AMI Meter Security – Is it a screen door on a submarine?

Privacy is a primary issue for just about everyone. Schools, governments, businesses and even the average consumer are concerned about their privacy. So, to the utility industry, I pose this question, “When it comes to our data, are we putting what amounts to a screen door on a submarine?”

Let me explain: There is a major emphasis being placed on the security of the data being transmitted over the new Advanced Metering Infrastructure (AMI) networks. As a result, there has been a movement to encrypt this data, and federal and state governing bodies have begun to demand the data on these networks be secured. The assumption has been that the current security is up to snuff, but in actuality many of the electric meters used on the new AMI networks have what amounts to “a screen door on a submarine”. Much of the data on these networks is less secure than the data on my home networked PC!

Efforts are focused on encrypting the data coming over the networks to the utilities while ignoring the screen door that sits on the front of the meter – the optical port. With all the sophisticated password hacking tools available today, the password protection schemes on these security screen doors can be cracked by a novice hacker with extra time on his hands. Yes, even a novice can defeat them easily, gaining full access and total control of the meter metrology!

Hackers have bought ATM machines on eBay to learn how to defeat them, so why not electric meters?

To add insult to injury, most utilities use the same password on all the meters they deploy. Once access is gained to one meter, access is granted to any meter with an optical port used by that utility; and by the speed and expanse of the internet, hackers can pass this information on to anyone. Then the race begins to see who gets to the meter first, the utility or the hacker.
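One way to remove the fleet-wide shared password described above, shown as an added example that is not from the original article: derive each meter's optical-port password from a master key and the meter's serial number, and audit a meter inventory for password reuse. The serial format, role label, demo key and 20-byte password length are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

PASSWORD_LEN = 20  # assumed width of the meter's optical-port password field


def derive_meter_password(master_key: bytes, serial: str, role: str = "reader") -> bytes:
    """Derive a per-meter, per-role password from a master key kept off the meter."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 bytes")
    # Length-prefix each field so ("AB", "C") and ("A", "BC") cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (b"optical-port-v1", role.encode(), serial.encode()))
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:PASSWORD_LEN]


def shared_password_groups(inventory: dict) -> list:
    """Return groups of meter serials that share one password (largest first)."""
    groups = defaultdict(list)
    for serial, password in inventory.items():
        # Group on a digest so the audit output never contains a password.
        groups[hashlib.sha256(password).hexdigest()].append(serial)
    shared = [sorted(s) for s in groups.values() if len(s) > 1]
    return sorted(shared, key=len, reverse=True)


# Constructed sample data: four hypothetical meter serials and a fixed demo key.
SERIALS = ["MTR-0001", "MTR-0002", "MTR-0003", "MTR-0004"]
DEMO_KEY = bytes(range(32))  # demo only; a real key belongs in an HSM or vault

# Fleet as the article describes it: one password on every meter.
fleet_shared = {s: b"UTILITY-DEFAULT".ljust(PASSWORD_LEN, b" ") for s in SERIALS}
# Same fleet with per-meter derived passwords.
fleet_derived = {s: derive_meter_password(DEMO_KEY, s) for s in SERIALS}

if __name__ == "__main__":
    print("shared fleet :", shared_password_groups(fleet_shared))
    print("derived fleet:", shared_password_groups(fleet_derived))
```

With derived passwords, recovering the password of one meter exposes only that meter, and field tools can recompute any meter's password from its serial without storing a fleet-wide secret on the meter itself.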

The ANSI C12.18 standard allows for encryption to be utilized on optical ports, but to my knowledge, no one in the industry has taken advantage of this. And while new smart meters with disconnect switches are a step up from previous models, they still utilize the same standard password practices used on the old meters. Defeating the password protection on these new smart meters could create a whole new racket for the energy theft opportunist. Instead of paying the fees to the utility that cut you off, just hand over a few bills to the hacker down the street and you’re back in business.

As with all new advances in the industry, efforts to address this vulnerability will require dedicated creativity and ingenuity. It will touch every meter operating process the utilities are presently using and will change how business is conducted. This is something that must be done, as it is vital to the protection of the industry and the public. So let’s get it started. What can we do to rid ourselves of this security screen door and how do we replace it with a solid hatch that keeps the “water” out?