Insecure smart grid technology could result in utility attacksSo-called smart grid technology must be developed with security in mind, or the next generation of the nation's power grid runs the risk of being overrun by hackers, a security company said Monday.
IOActive, provider of application security and risk management services, said in a report that digital smart grid technologies, designed to allow for increased efficiency and reliability, are vulnerable to common cyberattacks, such as malicious code, buffer overflows and protocol tampering.
That means products such as smart meters, which can be connected to appliances and enable two-way communication between homes and the utility companies, could provide entryways for malicious individuals -- resulting in extortion attempts or even blackouts.
"It increases the attack surface," said Josh Pennell, IOActive's president and CEO. "Something that used to be behind lock and key is open to the American public. You are encouraged to participate, in fact."
But Pennell said smart grid manufacturers may not be thinking about security.
"It's first to market wins," he said. "They'll deal with security later."
As a result, Pennell, who presented his company's findings to the U.S. House Committee of Homeland Security last week, called on vendors to utilize a framework similar to Microsoft's Trustworthy Computing Security Development Lifecycle model, used to develop the company's software. Plus, vendors must perform actions such as penetration testing and provide clients with white papers before rolling out their offerings, he said.
With $4.5 billion earmarked to develop the smart grid under the nation's economic stimulus bill, $10 million is going to the U.S. Commerce Department's National Institute of Standards and Technology (NIST) to facilitate the development of standards around the interoperability and security of the technology.
Mark Bello, a NIST spokesman, told SCMagazineUS.com on Monday that developing guidelines will require a lot of collaboration among many different entities.
"When you introduce the ability to interoperate, you don't want to also introduce the opportunity for security threats and breaches," he said. "It's a back-and-forth process that involves working with a lot of parties and getting them to a level where everyone is satisfied."
Once the standards have been created, the North American Electric Reliability Corp. (NERC), authorized by Congress to regulate the bulk power system, could decide whether to make them requirements. A NERC spokeswoman could not immediately be reached for comment.