Security weaknesses pose threat to smart grid rollouts


Smart grid technology is undoubtedly a big issue. The US government has allocated billions of dollars to the development and deployment of technology that enables the remote monitoring and control of the electricity supply, and the European Union is also backing the introduction of smart grid solutions.

The principle behind smart grids is simple: by enabling more accurate monitoring and analysis, the delivery of electricity can be made more "intelligent". Providers can ensure a constant supply is available to meet demand and ease provisioning, while customers receive accurate, timely usage statistics -- aiding energy conservation efforts through the use of real-time data.

But Mike Davis, a senior security consultant with research company IOActive, has warned that a rush to roll out the technology could give rise to serious security problems. The current generation of meters was deemed "probably not mature enough", with Davis warning that "many of the security vulnerabilities we found are pretty frightening and most smart meters don't even use encryption or ask for authentication before carrying out sensitive functions like running software updates and severing customers from the power grid".

Davis and his associates have developed proof-of-concept malicious code that self-propagated on a peer-to-peer basis, spreading from one meter to the next. Common attack techniques, including buffer overflows and both persistent and non-persistent rootkits, were adapted to target smart meters.

An attack on the grid could have a number of consequences, from calibration modifications that render meters inoperable, to co-ordinated attacks that cause utilities to lose control of the infrastructure, exposing them to fraud, extortion attempts, or widespread system interruption -- putting the integrity of the power supply infrastructure at risk. This potential damage means that smart grid companies need to act sooner rather than later, to ensure that they do not roll out technology that includes fundamental flaws.

Davis said that he hopes exposing the flaws will "prompt vendors to mitigate existing vulnerabilities and increase security in future products".

Nicolas Jacquey