For some utilities, the switch to digital smart meters has ended decades of rampant electricity theft. But for at least one utility in Puerto Rico, smart meter hacking may have cost the utility hundreds of millions of dollars, according to the Federal Bureau of Investigation, as reported on the blog Krebs on Security.
The security blog obtained a May 2010 cyber intelligence bulletin that said the incident is the first known report of criminals hacking into smart meters and that this is just the beginning of this type of activity. However, for most utilities, digital two-way meters will greatly reduce theft and reduce the pool of people that have the technological know-how to hack the meter.
However, as Greentech Media noted around the time the FBI was looking into this issue, hacking is always going to happen. Smart meters will help to cut down on traditional theft, but they also open the doors for more tech-savvy criminals.
In 2009, a utility in Puerto Rico asked the FBI to investigate power theft that was happening as smart meters were being deployed. The FBI found that it was likely former employees of the meter manufacturer and the utility that were altering the meter for anywhere from $300 to $1,000 for residential meters and $3,000 for commercial meters, according to the FBI alert reported on Krebs on Security. The total cost could be as high as $400 million for the utility.
The thieves were using either infrared lights to hack the meter so that it communicated with a computer that then changed its software setting or a magnet, which caused the meters to stop measuring usage.
If that sounds downright old-fashioned, it is. News reports throughout the decades are filled with examples of people tampering with analog meters, using methods ranging from adding sand to slow them down to attaching magnets to also slow the measurement of consumption.
“From what we’ve seen, tampering with meters has been a longstanding problem for utilities. What is unique in this case is that the attackers used the optical ports to tamper with the meter's internal software," said Jacob Kitchel, senior manager of security and compliance for Industrial Defender, a grid security company. "Moving forward, it will be harder to detect malicious modification of meter software when vendor-approved methods and mechanisms, such as optical ports, are being used.”
In the case of using magnets on smart meters in Puerto Rico, the average bill would go down by 50 percent to 75 percent, according to the FBI. That’s a big deal in Puerto Rico, where electricity was about 21 cents per kilowatt-hour in 2009, about double the average cost in the mainland U.S.
For many utility customers in the U.S., it’s simply not cost-effective to hack your meter. Even if you can buy parts off the internet to hack your meter, the payback might not be worth it.
In other regions of the world, however, theft is rampant. It has been rumored that the reason that Italian utility Enel S.p.A. installed some 30 million smart meters was not primarily to advance smart grid, but to rein in power theft. Enel saves about 500 million euros a year through automated features created by the meters, so the official motive is strong. Still, the existence of the rumor says something. Chronic power outages in Indian cities are often blamed on power theft. One of BC Hydro’s main economic reasons for putting in smart meters is to recover lost revenues from electricity theft associated with grow operations.
But utilities will have to keep one step ahead, something that has not been a priority when traditional meters just sat out in the field for decades. But many utilities are getting savvier about security across the digital grid.
At the recent Networked Grid conference in Durham, NC, Lee Krevat of San Diego Gas & Electric said that most of the utility's vendor contracts did not have robust enough security to meet its needs. As a result, utility staff made sure that it worked forward-looking security provisions into each and every contract to ensure that SDG&E's vendors embedded the necessary security. For utilities, being proactive about security requirements in contracts is an important first step in security.
“It’s taken a while for some vendors to realize they need to multiply their security capability by at least a factor of 10,” Erich Gunther, chairman and CTO of EnerNex, said at The Networked Grid, although he was not discussing the Puerto Rico incident.
But as federal agencies keep an eye on grid security, and not just meter hacking, utilities and the companies that serve them are getting savvier about protecting their systems.
“I think the security community and the utility industry are aware of some of the major threats and risks,” said Gunther. “The difficulty is coming up with a good way of valuing the threat.”
For at least one Puerto Rico utility, the cost of not doing enough is already pretty clear.