Eavesdropping on the Smart Grid

In this paper, an in-situ deployment of smart grid technology, from meters through to access points and wider grid connectivity, is examined. The aim of the research described was to determine what vulnerabilities were inherent in this deployment, and what other configuration issues may have led to further vulnerability in the system.

It was determined that there were numerous vulnerabilities embedded in both hardware and software and that configuration issues further compounded these vulnerabilities.

The cyber threat against critical infrastructure has been public knowledge for several years, and with increasing awareness, attention and resource being devoted to protecting critical infrastructure, it is concerning that a technology with the potential to create additional attack vectors is apparently insecure.

The research conducted for this project demonstrated conclusively that the technology as it currently stands has not been implemented according to network security best practices. This conclusion is based on the numerous vulnerabilities in hardware, software and configurations that were discovered through the process of examining the equipment using a verifiable methodology.

Whilst this technology potentially has many benefits from both sustainability and environmental perspectives, the numerous security vulnerabilities inherent in smart grid call into question whether the technology is currently mature enough to be deployed in production environments.

Future research in this area should be both technical and non-technical. Technical research should look at other implementations and products, although given the difficulties in undertaking this current project, the feasibility of such research is questionable. Non-technical research should attempt to determine why the technology is being developed and implemented with security as an add-on and not fundamental to the product itself.

Given the increasing global awareness of the cyber threats against critical infrastructure, it is concerning that a technology which potentially provides a large attack surface for every owner of a smart meter to exploit is being developed and sold in such an insecure fashion.

Whilst regulation in these areas has not been shown to be particularly effective in the past, that should not preclude action. If there is no significant improvement in the level of security offered by vendors of these products, the government may need to make policy decisions related to the roll-out of these systems to ensure that appropriate security standards are part of the implementation for smart grid systems.

To read this external content in full, download the paper from the author article archives at Edith Cowan University.

