The connected devices that many infrastructure companies are planning to deploy as part of a "smart grid" have serious security vulnerabilities that could allow malicious attackers to seize local control of home utility networks, security firm IOActive announced on Monday.
The vulnerabilities, discovered independently by researcher Travis Goodspeed and by employees of IOActive, underscore the dangers of deploying smart grid technologies before the developers have designed adequate security mechanisms, said Joshua Pennell, CEO of IOActive. In particular, the researchers focused on the Advanced Metering Infrastructure (AMI), the devices that monitor and control the use of energy in homes and businesses. Currently, about 2 million of the devices have been deployed and an estimated 17 million more have been ordered by utilities, according to IOActive.
"The smart grid is a lot of different things, but, at its core, will be a lot of embedded devices, each with a network stack to communicate with each other," Pennell told SecurityFocus. "Seriously, it is taking this read-only medium, from a consumer standpoint, and making it a read-write."
Companies that manage critical infrastructure — such as energy, transportation and food distribution — have been slow to improve their cybersecurity. In 2006, following the well-publicized smoking-generator demonstration, state governments and federal laboratories recommended better security procedures for infrastructure firms. In 2008, intelligence officials claimed, without supporting evidence, that cybercriminals had hacked into power plants and threatened to darken cities if not paid. The Obama administration has made cybersecurity a top priority and is currently reviewing initiatives undertaken by President Bush.
While IOActive did not disclose the companies whose products contained the vulnerabilities, Goodspeed has blogged about attacking the security of devices that use the Zigbee wireless protocol. Many home-area network devices, which measure and control power consumption in the home, use Zigbee. In 2008, the Zigbee Alliance wrote in an opinion piece that the protocol includes "four basic security services: authentication, message integrity, message confidentiality, and replay protection."
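To make concrete what those four services have to deliver on a meter link, and what an attacker who can sniff and inject radio frames will try, here is an added example that is not from the article, from IOActive or from the Zigbee specification. It models a meter and a collector sharing one network key and uses AES-GCM from Go's standard library as a stand-in for the protocol's own authenticated-encryption mode; the frame layout, the addresses, the key and the payloads are all constructed for the demo and do not match the real Zigbee frame format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a simplified, constructed link-layer frame (not the real Zigbee
// format): the header travels in the clear but is authenticated; the payload
// is encrypted and authenticated.
type Frame struct {
	Src     uint16 // sender short address
	Counter uint32 // per-sender frame counter
	Body    []byte // AEAD ciphertext followed by the authentication tag
}

var (
	ErrReplay = errors.New("replayed or out-of-order frame")
	ErrAuth   = errors.New("authentication failed")
)

// Node models one device holding the shared network key.
type Node struct {
	addr    uint16
	aead    cipher.AEAD
	counter uint32            // last counter this node sent
	seen    map[uint16]uint32 // highest counter accepted from each source
}

func NewNode(addr uint16, key []byte) (*Node, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Node{addr: addr, aead: aead, seen: map[uint16]uint32{}}, nil
}

// header serialises the cleartext fields; they are bound to the payload as
// associated data, so altering the address or counter breaks the tag.
func header(src uint16, ctr uint32) []byte {
	h := make([]byte, 6)
	binary.BigEndian.PutUint16(h[0:2], src)
	binary.BigEndian.PutUint32(h[2:6], ctr)
	return h
}

// nonce derives the 12-byte GCM nonce from (src, counter); it stays unique
// under one key as long as no sender ever reuses a counter value.
func nonce(src uint16, ctr uint32) []byte {
	n := make([]byte, 12)
	copy(n, header(src, ctr))
	return n
}

// Send encrypts and authenticates plaintext under the next counter value.
func (n *Node) Send(plaintext []byte) Frame {
	n.counter++ // a real device must rekey before this wraps at 2^32
	body := n.aead.Seal(nil, nonce(n.addr, n.counter), plaintext, header(n.addr, n.counter))
	return Frame{Src: n.addr, Counter: n.counter, Body: body}
}

// Receive rejects replays first, then verifies the tag and decrypts.
func (n *Node) Receive(f Frame) ([]byte, error) {
	if f.Counter <= n.seen[f.Src] {
		return nil, ErrReplay // counter must strictly increase per source
	}
	pt, err := n.aead.Open(nil, nonce(f.Src, f.Counter), f.Body, header(f.Src, f.Counter))
	if err != nil {
		return nil, ErrAuth
	}
	n.seen[f.Src] = f.Counter // advance only after the tag verified
	return pt, nil
}

// Outcome records what the collector did with each frame in Demo.
type Outcome struct {
	Plaintext        string // first, genuine frame
	ReplayErr        error  // the same frame delivered again
	TamperErr        error  // fresh frame with one ciphertext bit flipped
	ForgedCounterErr error  // captured frame re-sent with a higher counter
}

// Demo runs a meter-to-collector exchange plus three attacker attempts.
func Demo() (Outcome, error) {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key
	meter, err := NewNode(0x0001, key)
	if err != nil {
		return Outcome{}, err
	}
	collector, err := NewNode(0x0000, key)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	f1 := meter.Send([]byte("kWh=1234;relay=ON")) // constructed payload
	pt, err := collector.Receive(f1)
	if err != nil {
		return Outcome{}, err
	}
	out.Plaintext = string(pt)
	_, out.ReplayErr = collector.Receive(f1) // attacker replays the capture
	f2 := meter.Send([]byte("kWh=1250;relay=OFF"))
	f2.Body[0] ^= 0x01 // attacker flips a bit in the ciphertext
	_, out.TamperErr = collector.Receive(f2)
	f3 := f1
	f3.Counter = 100 // attacker bumps the counter to dodge the replay check
	_, out.ForgedCounterErr = collector.Receive(f3)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The ordering in Receive matters: the replay window is advanced only after the tag checks out, so an attacker who injects frames with large counters cannot push the window forward and lock out the genuine sender. Conversely, because the counter is in the associated data, re-sending a captured frame with a new counter fails authentication rather than slipping past the replay check.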
Pennell, who briefed the White House last week on the security issues, stressed that the smart-grid industry needs to consider the security threats to their products now, rather than trying expensive fixes once their systems are already deployed.
"We haven't missed the train — these things are out there at some small beta sites, so it's not too late," he said. "Let's take a step back and make sure we are baking security in rather than bolting it on."
A hearing in front of the U.S. House of Representatives' Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on "Protecting the Smart Grid Against Cyberattack," scheduled for Tuesday, was indefinitely postponed following the revelations.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos