When I moved to Davis in the late 1980s, I settled into a little boxy apartment with wall to wall carpeting and cottage cheese ceilings. My possessions included a futon, card table, clothes and a smattering of kitchenware. When I got a couch, I threw a party to celebrate the event. Opening the first utility bill sent to my new abode delivered quite the shock. It was for more than $200. I went down to the nearby Pacific Gas & Electric office (which it had in those days) to complain. I pointed out that I didn’t use the apartment air conditioning because it roared and spewed out warm air, that I cooked stove top meals, and used the computer at the university. After far too many debates with customer service, it was finally acknowledged that I got slapped with the previous tenant’s bill. That was not the only erroneous bill I received. The next one came a few years later at another address, this time from a water utility. It claimed my household water use soared, although we were rarely home that month. I spent numerous hours dealing with that vastly inflated bill. So, I’m a little touchy about utility bills. I want assurances that safeguards are in place to protect the integrity of the system in and out of my home, particularly as utilities switch over to wireless electric and gas meters that connect to the mysterious cyberworld. The three investor-owned utilities in California are in various stages of installing meters in all their ratepayers’ dwellings and places of business. A number of munis, including the Sacramento Municipal Utilities District and cities of Burbank and Anaheim, are also planning smart meter deployment. They are moving in phased stages, starting with the largest customers to test them. I’ve heard a lot about the benefits of these meters that track customers’ energy consumption and I’m impressed. The plusses range from faster service and access to real time energy and price information that could motivate ratepayers to curb their energy use during sweltering days. And, the risks? So far those have been largely kept under wraps. Given that billions of dollars of ratepayer money is being spent on these systems and that millions of people could be affected we should be informed of the possible downsides. After two weeks of interviewing information technology and industrial control experts, I no longer question that swapping in high-tech meters increases the odds of hacking and cyber screw-ups, intentional and unintentional. Automated wireless control technologies to manage and control infrastructure—be it by the utilities, oil refiners or railroads—are similar. They are called Supervisory Control and Data Acquisition systems, or SCADA. According to the Cyber Security Industrial Alliance, these computer networks are vulnerable to “hacking, intrusions, viruses, data loss, data alteration and the like.” As proof, just this week the California Energy Commission approved a half a million dollar grant to beef up transmission cyber security research (see sidebar). Although security infringements of smart meters are possible, the probability is relatively low because the devices are loaded with encryption and authentication technology. As noted in last week’s column, a far more serious problem is the connection from the meter to the poles and substations, which are said to be unprotected. It is challenging to add in needed security, such as antivirus software and firewalls, to existing systems not built to accommodate quickly changing high tech components. New meters come with complex digital keys, which limit access to commands, such as load shedding, and/or information, be it about a customer’s hourly, daily or monthly energy use. There can be a few or dozens of these digital keys associated with meters, which can be changed, said Jim Alfred, director of product development for Certicom. The company, based in Toronto, develops cryptography for wireless meters, other devices and software. In most areas, meters have the same keys, but in other regions, such as the United Kingdom, each meter has a distinct key that provides additional protection, he added. It appears that vulnerability cracks are the biggest during the changeover to advanced meter infrastructure. The extent of vulnerability arising from a mix of old and new equipment, according to Alfred, “depends on the existing infrastructure.” Potential problems that could affect millions of ratepayers were acknowledged by very few. Investor-owned utilities either wouldn’t or couldn’t specifically address the issue. Pacific Gas & Electric provided a generic response. “The move from the current version to the next version does bring an increase in functionality and we are taking comprehensive steps to ensure that this additional functionality does not result in increased risk for our customers or to our operations,” PG&E spokesperson Paul Moreno said in a statement. My efforts to get some idea of the protections were met with, “We don’t like to discuss security because the more we talk about it the less we have.” I understand that, but we are talking about more than PG&E’s security here. I and millions of other utility customers could be affected. In contrast, Burbank Water and Power acknowledged the potential risk inherent in the existing and new metering systems. Burbank assistant manager Fred Fletcher pointed out that the biggest security risks arise from human mistakes, including the “inadvertent trip offs.” He added, “There are so many ways to screw up.” His point was driven home by Joe Weiss, Applied Control Systems managing partner. “Statistics over the past 20 years in mainstream IT have consistently shown that about two-thirds of all cyber security incidents originate from within an organization, and that the cause of those are unintentional human error,” Weiss told the U.S. Congressional Homeland Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology last fall. He claimed that numerous cyber incidents—meaning unintentional—”have occurred in transmission, distribution, and generation including fossil, hydro, and nuclear power plants.” The consequences, he said, ranged from “trivial to significant.” Weiss and Fletcher are not the only ones raising the issue. “Although some progress has been made recently, the Cyber Security Industrial Alliance believes that critical infrastructure protection and SCADA security are important issues that have not been given enough attention globally by governments or the private sector.” There are also intentional security compromises, or the “human weakness” element, noted Steven Healey, an independent corporate security consultant. That includes revealing confidential information, such as passwords, for various reasons, be it to repay debts or feel important, he said. My queries about personal training to boost cyber security and utility practices, including the amount of resources dedicated to the issue, were left largely unanswered by investor-owned utilities. The California Independent System Operator did tell me that they have a staff of 25 working on cyber security. The level of resources spent in this area is not separately accounted for, said Gregg Fishman, CAISO spokesperson. That lack of information from utilities leaves me wondering how much state regulators know about utility “smart” metering cyber protection practices and policies. Reports that are submitted on deployment assessments of these projects focus on costs, installation dates, and the hoped- for benefits. I have seen nothing on cybersecurity specifics. There must be checks and balances, as well as oversight. The California Public Utilities Commission should make sure that a range of protections are put in place and updated. It should require that ratepayers be informed about possible risks and safe practices, the equivalent of firewalls we install in our home and work computers. That way we all can help protect data and energy flows and guard against possible bill screw ups and bigger headaches. Reaching that milestone would be as exciting as the arrival of my couch was years ago in my Spartan apartment. It too would be a cause for celebration.
