Smashing the Smart Grid. Hackers target ZigBee.

It’s been a good week for scare stories about Smart Energy.  Whilst they’ve predictably generated some excellent headlines (and I can’t resist joining in), the facts behind them are very important.  We’re rushing into a global energy monitoring and delivery system with little understanding of whether or not it is secure.

What we can predict is that as soon as Smart Meters are deployed, the first impulse of every neighbourhood hacker will be to take control of their school or local government’s heating and air conditioning, just to prove they can.  At one level, that’s a local annoyance.  If it affects our utility bills it becomes more than an annoyance.  And if it were co-ordinated by someone with a more malicious intent, then turning everything on at a peak time would take the grid down.   So it’s important that we make sure it is as secure as possible.

That makes the two pieces of news this week a lot more important than just providing the excuse for a good headline.  The first announcement was that the Information Trust Institute at the University of Illinois has been granted $18.8 million for a five-year research project on securing the Smart Grid.  The second piece of good news is the release of a set of ZigBee hacking tools by Joshua Wright at ToorCon 11.  These will let developers discover what vulnerabilities exist within the ZigBee standard, which is vitally important if it wants to be selected for use in Smart Meters.  Josh describes his work as “will hack for SUSHI”.  As far as I know he’s not received any sushi for his efforts, let alone an $18.8 million grant.  If the Government is serious about the security of the energy supply, they should consider diverting some of that funding in his direction.

So why should we be worried…?

The Smart Grid and Smart Energy initiatives are massive undertakings.  Smart Energy alone involves installing at least two new utility meters into most homes – one for electricity and a second for gas.  Most countries are looking at a timescale of ten years to complete that process.  Even that is probably optimistic – it is a massive undertaking and cost.  However, if these meters are rushed out before the security implications (or other practical implications like wireless interference) are sorted out, this cost could be doubled as that deployment might need to be updated or at worst repeated.

The University of Illinois project addresses the grid, driven by the concern of cybercrime and malicious hacking.  That’s an important project, as damage to the grid, either deliberate or casual, has massive consequences, extending through the entire economy.  However, that shouldn’t overshadow the need for security in the home at the Smart Meter level.  Smart Meters still have the potential to cause pain at many different levels.

What are the risks if we get security wrong in Smart Meters?

  • The simplest one is annoyance and cost.  Smart meters don’t just send meter readings to the utilities; they also enable users or service providers to control the devices around our homes, turning them off when they’re not needed, or when energy costs are high.  A breach in security allows this to be manipulated.

At the basic level, this is just an annoyance, but it can pose real dangers.  Turning heating off for an elderly resident, or changing settings at a hospital, can kill.  Small manipulations that ignore messages from the utility about higher short-term energy costs can cause a bill to rocket.

Most importantly, anything that reduces customer confidence in smart meters and energy management will result in them reverting to their previous non-smart behaviour.  It is going to be an uphill struggle to persuade consumers to use smart energy techniques to reduce their energy consumption.  To achieve that, the system needs to be watertight.

  • There’s an even more important reason to make sure smart meters are secure.  Utilities are paranoid about security and with good reason.  It’s not just because they want to keep customer data secure – there’s another important reason.  Where there are two or more utility meters in a house, one of them, probably the electricity meter, will act as the common gateway, transmitting data to and from all of the other meters.  This means that other utilities will have to rely on the electricity supplier to carry their data.

The other utilities are paranoid that if the electricity company can gain access to their customers’ usage, then it will be able to offer a competitive package to the user.  Knowledge of household energy usage is gold-dust to a utility.  If there is any evidence that security is weak and might allow data to be read by a competing utility, the utilities will walk away.  For them to participate in sharing a single gateway, their individual data must be secure.
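The shared-gateway model described above can be made safe only if each utility’s data is protected end to end, so that the electricity meter relays opaque bytes it can neither read nor alter.  The following is an added illustration, not code from the post or from any ZigBee or meter vendor: a gas reading is sealed with keys shared only between the gas meter and the gas utility, relayed through the electricity gateway, and the gateway’s own keys cannot open it.  All keys and the reading are constructed values; HMAC-SHA256 in counter mode stands in for a standard AEAD cipher purely to keep the example dependency-free.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stdlib only;
    # a production meter would use a standard AEAD cipher instead).
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, frame: bytes):
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered, forged or wrong-key frame: reject it
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed keys: the gas meter shares these only with the gas utility.
GAS_KEYS = (b"gas-enc-key-constructed", b"gas-mac-key-constructed")
# The electricity meter (the gateway) holds its own keys, never the gas ones.
ELEC_KEYS = (b"elec-enc-key-constructed", b"elec-mac-key-constructed")

def relay_scenario() -> dict:
    reading = b"gas;seq=17;m3=1234.5"            # constructed meter reading
    frame = seal(*GAS_KEYS, reading)             # gas meter -> gateway
    # The gateway forwards the frame as opaque bytes; its own keys cannot open it.
    gateway_view = unseal(*ELEC_KEYS, frame)
    # Any change in transit (here one flipped ciphertext bit) fails the MAC check.
    tampered = frame[:NONCE_LEN] + bytes([frame[NONCE_LEN] ^ 0x01]) + frame[NONCE_LEN + 1:]
    return {
        "gateway_reads": gateway_view,                         # None
        "tamper_detected": unseal(*GAS_KEYS, tampered) is None,  # True
        "utility_reads": unseal(*GAS_KEYS, frame),             # the original reading
    }
```

The sequence number carried inside the sealed reading is what lets the gas utility also reject replayed frames; the gateway sees neither it nor the reading.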

None of the different standards bodies bidding for a part of the Smart Energy market are cavalier about security – they’ve all seen the consequences of getting it wrong and spend considerable time and effort adding it into their specifications.  History shows that this is only one step.  Security is never broken by the standards bodies themselves; it’s broken by others who look at it from a different perspective and try to crack it.  That’s people like Josh.  In general, to get interest from this community, products need to be shipping in appreciable volume, as it’s not that interesting to find holes in something that never gets to market.  The big wireless standards (GSM, Bluetooth and Wi-Fi) have all come under this scrutiny.  There are plenty of security attack tools available to test them, and they have responded to the flaws that have been exposed.  As a result they’re much better standards.

As ZigBee is positioning itself as a major player in the Smart Energy market, it’s desperately important for it to submit itself to the same investigation, which is why I welcome the announcement of tools for testing it.

Josh makes a very eloquent point in his presentation.  “To date, vendors haven’t taken ZigBee security seriously due to the lack of attack tool availability. It’s not going to get better until we have a practical attack surface.”

That excuse is now disappearing.  I hope that the ZigBee community makes use of these tools to test the rigour of its current security mechanisms before it moves to any large-scale deployments.