BGE must work to shut hackers out of smart grid

A security consultant named Mike Davis, working for IOActive, got a lot of attention last year for buying a "smart" computerized electricity meter on eBay and hacking into its software.

At the Black Hat hacker convention in Las Vegas, Davis ran a simulation showing how a "worm" (similar to a virus) could take over a smart grid by replicating itself and passing from meter to meter.

"Malicious code could quickly propagate throughout a neighborhood, ultimately causing power disconnections and calibration modifications, rendering the meters inoperable," IOActive, a Seattle-based computer consultancy, wrote on its website.

Next year, Baltimore Gas & Electric Co. will start installing these smart meters in the 1.1 million households it serves. The idea is to make the grid more efficient, produce better information about how people use energy and give customers incentives to conserve.

All good intentions. But most of the questions I get from readers about BGE's project are similar to those posed at the Black Hat confab. How secure will these meters be? How do I know my energy-use information will be kept confidential? What good are efficiency and conservation if the new meters become a privacy nightmare and gilt invitation to terrorist saboteurs?

So I asked BGE.

The good news is that the utility makes a pledge that security experts consider to be at the core of responsible stewardship of smart-meter information.

"We view the usage data as the customer's data," says Mark Case, the company's senior vice president for strategy and regulation. "We would not make it available to third parties without the consent of the customer."

The bad news is that BGE doesn't have a designated privacy officer of the type recommended in draft protocols for the smart grid published by the National Institute of Standards and Technology. BGE needs one.

"If that becomes the standard and that's put in place, then we would definitely go forward with that," said Case.

BGE can hardly obsess enough over security and privacy even though the first meter installations are months away. The time to start securing the smart grid is the day you being thinking about it. Wait until after it's installed, the security pros say, and it's too late.

Last week, BGE finalized a deal with Silver Spring Networks to buy the computerized meters and related software and hardware.

Silver Spring beat more than a half-dozen other bidders partly because its meters are more upgradable, with greater memory and processing capacity, said Michael Butts, director of BGE's smart grid project. BGE's security consultants — affiliates of Lockheed Martin and Deloitte — also rated the Silver Spring system the most hack-proof, along with another company's meters, Butts said.

The wireless signal that beams your electric data to BGE several times a day will be encrypted, Butts said. All connections will be secure. Smart grid components will require authentication before trading information, he said. (This seems to have been the problem with the smart meter cracked by IOActive. The company hasn't said who made the leaky meter.)

"In evaluating technologies, security was one of the highest [priorities] that we were concerned about," Butts said. "We know that this is a critical system. We're going to up the ante on these security requirements."

Hope so. The ways in which a flawed system could potentially compromise privacy and safety are practically limitless, from revealing information about somebody's marijuana grow-lights to shutting down electricity in several states.

Hackers could besiege a local grid as a fake-out "to roll all the maintenance trucks" to one side of town, setting up an attack on the electrical system elsewhere, suggested the Gartner Group in a recent paper, "The Myth of Smart Grid Security." Or they could deliver malicious software into a utility's central computers disguised as customer data.

The smart-meter rollout is in its infancy globally, but already problems have included "insecure meters, hacking of customer details, denial of service attacks and suspected infiltration by foreign intelligence services," Ian Watts, head of energy and utilities for the U.K. consultancy Detica, told the Telegraph newspaper last year.

One of the top U.S. smart-grid security experts, IBM's Jack Danahy, rarely talks to anyone in the business who "doesn't already consider the smart grid to be in pretty desperate need of some shoring up," he wrote on his blog.

This isn't to predict disaster. Properly implemented, the smart grid will deliver benefits that far outweigh the costs. But the potential problems of security and privacy give many customers the creeps. BGE must make preventing them its No. 1 priority or risk losing public support for the whole project.

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad