Power grid is found susceptible to cyberattack

Researchers at IOActive have written a proof-of-concept worm that could spread on next generation power meter devices

An emerging network of intelligent power switches, called the Smart Grid, could be taken down by a cyberattack, according to researchers with IOActive, a Seattle security consultancy.

IOActive researchers have spent the past year testing Smart Grid devices for security vulnerabilities and have discovered a number of flaws that could allow hackers to access the network and cut power, according to Joshua Pennell, IOActive's CEO. Smart Grid devices are small computers that are connected to the power grid, giving customers and power companies better control over the electricity they use. There are about 2 million of these devices currently deployed, but many more are expected to be added in coming years.

The researchers created a computer worm that could quickly spread among Smart Grid devices, many of which use wireless technology to communicate, according to Travis Goodspeed, an independent security consultant who worked with the team. "It spread from one meter to another and then it changed the text in the LCD screen to say 'pwned'," he said. Pwned is hacker-speak meaning "taken over."

In the hands of a malicious hacker, this code could be used to cut power to Smart Grid devices that use a feature called "remote disconnect," which allows power companies to cut a customer's power via the network.

IOActive briefed the U.S. Department of Homeland Security on its findings Monday and is advising the utilities industry to better test the systems before deploying them in the real world.

News of IOActive's research was first reported by CNN, ensuring that the security of the Smart Grid will get a lot of public attention as the U.S. moves forward with plans to add another 17 million of these devices over the next few years.

The robustness of U.S. power networks has been a hot-button issue after a technical glitch in 2003 caused a cascading power failure in the eastern United States and Canada that affected 55 million people.

Hackers have eyed power systems before. Last year, the U.S. Central Intelligence Agency confirmed that criminals had hacked into computer systems via the Internet and cut power to several cities in countries outside of the U.S.

The IOActive research will probably never be released publicly: Many of these devices are already deployed and it would be too dangerous to make the bugs known.

Pennell said that his team's work was not focused on one particular device maker and that they were able to confirm a number of the theoretical vulnerabilities identified by Goodspeed, who has researched vulnerabilities in the Texas Instruments MSP430 chip used by some Smart Grid devices.

"They demonstrated that the same vulnerability exists within a particular smart meter and they demonstrated that they could exploit it, and do this on a stock software with no changes," Goodspeed said.

These Advanced Metering Infrastructure (AMI) Smart Grid systems use a variety of low-power processors along with custom-designed firmware and operating systems and can be equipped with a variety of wireless protocols, which can give attackers different ways to break into the systems, Pennell said.

Smart-meter makers would benefit from having outside security experts test their products for flaws, Pennell said. "The design and implementation of these systems has not been scrutinized by a third party," he said.

Although this has not always been the case, today it is common practice for companies like Microsoft to bring in outside hackers to stress-test their products before they ship.

Even if the industry doesn't invite them, third parties are likely to take a look at these smart-grid devices, Pennell said. Often they can be picked up for a few hundred dollars on eBay, giving hackers an inexpensive way of testing their attacks.

Should one of these security bugs be made public, it wouldn't just be dangerous, it would also be expensive, costing utility companies big money as they went back and retrofitted their buggy systems, Pennell said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackingpowersmart metering

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender’s best-in-class security solutions have been awarded Product of the Year. Get cybersecurity that 500 MILLION users already have and trust!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?