Power grid is found susceptible to cyberattack
IOActive researchers discovered a number of Smart Grid vulnerabilities
IDG News Service - An emerging network of intelligent power switches, called the Smart Grid, could be taken down by a cyberattack, according to researchers at IOActive Inc., a Seattle-based security consultancy.
IOActive researchers have spent the past year testing Smart Grid devices for security vulnerabilities and have discovered a number of flaws that could allow hackers to access the network and cut power, according to Joshua Pennell, IOActive's CEO. Smart Grid devices are small computers that are connected to the power grid, giving customers and power companies better control over the electricity they use. There are about 2 million of these devices currently deployed, but many more are expected to be added in coming years.
IOActive and independent security researcher Travis Goodspeed concluded that these Smart Grid devices could be used to spread malicious code.
In the hands of a malicious hacker, this code could be used to cut power to Smart Grid devices that use a feature called "remote disconnect," which allows power companies to cut a customer's power via the network.
IOActive briefed the U.S. Department of Homeland Security on its findings Monday and is advising the utilities industry to better test the systems before deploying them in the real world.
News of IOActive's research was first reported by CNN, ensuring that the security of the Smart Grid will get a lot of public attention as the U.S. moves forward with plans to add another 17 million of these devices over the next few years.
The robustness of U.S. power networks has been a hot-button issue after a technical glitch in 2003 caused a cascading power failure in the eastern United States and Canada that affected 55 million people.
Hackers have eyed power systems before. Last year, the CIA confirmed that criminals had hacked into computer systems via the Internet and cut power to several cities in countries outside of the U.S.
The IOActive research will probably never be released publicly: Many of these devices are already deployed and it would be too dangerous to make the bugs known. Pennell said that his team's work was not focused on one particular device maker and that IOActive researchers were able to confirm a number of the theoretical vulnerabilities identified by Goodspeed, who has researched vulnerabilities in the Texas Instruments MSP430 chip used by some Smart Grid devices.
In 2007, Goodspeed demonstrated that it was is possible to write a worm that would spread among MSP430 chips, according to Goodspeed
The Advanced Metering Infrastructure (AMI) systems in the Smart Grid use a variety of low-power processors along with custom-designed firmware and operating systems and can be equipped with a variety of wireless protocols, giving attackers multiple ways to break into the systems, Pennell said.
Makers of AMI smart meters would benefit from having outside security experts test their products for flaws, Pennell said. "The design and implementation of these systems has not been scrutinized by a third party," he said.
Today it is common practice for companies like Microsoft to bring in outside hackers to stress-test their products before they ship.
Even if the industry doesn't invite them, third parties are likely to take a look at these Smart Grid devices, Pennell said. Often they can be picked up for a few hundred dollars on eBay, giving hackers an inexpensive way of testing their attacks.
Should one of these security bugs be made public, it wouldn't just be dangerous, it would also be expensive, because utility companies would have to pay a lot of money to retrofit buggy systems, Pennell said.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts