California Adopts First Standards for Cyber Security of Smart Meters

California regulators have adopted the nation’s first sweeping privacy rules for household smart meters that form the backbone of the growing “green” grid, vowing to protect consumers from cyber attacks that could steal energy usage data and other private information.

The California Public Utility Commission will require utilities to regularly conduct independent security audits of their millions of wireless meters and to restrict the access of third parties, such as energy-efficiency consultants, to customers’ personal details.

The nearly 200-page decision, announced last week, applies to the state’s biggest utilities — Pacific Gas & Electric, San Diego Gas & Electric and Southern California Edison — which together have deployed about eight million of the nation’s 21 million smart meters, with three million more devices planned for late 2012.

“The rules and policies we’ve adopted are the first such in the nation and should serve as a national model,” CPUC president Michael Peevey said in a statement.

He added that the standards are consistent with privacy and security principles adopted by California’s Senate Bill 1476, which former Gov. Arnold Schwarzenegger signed into law last September, and by the Department of Homeland Security.

The smart grid’s rollout across the United States is predicted to revolutionize energy generation and distribution by allowing more intermittent wind and solar power on the grid and by making operations more efficient. By 2020, nearly 60 million smart meters, which transmit real-time data on customers’ electricity use, are expected to be installed nationwide.

With its rules, the commission aims to protect citizens from the kinds of security and data breaches that have plagued credit card payment systems, online gaming platforms like the Sony Playstation Network and similar wireless systems. In recent attacks, hackers have exposed or stolen hundreds of thousands of customers’ names, credit card and debit card numbers, addresses and e-mail addresses.

Smart grid experts applauded the new standards but said that utilities’ compliance with them should be one piece of a much larger cyber security strategy.

Needed: ‘Culture of Security’

“What is more important here is to be creating a culture of security,” Usman Sindhu, a senior research analyst at IDC Energy Insights in Framingham, Mass., told SolveClimate News.

“So, if certain security-related issues come up, then I have a program, a technology, an architecture to solve the problem. I have a team to solve the problem,” he said. “Good security is about visibility and knowing your risks and your threats.”

Sindhu said that a rising number of utilities and smart meter vendors are designing strategies to test and improve existing equipment and maintain constant vigilance should new security challenges emerge.

A July report from IDC found that more than 75 percent of the utility respondents surveyed ranked security investments to be of the highest importance, while nearly 40 percent said security will be one of their top information technology initiatives this year. The report did not disclose the size of those investments.

San Francisco-based Cryptography Research Inc. (CRI) says it is working with an undisclosed number of utilities, smart meter vendors and manufacturers to develop tamper-resistant hardware and software tools that can anticipate and thwart potential financial fraud or hacking invasions.

“Utilities don’t have to reinvent the wheel by themselves,” Ben Jun, CRI’s vice president of technology, told SolveClimate News. “A lot of the work that has been done on financial payment systems is in many cases applicable to meters themselves, and in many cases the same [security] standards can apply.”

CRI, which was acquired by Sunnyvale, Calif.-based Rambus in June, is doing everything from protecting the smart meter’s physical parts to blocking software bugs and building upgradeable systems that can adopt new and improved technology as it comes out.

Matter of Time

Jun said the problem for the industry is that time is running out.

Although hackers and spammers have so far spared digital smart meters and electrical grids from their cyber intrusions, the massive national rollout of devices and grid upgrades planned for this decade will create greater financial lure and status for cyber thugs.

“In all systems of this type, the install base needs to reach a critical mass before attackers start looking at breaking these things,” Jun said.

In June, the Department of Energy announced that a $4.5 billion stimulus program to ramp up smart grid technology projects, matched by $5.5 billion from the private sector, has already led to the installation of 5 million of the nation’s meters. The DOE requires that eligible projects include security provisions to protect against hacking, but it doesn’t detail what those measures should look like.

“We are putting devices in homes where — if the right investments in security aren’t made now — it is going to be impossible to retrofit them,” Jun said. “For an industry that is so new and building infrastructure to last 50 years, one of our major challenges is helping people think ahead.”

New Hacking Front

The point, cyber defense experts try to drill home, is that if left unprotected smart grid technologies could open up a new front for hacker groups intent on not just stealing data but destabilizing the U.S. economy.

In the case of money fraud, consumers could tick their meters backward or bypass it entirely to lower the cost of electricity bills. Cyber intruders could detect when residents are at home or away, and data on home appliance usage could be shared unknowingly with marketers, Jun said.

In a worst-case scenario, cyber terrorists could deliberately cripple huge swathes of the country by hacking into transmission networks and remotely coordinating electricity overloads that would blow up transformers and power equipment.

Researchers have already revealed security vulnerabilities in existing smart grid infrastructure. In a 2010 study of three utilities’ smart meter networks, computer security experts at Washington, D.C.-based InGuardians Inc. found they could wirelessly hack the meters from a laptop and remotely turn off a customer’s power.

Jun said he has seen cases where researchers were able to change meters’ software without authorization, allowing the team to independently control the meter.

Sindhu of IDC Energy Insights is cautiously optimistic about utilities’ cyber defenses. He said that not all of the installed smart meters are at risk and that utilities could still manage vulnerabilities by reinforcing existing computer systems and possibly adding new cyber tools — though adding security measures after the fact would prove daunting and costly.

Currently, utilities and third-party technology providers aren’t required to fall in line with national security or technology standards for their smart meters.

Ongoing National Review

On the transmission side of the grid, the North American Electric Reliability Corporation (NERC) requires all bulk power system owners, operators and users to follow a series of cyber security rules for monitoring, assessing and managing the nation’s critical infrastructure. For now, smart meter security is guided only by an ongoing review process of the best available state or corporate security protocols.

“There are some utilities focusing on solving early security roadblocks, [but] every utility is doing it in their own way,” Sindhu said.

The National Institute of Standards and Technology (NIST) is leading the review process in collaboration with service providers, utilities, regulators, academics and federal agencies.

The institute has put out smart grid security and privacy guidelines, though it has yet to formally adopt any measures.

“Having such a large, varied group of experts participating ensures that we are getting a fair view of what is already out there and how to protect” smart grid technologies, said Marianne Swanson, a senior adviser at NIST and chair of the Cyber Security Working Group.

The 650-member working group is part of a larger Smart Grid Interoperability Panel, which also houses a testing and certification group and an architecture group. The cyber security team in September published a three-volume report on smart grid guidelines meant to alert public utilities commissions of issues that need resolved.

“It is fundamental that as we start to build this [grid] that we build it with security in it rather than try and bolt it on after the fact,” she said. “The more word we get out, the better. Otherwise, people will start building in a vacuum.”

Sindhu of IDC Energy Insights said that although mandatory meter standards could boost investments by utilities in cyber security, a mere “checkbox compliance” strategy would still not be sufficient for securing the nation’s smart grid infrastructure.

“It is not only about putting a technology out there,” he said. “It is also about the [security] process and the people at the same time.”