Smart meters, not-so-smart security

With all the recent talk of smart grids and smart meters as a key M2M app for operators that can also help countries combat climate change through more efficient energy usage, it’s worth passing on this piece from Wired’s Threat Level blog that raises a key question: just how secure are IP-based smart grids?
Not very, according to a panel at last week’s RSA Security Conference in San Francisco.
Matthew Carpenter, a senior security analyst at InGuardians who has done penetration testing on smart-meter systems, said the most common vulnerability is susceptibility to “cross-site request forgery” on control systems, in which an attacker hijacks an authentication cookie stored in a web browser used to (in this case) authenticate a user to access a utility control system.
Another potential weak spot is the remote shut-off capability in smart meters. And yet another is the aggregation points that receive the data from large groups of meters:
“In some circumstances they’re simply going to give you a denial-of-service if you tamper with them because the crypto is done appropriately from the head-end control system down to the meters and the aggregation point really can’t tinker much with it,” Carpenter said. “But in other [cases] there’s a great deal of control that that aggregation point has, and they’re sitting on the top of a [utility] pole — not in a brick building [with] guard dogs and razor wire … and [they have] an ethernet cable.”
None of this should be surprising, of course. If it can be connected to a public network, it can potentially be hacked, given enough resources and time.
What’s less clear from the article – and something I’d be interested in finding out – is whether these vulnerabilities could lead to something serious like a major infrastructure shutdown, or something less catastrophic like tricking the power company into underbilling customers.
Also, if I’m reading this right, it seems they’re talking about utility companies building out their own smart grids using the public internet for connectivity. If that’s the case, surely there’s an opportunity here for operators to step forward with smart-meter networking solutions with value-added security guarantees at the top of the sales pitch.