This week, Brian Krebs's blog post about an FBI report outlining electricity theft and fraud made many headlines. The FBI report indicates that a Puerto Rican utility (not explicitly named; PREPA), which generates, transmits and distributes electricity to 1,449,211 clients, has been a victim of electricity theft in past years. The report is a bit dated; the investigation was done in 2009. According to the details in the blog, multiple issues, such as insider miscreants, smart meter vulnerabilities, and physical meter tampering, led to the electricity fraud. While fraud has been a much-discussed issue in relation to smart meters, does this example really depict a lack of security controls, or is it just another episode of electricity theft in the developing countries?
Electricity theft is quite common in developing countries. These issues are prevalent in other countries where the electricity infrastructure is not as modern. For instance, in some South Asian and African countries and countries of the former Soviet Union, losses can reach 50%; this means that utilities lose half of their revenues. These theft losses also include directly tapping medium and low kV distribution feeders and circuits.
One of the promises of smart metering is accuracy in reporting energy consumption. In addition, an AMI network allows information to flow in a robust manner that may help avoid fraud. For instance, utilities collect enough data to apply analytics, see trends in electricity usage, and point out anomalies. Smart meters are also capable of sending alerts about tampering, and additional analytics can further reduce fraudulent transactions. Fraud detection is currently being used at some utilities to identify networks of customers who may be conspiring to defraud the utility. On the other hand, no utility has ever analyzed the transition from an electromechanical meter to a smart meter (a two-way communicator) to show what the likelihood of fraud is. It's possible that smart meters may solve some of the theft and fraud problems but add new ones as well, such as opening new doors for hackers who target undiscovered vulnerabilities. Creating new ways to hack meters is where the concern lies.
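The combination described above (usage-trend analytics plus meter tamper alerts), sketched as an added example that is not from the original post or from any utility's system. The meter IDs, readings, thresholds, and the `sustained_drop` and `triage` function names are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: 14 days of daily kWh per meter, plus the day
# index of any tamper alert the meter sent. Not taken from a real utility.
READINGS = {
    "meter-A": [21, 22, 20, 23, 21, 22, 21, 20, 22, 21, 23, 22, 21, 22],  # steady
    "meter-B": [30, 31, 29, 30, 32, 31, 30, 12, 11, 10, 12, 11, 10, 11],  # drop + alert
    "meter-C": [18, 19, 18, 17, 19, 18, 18, 9, 18, 19, 18, 17, 18, 19],   # one-day dip
    "meter-D": [25, 24, 26, 25, 24, 25, 26, 25, 24, 26, 25, 24, 25, 26],  # alert only
    "meter-E": [40, 41, 39, 40, 42, 40, 41, 15, 14, 16, 15, 14, 15, 16],  # drop only
}
TAMPER_ALERTS = {"meter-B": [7], "meter-D": [3]}

def sustained_drop(series, baseline_days=7, ratio=0.6, min_days=5):
    """Return the first day of a run of >= min_days consecutive days below
    ratio * (median of the baseline period), or None if there is no such run.
    The default thresholds are assumed values, not industry figures."""
    threshold = ratio * median(series[:baseline_days])
    run_start = None
    for day in range(baseline_days, len(series)):
        if series[day] < threshold:
            if run_start is None:
                run_start = day
            if day - run_start + 1 >= min_days:
                return run_start
        else:
            run_start = None  # a normal day ends the run (vacation dips, outages)
    return None

def triage(readings, alerts, window=2):
    """'investigate' when a tamper alert falls within `window` days of the
    start of a sustained drop, 'review' when only one signal is present,
    'ok' when neither is."""
    result = {}
    for meter, series in readings.items():
        drop = sustained_drop(series)
        alert_days = alerts.get(meter, [])
        if drop is not None and any(abs(d - drop) <= window for d in alert_days):
            result[meter] = "investigate"
        elif drop is not None or alert_days:
            result[meter] = "review"
        else:
            result[meter] = "ok"
    return result

if __name__ == "__main__":
    for meter, verdict in triage(READINGS, TAMPER_ALERTS).items():
        print(meter, verdict)
```

Because the baseline is the meter's own first week, a meter that was already tampered with before the window starts will look normal, which is why the tamper alert is kept as an independent signal.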
Fraud as a result of security vulnerabilities is a valid concern. But whether it's happening today as a result of installing smart meters requires a lot more investigation. In the United States, we haven't seen any instances. However, there have been a few cases in other countries. Just recently, two researchers in Berlin, Germany exposed security issues with a local smart metering company. Apparently, when the researchers signed up for the service, they were quickly able to point out loopholes leading to customer data: they could spoof the unencrypted packets going back to the provider's servers, see other customers' data, tamper with the smart meter results, and tweak the consumption data.
What does the industry need to do?
The above-mentioned examples are an eye-opener for utilities and solution makers alike. However, we can't classify every example as a cyber and information security issue. The Puerto Rican utility had issues with its meters on many fronts; however, the monetary loss can't be directly attributed to meter hacks. Both electromechanical meters and smart meters are vulnerable to magnets. Hence, classifying the incident as a security issue alone is a bit inconclusive. In the example of the German smart meter service provider, the issues were directly related to security loopholes.
Utilities have to carefully evaluate the risks smart meters pose to their future infrastructure and to customer privacy. Today, electricity fraud is not directly related to information technology usage. However, if utility professionals are not able to identify smart metering issues early in the process, they may lose a long-term value proposition, since hackers will take advantage of these vulnerabilities. Engage your vendor in a continued dialogue and test the technology before it's rolled out to the masses. If possible, utility security professionals should help identify the cost of a smart meter breach to their companies and customers.