The Double-Edged Blade of Security
TOM WILLIAMS, EDITOR-IN-CHIEF
Call me Cassandra, the Greek princess who could foretell the future but was cursed so that no one would believe her. It just appears that so many claims about digital security sound so reassuring, but then doubts creep in once again. Will it come to pass that the technology we have utterly come to rely upon will forever have the potential for its own misuse and undoing? There appears to be a cautionary tale in the arrival of the smart meters that are an essential element of the much touted but yet to be realized Smart Grid.
We’ve got smart meters installed here. Big deal. The power company still has to send guys around in trucks to read them. The difference is that they now use a handheld device that they point at the meters and download the data. I know, I know. This is a transition phase and I’ve got to have a little patience until the whole network infrastructure for the Smart Grid can be put in place and we can take advantage of demand response, automatic meter reading, time of day pricing and all that other great stuff. It’s coming and it takes time because it is complex and huge. I can’t exactly appreciate even how many millions of smart meters will need to be put in place all over the country and even around the world. And that is just one aspect of what will ultimately constitute the Smart Grid.
The trouble is that each of these devices constitutes an access point, many of which will be in obscure places and mostly unattended. Now along comes a very well-intentioned security consulting firm called SecureState that releases an open source smart meter hacking tool called Termineter. Termineter is an open-source application that is intended to “allow users to assess the security of their smart meters” by way of the optical interface. The idea is ostensibly that meter manufacturers can detect and correct internal flaws in order to make their products more secure. Am I missing something or is there a problem here?
I think there is and it is not with just this product, which may be a very useful thing. It isn’t even that a framework like this might “fall into the wrong hands,” which it certainly could since it can be downloaded via Google Code. If one company can produce a Termineter, any number of other enterprising programmers and hackers can certainly create similar code that will get them in through the infrared interface and potentially break into all three access levels in a meter: low-level, mid-level administrative and privileged super user. From there it may be possible, once all these meters are interconnected on the networked Smart Grid, to go anywhere and access anything all the way up to the reactor control room. And don’t tell me that’s too far-fetched. I’m not buying that.
Now I don’t assume that such deep penetration would be easy. It certainly would not be. But neither will it be impossible. And of course, there are already a goodly number of existing routes into such sensitive and dangerous places. Then there is also the other side to all this. Despite its present and potential dangers, we desperately need the build-out of the Smart Grid. Our present grid is already vulnerable, old and inefficient. And if we just look at the recent blackout in India that left over 600 million people without power, we know what continuing to neglect our own grid can lead to. And that most probably occurred without any malicious activity. Adding Smart Grid digital intelligence to the system can do a great deal to avoid such calamitous blackouts, but it can also open the door to other forms of trouble and attack.
And what are we actually to make of such a tool? If it works and lets you into the meter and potentially beyond, you know the meter has a security problem that can potentially be identified and addressed. But if you can’t get through, does that mean that your meter is secure or only that the tool does not adequately test the meter? And now we find that exactly the same tools and technologies developed to help assure security can also be used to compromise it. It really is a double-edged blade.
The best we can do is to keep trying and bring in that other character from Greek mythology, Sisyphus. We’ve got to keep pushing that rock up the mountain knowing that from time to time it will roll back down. Quite often it is enough to make breaking in sufficiently difficult or expensive to discourage all but the most determined or sophisticated hackers, and there is real value in that. But the idea that something can be utterly secure is an illusion. We’ve got to make sure that things are secure enough and not cut ourselves in the process.