Big business ignores smart meter security risks for short term profit

Smart meter vendors are ignoring the cyber security risks associated with this technology, pushing it on the masses mostly to drive profits.

A recent FBI report highlighted a number of cyber attacks against smart meter installations over the past several years. It said the attacks could have cost the US hundreds of millions of dollars per year.

According to the KrebsOnSecurity blog, the report warned that insiders and individuals with only a moderate level of computer knowledge could hack meters with low-cost tools and software, which could be bought quite easily over the internet. Such a hack could then be used to change the details of the smart meter and ramp up electricity bills for households.

According to a security expert, speaking on condition of anonymity, this isn’t a new threat.

“We’ve been saying for years that smart meters are targets for hackers but companies looking to make money from this technology have ploughed ahead regardless,” our source said. “Now it seems that governments and the legal authorities are finally waking up to what a big threat this is”.

Back in 2009, the Georgia Tech Information Security Centre warned that cyber tactics could be used to defraud utilities or perhaps cause power outages. They said the threats applied to water and gas systems, which are rolling out smart meters and advanced metering infrastructure. A further warning was issued that hospital infrastructure could be caught up in the attacks either through a direct attack, or accidentally through unpatched software on critical systems.

“There is a problem and this latest FBI finding is just bringing it to the surface,” TechEye heard. “The fact that most small time hackers can break into one of these shows there’s a huge gap in the regulatory market”.

Earlier this year, E.ON got heavy handed and criticised the UK parliament for citing cyber security fears as a reason for delaying the UK’s smart meter roll-out.

However, our source told us this “may have been one of the most sensible things parliament had done in a very long time.”

“Ruled by big businesses,” our source said, “governments are having their hands forced into signing requirements for this technology without being 100 percent sure about the cyber security consequences”.

“They are ruling the roost and putting huge pressure on authorities and businesses.

“Until big business butts out and stops forcing authorities to make rash decisions we’ll have a problem on our hands. And as this technology grows and companies and vendors continue to push on regardless of the consequences, then we could see a lot more problems.”

KrebsOnSecurity agreed: “Two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.”

According to our source, there are other worrying implications, which suggest that big business is being short sighted and, most likely, is in danger of shooting itself in the foot.

“If the smart meter has personal information, such as names and addresses, these could be used for ID theft,” TechEye was told. “Secondly, if they can hack a residential meter, then hackers can also move onto big businesses, smart grids and much more.”

Vendors need to “for once” put cash aside and “really think about consequences” – or they could team up and create security regulation and research into how these abuses can be curbed. “Of course,” our source said, “this will never happen.”