17 million devices on order by over 73 participating utilities, the threat is not a localized concern. Furthermore, smart meter technology is expected to last 10 to 20 years in the field.
So can the smart grid be saved? While there are clearly challenges ahead, it's not too late. The utility sector can, and should, protect its investment by demanding that smart meter devices come equipped with the types of security protection afforded to computers on a standard enterprise network.
The challenge in building a secure smart grid power infrastructure is to quickly enact methods that support both asset owners and smart grid vendors. As is typical of most emerging industries and first-to-market initiatives, the smart grid AMI community lacks a formal Secure Development Lifecycle (SDL) to guide and govern the release of sound, quality technology and products. Including a requirement to conduct independent third-party security assessments of all smart grid technology will further enable the smart grid AMI industry to deploy its technology in a secure, mindful fashion without causing significant time-to-market delays.
The SDL is a proven tool for saving money, and decreasing exposure to risk. Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase. Championed by Microsoft, the SDL contributed to a massive reduction in the number of security bulletins issued for Windows Server 2003 and SQL Server 2000.
In light of where we are with the application of smart grid technology, there is still time to stop. Private industry is ready and well positioned to take on this challenge to help pave the way towards a secure smart grid infrastructure that will benefit generations to come. Already at the forefront of the research efforts around AMI security, the industry has been intimately involved in the development and refinement of the SDL.
And as the old saying goes, "measure twice, cut once." Utilities should embrace their role as the stewards of the energy "ecosystem," and hold smart meter vendors accountable for the security of their products. By demanding that their suppliers adopt secure development practices, and requiring them to undergo third-party security auditing, energy utilities can benefit from the smart grid while ensuring the future safety of the nation's critical infrastructure.
Copyright 2013 CyberTech, Inc.
"utility companies are viewed as recession-proof, and thus always earning money. This makes them an attractive target for criminals." -- Typical of the (absence of) logic in use in the article. Why not simply throw a sheet over your head and stand in the corner going "Whooo Whoooo"?
Bob Amorosi 5.20.09
If the utility industry is reading this article, or has been thinking this way for a long time - which I suspect is the case, is it any wonder why there has been so little support for introducing real-time electricity markets for all consumers as in your IMEUC proposals?
Besides fighting over who would bear the costs for the in-home technologies, it would require consumers to communicate with THEIR smart meters to get access to the grid. The latter I'm sure conjures up nightmares for utility officials of security breaches, especially given THEIR meters are their only billing mechanism that determines their income.
In essence my perception has been most utility companies have shuddered at the concept of anyone communicating with THEIR smart meters, and will only allow it if governments or industry regulators force them to.
Times are a changin’ though. I read on another EP article lately that Texas is passing state legislation that will force all Texas utility companies to provide all customers smart meters equipped with a standardized communication portal into their homes (like Itron’s Open-Way system, or similar Zigbee radio transceivers). I don’t recall exactly by when but it is something like by 2015, presumably at least to enable consumer real-time energy monitoring and also enable utility demand response capabilities through AMI systems.
Bob Amorosi 5.20.09
The article is "Advanced Meters in Texas Provide Billing Benefits" by Steve Schugart, just published on EP May 14th. The rollout completion date for the whole state is by 2014. Another primary function enabled by the communication portal into residential homes will include customer pre-paid energy billing.
Len Gould 5.27.09
Bob. Agreed, a lot of resistance there. To the point where Google has teamed up with Toronto Hydro to develop a widget to add to the Google toolbar which communicates with the utility central database in order to display meter data. Apparently it can only access the previous day's readings..... what nonsense. No doubt utilities will try to use it to show regulators that they are providing the data to customers, though. Day-old meter readings are almost as useless for customers as no meter readings.
Bob Amorosi 5.28.09
The previous day's meter data is all that Toronto Hydro is allowed to make available to customers because the mandate given to Ontario's utility companies (by the Ontario government's smart meter initiative) was to collect meter readings only once or twice a day. The data must be ready to access by customers by 8:00am the next morning to view if desired, typically on the utility's website.
Real-time feedback to all customers is not part of their current plans unless government forces them to provide it through new legislation, or if given the money (by someone) to do so.
Interestingly, some utility people have told me in the past they believed real-time feedback to all customers will eventually be needed in the future, which can be many years out for the traditional pace of change in their industry and by our government. Governments take many years to react because they will want to study its benefits to death before committing any tax revenues to implement broad-based new mandates.