As California's utilities roll out millions of "smart meters" in the coming years, they're creating, for the first time, the possibility that the electricity infrastructure could be hacked through a home, security consultants say.
With San Diego Gas & Electric Co. and Southern California Edison installing 7.3 million smart meters — upgrading their entire customer base — they're essentially attaching small computers to each house, each equipped with wireless communications back to the utilities.
Utilities say they have been hardening the smart meters since they began development, but security consultants say they are worried: If criminals cracked the system, they could remotely install a virus that could shut down power for millions of customers.
The new smart meters will have a host of capabilities: They will credit homeowners who produce their own electricity via solar cells or wind turbines, be able to wirelessly communicate data to the utility and let utilities turn off the power remotely, among other functions that could be added.
"Were it telemetry only, then the only compromise is privacy," said Mike Davis, senior security consultant for the security service IOActive. "When you add remote disconnect, then you increase the attractiveness of the meter as a target."
Davis and his team hacked into smart meters last spring as part of a proof-of-concept they showed off at a Las Vegas security conference last summer.
They reverse engineered meters they bought on eBay and found in trash bins near installation sites. Then they installed a computer virus that would replicate itself across the wireless network and block the utility from each meter as it went.
Representatives from Edison and SDG&E said that the demonstration didn't change their work at all; that they've been working on security since they started development three years ago.
But Davis noted that utilities now require secure recycling of old meters, and eBay won't allow that sort of gear to be sold on the site any longer. Davis said they have done such a good job keeping the meters out of his hands that he hasn't hacked the most recent meters because he can't find one through legal means.
The demonstration may have also driven the federal government to create standards for smart meters in the previously unregulated smart meter arena. The National Institute of Standards and Technology, a branch of the Department of Commerce, released a draft of standards in September.
"Our security complies with the emerging smart grid standards in NIST," said Paula Campbell, director of the Edison Smart Connect Program.
"There's unique encryption, all designed with the goal in mind of minimizing the vulnerabilities."
The encryption would apply primarily to over-the-air communications from the devices. In theory, a criminal could sit in a car up to a mile away from a site and attempt to hack the WiFi signal of the devices.
Baker said that would be pretty hard.
"It's called security in depth," Baker said. "The old technology is there's one key that could open every door in the neighborhood. In the systems employed today, you need a different key for every room in your house."
Alternatively, a hacker could just try to wire directly into a meter.
All the devices will include a detector that sends an alert to the utility if the meter is shaken, removed or even if the front cover is taken off.
"How you respond to that, isolate that, control that in an organized fashion, it's part of our overall security program," said Chris Baker, chief information officer for SDG&E.
Davis, though, said he thinks the utilities are just buying a product, and it's the manufacturers who are rushing to market.
Itron Inc., the Washington-based supplier of smart meters to both Edison and SDG&E, pooh-poohed Davis' demonstration this summer.
"We believe our implementation is very secure and cannot be subjected to the kind of attacks shown by IOActive in their demonstration of unsecured equipment," company spokeswoman Kim Papich said in an e-mailed statement.
In a separate statement, Itron said it hired outside companies to test their systems. Both SDG&E and Edison said they also had contracted with third parties to conduct "penetration tests," in which security professionals search for holes in the security.
Davis said he is pleased that there is third-party testing, but he is still worried about creating a monoculture of devices. Because all the smart meters installed by SDG&E and Edison will be made by the same company and use the same software, they're only as strong or as weak as any one unit.
"If the attacker finds the vulnerability in one, the entire network is vulnerable," he said. "That's a catastrophic failure."