Itron Inc. (NSDQ: ITRI) is putting its smart meter security to the test with the Department of Energy's Idaho National Laboratory – the latest move by a smart grid company to make sure new digital communications and controls for the power grid don't lead to new ways to tamper with it.
But don't worry, says the leading smart meter maker. It's all part of an ongoing effort being undertaken by Itron and other companies, as well as the government and industry groups with a stake in securing the smart grid still on the horizon.
Still, it's a timely topic, if only because media reports of potential smart grid hacking vulnerabilities have been emerging at the same time as the Obama Administration is taking a closer look at cybersecurity of all kinds, but with a focus on the power grid in particular.
Last month, President Barack Obama cited smart grid security as one reason for creating a new White House "cybersecurity czar" position.
The new position came after a string of reports emerged, ranging from an anonymously sourced Wall Street Journal article saying foreign spies had infiltrated a power grid system to claims by cybersecurity firm IOActive that it had proven it could hack a smart meter system to boost or cut power to millions of homes at once, which would cause the grid to fail (see Hacking the Grid: Is Smarter Less Secure?).
The latest assault on smart meter security came last week from IOActive security consultant Mike Davis, who told The Register that the "vast majority" of smart meter systems use no encryption or authentication processes to prevent someone from uploading malicious software or turning meters on and off en masse.
Rich Creegan, vice president of marketing at Itron, denied that claim. Itron has hired cybersecurity provider Certicom to provide encryption, and has designed its smart meter networks in a way that requires all commands to pass through "trust centers" that are "diligently locked down with certification and authorization, in our opinion to the highest security levels available," he said.
As for catching, isolating and eliminating an intrusion, Itron works with Industrial Defender, which specializes in securing legacy industrial and utility control systems as they upgrade to newer technology, he said. The company serves as "the watchdog, minding the perimeter, so to speak, and makes sure the right people are getting into the right places," he said.
After all, smart meters, with their ability to take utility commands to turn on and off, or send signals to in-home energy management systems or appliances to turn down or off during peak energy demand times, could be used in nefarious ways (see The Smart Home, Part I).
"When you are embedding intelligence, when you are providing two-way command and control... then you need to be very diligent about the way you're putting assets out at the edge of your security system," Creegan said.
Erfan Ibrahim, power delivery technical executive for the utility group Electric Power Research Institute, also denied the idea that smart meter makers were hopelessly behind the cybersecurity times.
"It's not true that smart meters are being put up without any meter-to-meter authentication and encryption. It's just not happening," he said.
He also suggested that security gaps claimed by IOActive could have been discovered within pilot projects, which are meant to test a system, find its problems and correct them.
"I don't want to suggest that we've solved the cybersecurity problem," he said. But "these elementary things that grade-level hackers are going to do, have been covered. Now we're talking about sophisticated scenarios where the hacker really knows the system and could exploit the vulnerabilities."
Todd Nicholson, Industrial Defender's chief marketing officer, said that such "insider threats" are among the chief concerns for clients of his company, which both deploys technology and manages network operations centers to watch over clients' IT systems.
"The biggest challenge we see from our customers is [protecting against] the malicious and non-malicious attempts from inside the perimeter of the network," he said. That can range from a fired employee hacking the system for revenge or embezzlement to a college intern mistakenly uploading anti-virus software that wreaks havoc with a network, he said.
Still, the idea of "extending an IP-based network all the way down to the meter level" does open up the potential for both inside and outside hacking to cause problems, he said.
To protect against that, Ibrahim said, "You don't want too centralized an architecture. You want to have distributed intelligence in the grid – you don't want a single point of failure."
Itron may have a particular stake in publicizing its security efforts, given that at least one analyst has pointed to potential security problems as a possible cause of a slowdown in some of its smart meter contracts (see Security Concerns Behind Slowdown in Itron Rollout?).
But as Ibrahim put it, every company with an eye toward providing equipment and services to utility smart grid efforts should be concerned with security.
After all, he said, if any of the worst-case scenarios outlined by IOActive came to pass, it could sour utility regulators on the idea of an interconnected electricity grid for years to come.