Insecure smart grid technology could result in utility attacks

Share this article:
So-called smart grid technology must be developed with security in mind, or the next generation of the nation's power grid runs the risk of being overrun by hackers, a security company said Monday.

IOActive, provider of application security and risk management services, said in a report that digital smart grid technologies, designed to allow for increased efficiency and reliability, are vulnerable to common cyberattacks, such as malicious code, buffer overflows and protocol tampering.

That means products such as smart meters, which can be connected to appliances and enable two-way communication between homes and the utility companies, could provide entryways for malicious individuals -- resulting in extortion attempts or even blackouts.

"It increases the attack surface," said Josh Pennell, IOActive's president and CEO. "Something that used to be behind lock and key is open to the American public. You are encouraged to participate, in fact."

But Pennell said smart grid manufacturers may not be thinking about security.

"It's first to market wins," he said. "They'll deal with security later."

As a result, Pennell, who presented his company's findings to the U.S. House Committee of Homeland Security last week, called on vendors to utilize a framework similar to Microsoft's Trustworthy Computing Security Development Lifecycle model, used to develop the company's software. Plus, vendors must perform actions such as penetration testing and provide clients with white papers before rolling out their offerings, he said.

With $4.5 billion earmarked to develop the smart grid under the nation's economic stimulus bill, $10 million is going to the U.S. Commerce Department's National Institute of Standards and Technology (NIST) to facilitate the development of standards around the interoperability and security of the technology.

Mark Bello, a NIST spokesman, told SCMagazineUS.com on Monday that developing guidelines will require a lot of collaboration among many different entities.

"When you introduce the ability to interoperate, you don't want to also introduce the opportunity for security threats and breaches," he said. "It's a back-and-forth process that involves working with a lot of parties and getting them to a level where everyone is satisfied."

Once the standards have been created, the North American Electric Reliability Corp. (NERC), authorized by Congress to regulate the bulk power system, could decide whether to make them requirements. A NERC spokeswoman could not immediately be reached for comment.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.