Power companies ignore blackout risk in rush for grants

PG&E, based in San Francisco, has SmartMeter based on Smart Grid concepts. Ellen Creager/Detroit Free Press/MCT

WASHINGTON — Billions of dollars in government stimulus money are encouraging utility companies to ignore security risks that could plunge large metropolitan areas into darkness, security experts say.

In 2009, the Obama administration provided nearly $4 billion to upgrade and digitize the nation's electric grid and other utilities using Smart Grid technology. Since then, utility companies have been scrambling to roll out programs to install the new technology before federal funding dries up, often without regard for security, said Jonathan Pollet, the founder of the security consulting firm Red Tiger Securities.

"The utilities were in a mad grab for money, and almost every major utility was able to submit applications for almost free money," he said.

Smart Grid technology allows companies and consumers to monitor energy usage. Theoretically, this would enable consumers to reduce their energy bills and conserve at times when demand and prices for energy are high.

To do this, instead of one-way communication — utility companies sending power to consumers — Smart Meters at homes and businesses communicate back to the companies, reporting usage without the need for technicians to visit the sites. The technology also enables consumers to resell excess energy from their solar panels or wind turbines.

Utility companies already have begun to replace traditional analog electricity meters with digital Smart Meters in many areas, and security firms such as Red Tiger have been testing the new technology.

Pollet said his company found that the grid could be exploited at multiple points, starting at the meters on consumers' homes. He said that, if left unprotected, the two-way communication could act as a starting point for hackers, and if exploited it could cause significant blackouts such as the one in the Northeast in August 2003. The two-day outage affected as many as 50 million people and cost an estimated $6 billion.

"Electricity cannot be stored, so as soon as it's generated, it's transmitted," Pollet said. "That delicate balance between what is generated and consumed has to be kept in balance, so if you take a large amount offline, that would be a cascading event like what you saw in 2003."

Pollet said that utilities acknowledge the security problems, but in the interest of time and funding they continue to use insufficient hardware and software, arguing that the problems can be fixed later.

"There's huge room to improve, both from the vendors' standpoint to the utilities who are installing it," Pollet said.

One of the companies installing the meters, Pacific Gas & Electric, wouldn't comment on how it's securing its Smart Grid technology.

"Cybersecurity is a constantly changing field, and new threats could arise at any time," said Paul Moreno, a spokesman. "PG&E remains highly vigilant for any credible threats and the safety and security of our systems."

Luke Clemente, the general manager of Metering Sensing and Systems at General Electric, said there's an ongoing industry effort to secure the grid at all points.

"We're always looking for vulnerabilities and addressing those vulnerabilities," he said, "but you're never done with cybersecurity. It's a living process."

Regardless, said John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit, an independent, non-profit research institute that assesses the possible consequences of cyber attacks, Smart Meters remain significant points of entry for hackers.

"The hacker community this year is already showing how to hack meters by driving around the neighborhood," Bumgarner said.

Bumgarner said that the current vulnerabilities may not cause major problems for consumers now, but could cost billions to fix later after appliances such as washing machines are unveiled that could tap into the Smart Grid system and turn on or off based on the price of energy.

"The average consumer a decade from now will have an issue, because we're building all of this technology into our electrical grid," Bumgarner said.

