The advent of new systems used to monitor and direct on-demand services via “smart” infrastructure has created a new level of convenience and reliability for both the providers and consumers of utilities. But while we’re in the middle of slapping automation into everything we use, has anyone asked whether this is a good idea at present?
Looking at the Vulnerabilities
On the surface, it almost always looks like a great idea to introduce software into systems that deliver services like water, electricity and gas to households. This is why we do it. Currently, there’s a worldwide movement to accelerate the provision of smart electric meters, water treatment automation suites, and several other innovations that help ease the burden of moving these things down the supply chain.
It makes sense and there appears to be no downside, but the writing is already on the wall that systems like these can be far more fragile than they seem.
Nothing illustrates this point better than an intrusion that happened in Oldsmar, Florida, on the 9th of February, 2021. A hacker breached the water treatment facility servicing this town of 15,000 residents and attempted to command the software to raise the level of sodium hydroxide (lye) in the outgoing water main to over 100 times the safe amount.
The only thing that stopped this incident from becoming a catastrophe with mass casualties was that an operator was present at the moment the breach occurred.
The hacker was helped by the incompetence of the staff who used a TeamViewer password that was shared by everyone at the facility. This system in particular was straightforward, but what happens when we introduce greater levels of complexity that could present any number of vulnerabilities?
An analysis of smart electrical grids published on ScienceDirect by scientists from the UAE found several possible weaknesses in these infrastructures that an attacker could exploit. Among them is, as they call it, “implicit trust between traditional power devices.”
Most smart grids are designed with the presumption that no foreign device will try to communicate with their receivers. This level of trust theoretically would allow anyone who can mimic the device “language” to spoof data and report false results to the facility from a remote location.
Beyond this, a lot of the hardware and software used by these grid operators can be easily bought and reverse-engineered, as it resembles what is already available to consumers. Because these systems also use the Internet, it wouldn’t be extraordinarily difficult to find a way to perform a large-scale distributed denial of service attack either.
Addressing the Challenges
The vulnerabilities present in the way smart infrastructure is implemented today can be broken down into two words: “human” and “design.”
The human aspect comes in the form of both the operators and end users receiving the services. Both – but especially the former – need to be educated on how to keep their systems and accounts safe. For instance:
- Change your password to something stronger than your birthday or anything that is simple to guess.
- Repeat the above process every few weeks or months.
- Don’t stick any foreign data device into a system that’s mission-critical.
- Avoid connecting systems to the Internet when their data doesn’t need to be there.
These four simple rules could have prevented the February intrusion in Florida, and they also shield against the majority of attacks.
As for the “design” aspect of smart infrastructure, companies providing essential services, such as utilities, must take into account how rigorously the devices they use have been tested. The primary concern must always be insulation. Can you send data to this receiver from a smartphone pretending to be a meter? If so, dump it. It’s better to be old-school than have new shiny systems that are built out of thin, rigid glass.
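The “implicit trust” weakness and the smartphone-pretending-to-be-a-meter test both come down to whether the receiver authenticates the sender. The sketch below is an added example, not code from the cited analysis or from any vendor: a receiver that accepts a reading only if it carries a valid per-meter HMAC-SHA256 tag and a fresh counter. The meter ID, key, JSON message format and function names are all constructed assumptions.

```python
import hashlib
import hmac
import json

METER_KEYS = {"meter-0001": b"constructed-demo-key-0001"}  # constructed demo key


def sign_reading(meter_id, counter, kwh, key):
    """Meter side: serialize a reading and compute an HMAC-SHA256 tag over it."""
    body = json.dumps({"id": meter_id, "ctr": counter, "kwh": kwh},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Utility side: accept a reading only if it is authentic and fresh."""
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per meter

    def accept(self, body, tag):
        try:
            msg = json.loads(body)
            meter_id, counter = msg["id"], msg["ctr"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if not isinstance(meter_id, str) or not isinstance(counter, int):
            return "rejected: malformed"
        key = self.keys.get(meter_id)
        if key is None:
            return "rejected: unknown device"
        # Constant-time comparison; knowing the message format is not enough.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if counter <= self.last_counter.get(meter_id, -1):
            return "rejected: replay"  # a captured genuine message re-sent later
        self.last_counter[meter_id] = counter
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(METER_KEYS)
    genuine = sign_reading("meter-0001", 1, 12.5, METER_KEYS["meter-0001"])
    # Constructed impostor: correct format and meter ID, but no provisioned key.
    impostor = sign_reading("meter-0001", 2, 0.0, b"not-the-real-key")
    for label, (body, tag) in [("genuine", genuine), ("impostor", impostor),
                               ("replayed", genuine)]:
        print(label, "->", rx.accept(body, tag))
```

A receiver built this way rejects a device that only mimics the message format, which is the property the “dump it” test above is checking for.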
Do you have smart meters? What are your thoughts on potential intrusion by hackers on grid and water systems? Let’s discuss this below!