By Gregory Hale
Smart meters may not be perfect right now, but they are here to stay and their security posture will continue to get stronger.
“Smart meters provide a net benefit for utilities and for users,” said Jacob Kitchel, senior manager of security and compliance for Industrial Defender. “No computer or software will be totally secure, but it is possible they will have enough security built in to force attackers to go elsewhere.”
Kitchel was responding to a report that a series of hacks perpetrated against smart meter installations over the past several years may have cost a U.S. electric utility hundreds of millions of dollars annually.
That report came from an FBI cyber intelligence bulletin obtained by KrebsOnSecurity.
The goal of smart meters is to improve efficiency and reliability, and to allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility’s ability to remotely read meters to determine electric usage.
However, some meters are better than others at fending off hackers and blocking unauthorized modifications. The FBI said insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software available on the Internet.
Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts it believed related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.
Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert said. The FBI believes thieves hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software you can download from the Internet.
“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert said. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”
“People have been getting by on utilities in the past, but what sets this apart from the historical ways is using the optical port,” Kitchel said. “There will always be theft from meters, but this allows criminals to modify the configuration from a software perspective. Dumb meters didn’t have that capability.”
Kitchel added there was another potential part that could also come out of this incident, and that is the wireless component. “These meters also have methods of wireless communication. That will be something to look at.”
Meter vendors have taken steps to solve security issues, but right now implementation varies. After the first round of smart meters came out, vendors and utilities soon found out what the problems were and fixed them, Kitchel said.
The beauty of smart meters, though, is the ability to remedy the security profile.
“Meters have some flexibility in the software, so there is some ability to adjust,” Kitchel said.
Another method of attacking the meters involves placing a strong magnet on the devices, which causes them to stop measuring usage while still providing electricity to the customer, the FBI said.
“This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company.”
“Each method causes the smart meter to report less than the actual amount of electricity used,” the FBI said. “The altered meter typically reduces a customer’s bill by 50 percent to 75 percent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 percent of meters had been altered.”
The FBI estimated the Puerto Rican utility’s losses from the smart meter fraud could reach $400 million annually.