You know you’re at a hacker convention when the word “pwned” is used in numerous speeches and conference literature. I spent a couple of hours on Thursday at the annual Black Hat security convention in Las Vegas, not to learn about the newest ways to break into web companies’ private systems, but to listen to numerous speakers on the subject of potential vulnerabilities in the smart grid, and (more productively) what companies and policy-makers building the smart grid should do about those security issues.
According to one speaker, Tony Flick, a principal at IT security consulting firm FYRM Associates, utility and energy management web sites may be a serious security concern for the smart grid. Flick says he looked at eight different utility energy web sites, where consumers could use a number of energy management services, including turning down appliances that consume energy, and found that the majority of the sites had “very simple” and “basic” security vulnerabilities.
The security lapses he found are common problems with many web sites. Examples include the use of “clear-text protocols,” which are communication methods that don’t encrypt data, and “cross-site scripting,” which allows a hacker to inject code into a site so that it runs when the site is viewed by other visitors. But given the sensitive and private nature of energy consumption and control data, the vulnerabilities could cause problems for utility companies, Flick pointed out.
When it comes to the energy management tools built by the big web companies Google (PowerMeter) and Microsoft (Hohm), Flick said, vulnerabilities commonly found on Google and Microsoft sites could cross over to the companies’ energy management sites and services. For example, Flick said the companies often send “session IDs,” which are unique codes that a web site assigns a visitor during his/her visit, via unencrypted channels, potentially leaving the sites open to malicious use.
Flick also said that while he applauded the federal government and standards groups for paying attention to the security of the smart grid, they haven’t gone far enough. Security standards documents like the Automated Metering Infrastructure security framework (AMI-SEC), he said, use “security fluff words to make people feel warm and fuzzy,” instead of laying out specific guidelines to make the smart grid more secure. Flick said that in the same way credit card data security was left largely up to the credit card companies to self-police, smart grid security is being left to vendors and utilities.
Flick’s comments weren’t without controversy during his talk. Several audience members pointed out that because of different regulatory environments for utilities in various states and cities, energy data is managed and maintained in numerous ways, so the issues are more nuanced and differ from location to location.