For a utility that’s in the process of installing smart meters, there are probably few things more terrifying than the simulation of a smart meter worm that IOActive’s Mike Davis showed off at the annual security conference Black Hat on Thursday. During Davis’ presentation, he showed how he and his team at the security consulting firm created a simulation in which, over a period of 24 hours, about 15,000 out of 22,000 homes had their smart meters taken over by a worm that could put the device under the control of the worm’s designers.
Davis showed off a time-condensed version of the simulation using an overlay on Google Earth. At the beginning of the simulation there were 22,000 green pins on the image of the satellite map to signify actual plotted addresses in a metropolitan area; after the introduction of the smart meter worm, the majority of the pins quickly turned a shade of red, rapidly spreading from the point where the worm was introduced. The image was reminiscent of the spread of an infectious disease, and Davis said that in a real-world scenario the worm could spread more slowly or more quickly depending on a variety of technical conditions.
Davis said the reason he could so easily hack the meter and spread the worm in the simulation was that there was a fundamental design flaw in the specific meter model itself, though Davis wouldn’t name any individual manufacturers. Among other things, the meter he took over didn’t have proper data encryption and couldn’t tell the difference between the meter next to it in the network and a device that was intended to wirelessly upgrade its software. “The guys that built this meter had a short term view of how it would work,” Davis said.
The manufacturer used in the simulation didn’t take kindly to being told their security wasn’t up to snuff. Davis explained to the audience how when he told the manufacturer about the capabilities of the worm simulation, the first response from the meter maker was: “that’s impossible, our meters can’t spread something like that.” When Davis told them he had personally done this in his company’s security lab, the next response from the meter maker was: “how can you even access our meters,” to which Davis says he explained he bought it on eBay.
Given that Davis’ research has already gotten a lot of press (and negative reactions from some in the utility and energy industry) over the past month, Davis was cautious during his presentation. Over the past couple of months he seemed to have gone through a range of emotions, from the hacker-style joy of successfully being able to take over a system (he showed a photo of himself and a colleague drinking champagne at 4AM the morning he “pwned” the meter) to an admitted sensitivity over wanting to explain to the utility and energy industry that the point of his exercise was to get them to take security seriously and patch the vulnerabilities. “Nobody [in that industry] likes me,” he said at one point in response to a question about whether or not he would do more research on parts of the smart grid network that were more under control of the utilities.
But while the specific meter company didn’t respond well to Davis’ simulation, there are greater lessons for the industry. Davis explained in his presentation that once a worm started to spread in the manner of his simulation, “it’s hard to see how a vendor could react quickly enough.” The only effective response he could think of, he said, was to have a kill switch that would just shut down the meter, to stop the spread. Members of the utility industry seemed to agree and queried Davis after his talk about their companies’ own experiences with meter security. In addition, meters should be designed to be recoverable from such an attack, and be as secure as the mechanical meters of the first generation of dumb meters, Davis said.
Davis was also concerned with what someone could do with a large number of meters under their control and reminded the audience that he didn’t research how the worm could be used as a weapon. After the presentation, members of the audience discussed how turning on and off a large number of meters — say, 50,000 meters and 3 MW worth of electricity — could cause problems for the stability of that section of the grid.
At the end of the day, the allocation of the smart grid stimulus funds has caused a rush to roll out smart meters, and Davis is concerned that the speed of deployment could cause companies to neglect proper security. There’s an attitude of “we’ll fix this later,” he explained. But as Davis’ worm simulation showed, no company wants the attention and the financial and reputational problems of a meter security incident.