JUICE: Cyber Insecurity

Published On: February 8, 2008

While the multiple benefits of “advanced” meters that track energy consumption for utilities are well advertised, little is said about the downside of installing these gizmos. Wireless automation and transport of information from the customer’s site to data banks frees up utility resources and is expected to curb energy use during times of peak demand. But it also creates a potential pathway for cyberattacks that could wreak havoc on the system. Various versions of these so-called smart electric and gas meters are being installed by Pacific Gas & Electric, Southern California Edison, San Diego Gas & Electric, as well as the cities of Burbank, Anaheim, and a number of other public power agencies. This infrastructure is set to allow automated meter reading for billing, as well as remote control over connections and disconnections. The new meters also are supposed to provide two-way real-time data on energy use and customer pricing. Ratepayers and utilities expect the devices to enable the remote control of appliances, including heaters and air conditioners, to lower demand when energy use is surging and supplies are short. The California Energy Commission, however, shot down rules on January 30 that would have allowed utilities to remotely control residential thermostats because of fears of “Big Brother” intrusions into privacy. Looking at the bright side, there really isn’t a whole lot to dislike about the advanced meter systems–not factoring in some of the programs’ multibillion-dollar costs, that is. Yet, little attention is focused on the new technology’s downside–not too different from the myopic approach to opening the energy market to competition during the heady days of deregulation. Advocates and regulators assumed competition would create a one-way pricing street, that is, downhill. They failed to pay sufficient attention to the fact that prices can go up as well as down.
The less than rosy side here is the added vulnerability this wireless communication channel brings. “Whenever you make it easy for administrators to handle, you make it easier to hack into,” warned David Hall, professor of cybersecurity at Montgomery College in Maryland. Cyberattacks from the outside or inside can result in intruders sending signals that disrupt operations, including ones to shut down power plants that disrupt voltage and the grid. Regulators and ratepayers should feel even more nervous given the “black box” treatment of power system cyberattacks. So far, details of intrusions that have occurred are kept under wraps. Thus, as utilities develop new systems they may build weaknesses into a system that could be avoided with adequate information. For example, the European Union’s transmission system was said to be hacked into a couple months back but specifics are difficult to track down. In 2003, a worm infected a private computer network at the Davis-Besse nuclear plant in Ohio. It disabled a safety monitoring system for five hours and “affected communication on the control networks of at least five other utilities,” according to the Cyber Security Industrial Alliance, based in Virginia. Some suspect that the huge Northeast Blackout in August 2003 was caused by a cyberattack. Last month, a rash of attacks on utility and other companies’ power systems was alluded to during a conference of international security officials from the electric, gas, oil, and government sectors. “We do not know who executed these attacks or why, but all involved intrusion through the Internet,” said Tom Donahue, a CIA cybersecurity analyst, according to a Washington Post report. This made me curious about possible break-in attempts at the California Independent System Operator. “Nothing has successfully breached our production system,” grid spokesperson Gregg Fishman told me.
Knowing that a new meter was coming to the side of my home, I wanted to get a grasp on what is at stake, so I started calling cybersecurity experts–both information technology (IT) and utility systems folks. First off, the utility sector is not unique. The vulnerabilities it faces are the same as those faced by the oil and gas, water, and sewage sectors–all of which use industrial wireless control systems. In addition, the stand-alone smart meters are probably the least of our worries at this point because they come with heavy encryption. Here’s the catch, they say: The far bigger problem lies in the vulnerability caused by unprotected connections from the meter to the pole and substations. “A lot of work has been done to protect pricing signals from meters to the connection point,” said Joe Weiss, managing partner at Applied Control Technologies. However, he adds that there are all kinds of ways to get into the utility system, including commands to a power plant via the distribution system. Part of the issue is that the type of data sent, and the speed at which it is transported, is very different from that of other internet-based activities, such as credit card transactions. “Even new equipment is not very well protected,” Weiss warns. According to the Cyber Security Industrial Alliance, “Most utility companies are finding it difficult to deploy security measures such as anti-virus and firewalls because of the technical challenges with current systems in place.” Some utility managers agree. “The vulnerabilities in our system make me sick,” said Fred Fletcher, Burbank Water and Power’s assistant general manager. Cyberattack concerns got the attention of the Federal Energy Regulatory Commission, which is not exactly a cutting-edge high-tech regulatory agency. Last month, it passed a number of cybersecurity measures to help protect the bulk power system.
After the January 17 approval of the rules, which were developed by the North American Electricity Reliability Corporation, commissioner Phil Moeller noted the nation’s transmission system “was a lattice of interconnections.” However, these standards do not apply to distribution systems or meters. In addition, utilities, according to Weiss, never really thought about security and assumed it would be there. Protecting the system takes money and planning from the very beginning. “Adding it in later is a fool’s approach,” Fletcher said. Thus, it is essential for the state regulators to step in and fill the void. The California Public Utilities Commission should mandate cybersecurity protections for utility systems. Utilities also need to develop policies and procedures to thwart possible intrusions into their systems. Then again, any whiz can intrude into a system with enough time and resources. The goal is to make it as difficult as possible. It’s kind of like being with a group of friends in the wilderness, when a bear approaches. You don’t need to outrun the bear, just your camping buddies. Or as Hall noted, “The security game is about decreasing vulnerability.” Regulators must acknowledge the threat of cyberattacks and put in place meaningful measures to protect ratepayers and the system upon which we all depend. The CPUC should also realize that secrecy can hinder both the efficiency and viability of new meters. I don’t worry about the system going on the fritz once in a while. But I do worry about getting a $1,500 bill because of cyberspace adulteration.
