By Splunk January 14, 2011
Early last year Pacific Gas and Electric added Smart Meter attachments to the gas meters in my neighborhood. Oddly enough not to the electric meters — yet. Ever since, I’ve been curious about their ‘insides’ – how these devices that are sampling my usage once or twice a day (or for some once every 15 min) work. I can see the business value in not having to send the meter reader ’round for the monthly read and I’m sure that saves PG&E money. Most of these meters support remote service disconnect, again saving the company money. For those customers that have these devices added to their electric meters, it also should mean better accuracy that some of the “estimated usage” measurements the utilities used to do when the meter didn’t get read in a particular month.
But, what really happens to the data? If I used to collect data once a month and now I collect the same data once or twice a day, doesn’t that require a lot more storage? Even if its highly structured, the sheer volume of data has to increase. Also, if WiFi can be hacked into doesn’t is stand to reason that wireless Smart Meters can be as well?
PG&E’s Start Meter initiative has forced it to increase its data storage by 2.1 petabytes. In an August 2009 report on “Assessment of Demand Response and Advanced Metering,” FERC presented a partial scenario (80 million meters) and a full deployment scenario (140 million meters) by 2019. Assuming that we feel comfortable in the mid-range of the data descriptions used above, this would imply the need for the creation of infrastructures necessary to organize and manage roughly 100 PB of information within the next ten years.
After reading these startling statistics, I began to research the security aspects of the Smart Meters. Mike Davis and some researchers from IOActive have been able to demonstrate common attack methods on Smart Meters they were able to get through a combination of dumpster diving and eBay. They were able to perform buffer overflows, replace the firmware, and get root kits on the meters (for a great talk on this topic: http://www.brighttalk.com/channel/170). They were also able to simulate a virus that could spread across 22,000 meshed meters in a few hours. So what are the threats and motivations for tampering with the meters? The first thing that comes to mind is the ability to remotely monitor electricity usage as a way of ‘casing the neighborhood’ to see who is home and how is not. “Burglars, terrorists, and others with political agendas could use unauthorized access to command and control systems to disrupt the delivery of services, create blackouts, disrupt load balancing commands, or create fear and panic.”
How could Splunk help? Splunk can scale to collect and analyze trends and threshold based events in the massive amount of data generated by the utilities’ Smart Meters. The idea here would be to use Splunk’s correlation capabilities to correlate collected Smart Meter data with other utility data to reduce the risk from malicious insiders. For example, correlating service shutdown events with utility billing records could help weed out legitimate shutdowns from ones that aren’t authorized. Monitoring sudden drops in utility usage and correlating the data with utility truck GPS data might indicate where insider fraud is occurring. RFID tag data from the inventory of meters themselves should be carefully monitored and correlated with facility access data and work order records to ensure that extra meters aren’t being pulled from inventory, hacked, and put back into service. I leave it to you to put on your malicious-insider-thinking-cap to suggest other ways to correlate data to reduce risk in the Smart Grid.