Hacking the smart grid


The recent Australian Business Assessment of Computer User Security survey by the Australian Institute of Criminology found that the computer security incident experienced by the highest proportion of victimised businesses was a virus or other malicious code.

Sixty-four per cent of businesses that were victimised by one or more computer security incidents (65% of small, 61% of medium and 52% of large businesses) experienced this type of attack. The most common effect was hardware or software corruption.

That's a sobering fact for Australian businesses that are pushing new devices out to customers and then interacting with those devices over the internet.

Hackers will look for vulnerabilities in these devices and their networks. Just as identity theft was spawned by "dumpster diving" - people searching through rubbish bins for bank statements - why not walk up to a household electricity meter, read its unique identifier off the casing, then use that identifier online for financial gain?

In time, such identifiers could be as valuable in the online criminal marketplace as credit card numbers, particularly if a utility is careless enough to use one as the answer to a login challenge on a password-protected website. With meters reporting back over wireless networks, the exploit could be as simple as driving up the street collecting whatever identifiers and readings the meters transmit in the clear, a process colourfully known as "wardriving".
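The weakness described above is an identifier that anyone can read off the device or sniff from its radio link being treated as a secret. The following Python, which is an added example rather than anything from the article or from a real utility, shows the attacker's harvest from a constructed capture, a portal that accepts the bare meter ID as its login challenge, and a hardened portal in which the ID is only a lookup key and authentication is a challenge-response over a per-meter secret. The frame layout, the portal classes, and the account and key tables are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a passer-by or "wardriver" might capture: a
# meter's periodic report with its identifier in the clear. The layout is
# hypothetical; real metering protocols differ.
CAPTURED_FRAMES = [
    b"METER_ID=AU-NSW-0012345;KWH=00123.4;TS=1280000000",
    b"METER_ID=AU-NSW-0012346;KWH=00087.9;TS=1280000005",
]


def harvest_identifiers(frames):
    """The attacker's view: pull clear-text meter identifiers out of captured frames."""
    ids = []
    for frame in frames:
        fields = dict(f.split(b"=", 1) for f in frame.split(b";"))
        ids.append(fields[b"METER_ID"].decode())
    return ids


class WeakPortal:
    """Hypothetical portal that uses the meter ID itself as the login challenge."""

    def __init__(self, accounts):
        self.accounts = accounts  # meter_id -> account holder

    def login(self, meter_id):
        # Whoever knows the ID (anyone who walked past the meter) gets in.
        return self.accounts.get(meter_id)


class HardenedPortal:
    """Hypothetical portal: the ID is only a lookup key; proof of possession is an
    HMAC over a fresh server nonce using a per-meter secret that never leaves the
    device and is never transmitted."""

    def __init__(self, accounts, meter_keys):
        self.accounts = accounts
        self.meter_keys = meter_keys  # meter_id -> 32-byte secret provisioned at manufacture
        self._pending = {}  # meter_id -> outstanding nonce (single use)

    def challenge(self, meter_id):
        if meter_id not in self.meter_keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[meter_id] = nonce
        return nonce

    def login(self, meter_id, response):
        nonce = self._pending.pop(meter_id, None)  # consume it: no replay
        key = self.meter_keys.get(meter_id)
        if nonce is None or key is None:
            return None
        expected = meter_respond(key, meter_id, nonce)
        if not hmac.compare_digest(expected, response):
            return None
        return self.accounts[meter_id]


def meter_respond(key, meter_id, nonce):
    """What a genuine meter holding its key computes; without the key the
    harvested identifier alone is useless."""
    msg = b"login|" + meter_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    accounts = {"AU-NSW-0012345": "J. Citizen", "AU-NSW-0012346": "A. Resident"}
    harvested = harvest_identifiers(CAPTURED_FRAMES)

    weak = WeakPortal(accounts)
    weak_wins = [weak.login(m) for m in harvested]  # both accounts fall to the harvest

    keys = {m: secrets.token_bytes(32) for m in accounts}
    hard = HardenedPortal(accounts, keys)
    target = harvested[0]

    # Attacker has the ID but not the key: a guessed response is rejected.
    hard.challenge(target)
    attacker = hard.login(target, secrets.token_bytes(32))

    # The genuine meter answers the challenge correctly.
    nonce = hard.challenge(target)
    genuine = hard.login(target, meter_respond(keys[target], target, nonce))

    # Replaying that same response fails because the nonce was consumed.
    replay = hard.login(target, meter_respond(keys[target], target, nonce))

    return {"harvested": harvested, "weak_wins": weak_wins,
            "attacker": attacker, "genuine": genuine, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The hardened portal only helps if the per-meter secret really does stay on the meter; a customer with a screwdriver and physical access is exactly the adversary it has to resist, which is why that secret belongs in tamper-resistant storage rather than in ordinary flash.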

All of these networked devices raise the prospect of their being remotely controlled in large numbers, just as we see with traditional botnets: zombie-like hordes of PCs under a malicious hacker's control and usually bent to nefarious and illicit ends.

Once infected by malware, an electricity meter (or similar device) is under the control of whoever runs that malware, who may send instructions to turn power on or off, or extract information about the owner of the device and their power use.

Remember how online gambling sites used to be hit by denial of service attacks followed up by extortion requests? A savvy criminal group could do the same thing with a utilities provider after they have remotely disconnected customers en masse or targeted institutions such as hospitals. The resulting drop in public confidence would be disastrous.

Boutique penetration-testing companies claim they can already do this and more.

And a cunning customer may hack their own meter so that it reports less electricity use than actually consumed, resulting in a lower power bill.


The average computer user struggles to keep their anti-virus software current and properly configure their firewall. How will they cope with internet-enabled utility connections?

There are many internet sites awash with security advice, yet the incidence of end-user compromises keeps growing. Consumers may reject having to learn yet more skills to protect their homes' infrastructure if it all becomes too hard.

It is up to those in the supply chain - government, energy providers and ISPs - to support and protect consumers during this change. Institutions must work to change consumer behaviour to ensure implementation is successful. That's not a get-out-of-jail-free card for the user. They still need to act sensibly just as they would when surfing the web.


With the advent of the smart grid, we expect energy regulators to focus on retail prices that vary with system conditions and demand, enabling customers to lower their power bills by setting appliances to run when prices are low. But this new dynamic will force regulators to widen their thinking to the issues discussed above.

Unless regulators take the security of these systems and of customer account information seriously, and implement appropriate policy and procedures, the goal of shifting consumers onto variable electricity rates, or of persuading them to pay vastly increased rates for reliable supply at peak times, will not be met.

Nigel Phair was the team leader of investigations at the Australian High Tech Crime Centre from 2003-2007. He is an author, recognised Australian IT security authority and SC Magazine Australia Awards judge. He will speak at the e-Crime Symposium in Sydney on August 4. Details at the conference website at www.ecrimesymposium.com.
