Mar 30 - Heath Urie, Daily Camera, Boulder, Colo.


Determined hackers with as little as $500 worth of equipment and some computer know-how could cripple the smart-grid technology being piloted in Boulder and rolled out nationwide, security experts say.

Seattle-based IOActive, a computer security-assessment firm, says a yearlong independent test of smart-grid technology and infrastructure plans found that the systems are vulnerable to the same types of attacks as most any computer system.

But unlike the common PC, the power industry hasn't spent decades combating cyber crime, experts say.

"The people who are rolling out this technology haven't crossed that bridge before," said Josh Pennell, founder of IOActive. "People are talking about what is theoretically possible."

Pennell's company went to work testing those theories about smart grid vulnerabilities, and determined the threat from hackers is very real.

Attacks on the computer networks running the power distribution systems could expose utility companies to "fraud, extortion attempts, lawsuits or widespread system interruption," according to the study.

Other experts have suggested that, in a worst-case scenario, intrusions into the smart grid could lead to massive power failures across huge swaths of the country -- among other unknown consequences.

Pennell testified earlier this month before a U.S. Department of Homeland Security committee in Washington, in which he urged federal authorities to take a closer look at security within the smart-grid plans now -- before the system becomes too large to go back and fix.

"The time to do this and do it right is now," Pennell said. "Nobody wants to go back and remediate a few billion of these devices later."

Pennell said utility companies should begin by adopting standard security measures for the entire national system that's planned.

"If the industry so chooses to adopt standards ... we can start baking the security into the product before we have the technology deployed from the East to West coasts," he said.

In Boulder, slated to become the nation's first smart-grid city, equipment is already being handed out.

Xcel Energy, which is spearheading the effort, has installed about 15,000 "smart meters" -- which allow for detailed energy monitoring and two-way communication with power stations -- in Boulder homes, and is piloting other new technology in the city.

Tom Henley, an Xcel Energy spokesman, said company rules prevent him from discussing security issues.

He declined to answer questions about whether measures are being taken to protect the technology being used within the Boulder system, or whether it's vulnerable, saying only that "maintaining the reliability and security of the computers, control systems and other cyber assets ... is a top priority within the company."

Kara Mertz, assistant to the Boulder city manager and the liaison to the smart-grid project, said the city has not had any discussions with Xcel about security -- because it hasn't come up.

"Certainly we will look into it," Mertz said. "It wouldn't be acceptable to us if our residents' and business' energy is somehow compromised."

According to current estimates, there are more than 2 million so-called "smart meters" already being used across the United States.

About 73 utility companies have ordered a total of 17 million more of the devices -- thanks in part to a promised $11 billion investment in the technology as part of President Barack Obama's economic recovery plan.

Moira Mack, a White House spokeswoman, said there are several federal agencies looking into the issue of smart-grid security. The Department of Energy, for example, is required to submit to Congress by the end of the year a study on the system's security that was chartered in 2007.

"This work will help accelerate the development of cyber security requirements for other smart grid technologies," she said.

The Trustworthy Cyber Infrastructure for the Power Grid, a consortium of university researchers backed by the Department of Homeland Security and the National Science Foundation, is already developing improvements for devices installed in homes.

The group's goals include making at-home equipment, such as smart meters, able to detect attacks and resist unauthorized access. According to the consortium, the current systems are "at serious risk from both malicious cyber attacks and accidental failures."

"These risks may come from cyber hackers who gain access to control networks or create denial-of-service attacks on the networks themselves, or from accidental causes, such as natural disasters or operator errors," according to the group's Web site.

To subscribe or visit go to:  www.dailycamera.com