Last November, Felix Lindner came very close to shutting down the power supply of Ettlingen, a town of almost 40,000 people in the south of Germany.
“We could have switched off everything: power, water, gas,” Lindner, head of Berlin-based Recurity Labs, an IT security company, said.
Fortunately for residents, Lindner’s cyber attack on its energy utility, Stadtwerke Ettlingen, was simulated. But he revealed how easy it was to hack into the utility’s network through its IT grid, which gave him access to its control room.
“The experiment has shown that sensitive, critical infrastructure is not sufficiently protected,” said Eberhard Oehler, managing director of the utility, Stadtwerke Ettlingen.
Cyber attacks on infrastructure have become a major worry for utilities following the 2010 Stuxnet computer virus, which experts believe was used by Israel and the United States to make some of Iran’s nuclear centrifuges tear themselves apart.
The threat has been reinforced in recent months by the appearance of a computer virus known as the Havex Trojan, which hackers appear to have used to attack oil and gas firms.
Traditionally, energy utilities have kept infrastructure like power plants safe from cyber attack by keeping it separate from the open Internet.
But that is rapidly changing as a new generation of “smart” power meters hooks up customers to their utilities through the web, and new forms of solar and wind microgeneration supplement traditional centralized power stations.
“The risk is being underestimated outside of the industry,” Oehler said.
VULNERABLE
Smart meters give customers and utilities real-time data about when, where and how much energy households use, enabling energy providers to monitor and adjust energy flows.
Globally, the number of installed smart meters is expected nearly to quadruple by 2022 to 1.1 billion from 313 million in 2013, according to a report from Navigant Research.
Utilities say their customers should have little to fear, with electricity meters using the same sort of security measures that have made online banking widely accepted as safe.
“The transmission of client data to companies for billing purposes is subject to coding techniques and will at least reach the security level seen in online banking, if not surpass it,” said RWE, one of Germany’s biggest utilities, which has completed a smart meter pilot project.
But hacking attacks are believed to have already occurred. According to a 2010 FBI bulletin cited by Brian Krebs, a Washington-based security expert, a utility in Puerto Rico called in the feds, estimating it had lost $400 million in annual revenue after criminals hacked into smart meters to under-report electricity usage.
A U.S. Congressional Research Service report warned in 2012 that “smart meter data present privacy and security concerns that are likely to become more prevalent as government-backed initiatives expand deployment of the meters to millions of homes across the country.”
The European Union wants more than two thirds of Europe’s electricity users to use smart meters by 2020, an initiative it hopes will reduce energy use by three percent.
In Italy, the dominant utility Enel supplied all of its 30 million customers with the technology a decade ago. Scandinavia has broadly introduced smart metering in the last 10 years. Britain is spending 12 billion pounds ($20.4 billion) to install 53 million smart meters by 2020, while France is planning to install 35 million over the same period.
“The smart metering system has been developed to provide strong security controls that mitigate the risks of security compromise, via cyber-attack or otherwise,” said a spokesman for the British Department of Energy and Climate Change.
“Smart metering system security uses international standards and common industry good practices, e.g. encryption of sensitive data, protection from viruses and malware, access control, tamper alerts on meters, two-party authorisation of important messages to the meters and system monitoring,” he added.
But officials acknowledge that such connected systems will have new vulnerabilities.
“We can identify three risks: outright sabotage; external, illegal control; and criminals that want to earn money with it,” said Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (ENISA).
The University of Cambridge said in a report that smart meters raised “several serious security issues” such as fraud through manipulated meter readings, misuse of private customer data and a threat of power outages through a large cyber attack.
Data-hubs which collect information coming from smart meters and transmit it to the utilities, including via mobile connections, could be especially vulnerable.
One weak spot could be the encryption of data sent from meters to utilities, which could be cracked, said Eireann Leverett, of IT security firm IOActive: “The smart meters are made to last 20 years but it is totally unclear whether cryptology will last that long.”
For the foreseeable future, utilities will be working to keep their systems safe, while hackers keep looking for holes.
“There will never be 100-percent protection,” said Werner Thalmeier, security expert at Radware.
($1 = 0.5877 British Pounds) (Editing by Henning Gloystein and Peter Graff)