Industrial
Internet of Things
Operational Technology
Cyber Resilience

Nexus Podcast: Brian Foster on the Risks of a Hyperconnected Power Grid

Michael Mimoso / Feb 12, 2025

Subscribe and listen to the Nexus podcast on your favorite platform.

The inevitable connection of smart meters and millions of other industrial internet of things (IIoT) devices to the internet is going to bring, in equal parts, invaluable business capabilities and cybersecurity exposures on an unprecedented scale.

This is the message Brian Foster, senior advisor for grid security at Southern California Edison, delivered during the latest Nexus Podcast and this week at the S4 Conference in Tampa. Foster’s talk was a sometimes-grim, often eye-opening presentation on the catastrophic risks posed by an insecure, hyperconnected grid. His caveat was that while the attacks he described on stage were viable, they were also based on infrastructure that was not yet deployed. 

“There’s still time to prevent it,” Foster said of the threats. 

The concern is that an attacker able to compromise centralized command and control over thousands of devices in a metropolitan area could send malicious commands at scale and cause a catastrophic incident, including fires similar to the recent tragic fires in Los Angeles. 

Through personal research he conducted, Foster learned, for example, that fire departments could quickly be overwhelmed by simultaneous structure fires. Given that 20% of IoT devices in New York City contain exploitable vulnerabilities, if 5% of those devices received commands that caused, for example, smart ovens or space heaters to overheat and start fires, firefighters could be facing thousands of simultaneous structure fires.

“We knew it was bad; we didn’t realize it was that bad,” Foster said. “We based our math off publicly available research, but then we saw real-world examples, and we changed [our models]. It’s two-to-three engines per fire—and that’s if you have the staff to support them per fire—and that’s all you can do. And that’s assuming you have engines to pump the water, and if you start opening all the fire hydrants, you run out of water pressure real quick when you’re trying to fight fires across a large distributed area. That’s the scenario you’re looking at.”

So the real question is: why are we in a rush to connect smart meters and other smart devices? The answer from utilities is that the data produced by connected meters, once analyzed, would allow them to forecast energy consumption and respond within a matter of seconds. The prospect of new business efficiencies is too attractive.

Attackers, however, will someday soon have an ocean of devices to target: devices enrolled by utility customers and sitting on insecure home Wi-Fi networks with little in the way of security controls. Most of these devices, Foster warned, likely contain privilege escalation or remote code execution vulnerabilities that are unlikely to be patched for fear of breaking other features.

“Centralized control is at the heart of the attack,” Foster said. “Control systems will soon be able to communicate with enrolled IoT devices on the network. We’ll soon have advanced computer environments on hardware meters meant to last 20 years. We will have to maintain that for 20 years.”

Foster did present an alternative, one that argues we don’t need a Wi-Fi connection for every smart meter. Instead, he posits that the same level of control, meeting the same response needs, can be achieved through the cloud, using APIs from the manufacturers or using hubs and apps to issue commands, but not directly over Wi-Fi and not through infrastructure meant to last 20 years that can’t be maintained to modern standards.

“That’s what I’m advocating for today,” he said. “A cloud option is a good way. We’re not trying to backhaul through our SCADA network and meter network a bunch of commands to devices. They’re going out to cloud systems that we can have modern security on and keep modern security on forever. That gives us the ability to meet the need but without the risks associated with trying to backhaul it through vulnerable legacy networks and hardware agents.”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
