“When you introduce computers everywhere in the grid – in the generation, transmission, distribution, and metering in homes – then you also introduce security risks. Unfortunately, it is very common that when new infrastructure is introduced, security is more of an afterthought”, Lindqvist explained.
He told Infosecurity that smart metering is one area where hackers who could take control of millions of meters could wreak havoc on the system. “If there are vulnerabilities that allow these attacks to be sustained over time, that could be costly and even extremely dangerous.”
Smart meters are attached to houses or buildings and continually communicate energy consumption data to the utility for monitoring and billing purposes.
While the collection of data by smart meters improves the efficiency of the electric grid, it also poses privacy and information security challenges. “For example, if someone knows that your energy consumption is extremely low for a couple of days, that probably means that nobody is home…and someone might want to break into your house”, Lindqvist said. “We need to be cautious about how data is collected and stored.”
In addition, control systems are vulnerable to cyber attack, as demonstrated by the recent emergence of the Stuxnet worm. The worm, which some security experts speculate was developed by Israel and the US, attacked the control systems at an Iranian nuclear power plant.
The malware exploited zero-day vulnerabilities in Microsoft software and valid security certificates to target Siemens supervisory control and data acquisition systems used by the plant.
“The Stuxnet attack was a real eye-opener for many, the first real cyber weapon that specifically targeted control systems. That was really a big deal. I’m afraid that there might be more to come, copycats, etc.”, Lindqvist noted.
Lindqvist said that many types of power plants use control systems, so they could be vulnerable to a Stuxnet-like attack. “Malware is really just limited by the imagination and resources of the attacker. Once you have software that can spread through vulnerabilities in systems, you can make it do whatever you want.”
Working with the Department of Energy (DoE), SRI has developed intrusion detection technologies to defend against cyber attacks targeting control systems in the energy sector. The Detection and Analysis of Threats to the Energy Sector (DATES) project was sponsored by DoE’s National Energy Technology Laboratory.
“What we did was to build special intrusion detection sensors that were customized for the kinds of network protocols that are being used in the electric power system. We were also able to use methods that have higher fidelity for detection”, he explained.
Lindqvist said that SRI is working to develop the advanced intrusion detection system for commercial power plant use. “If you don’t know what is going on in your network, there is no way you can take the right actions, make the right decisions, and stop the attack before something serious happens. This is one important tool in the toolbox for those who do security monitoring of these kinds of networks”, he concluded.