Black Hat: Water Smart Meters Vulnerable To Attack
Of all critical infrastructure, the public water system might seem the least vulnerable to a cyber attack. But that might be changing, with the increasing adoption of advanced metering infrastructure (AMI) that controls the water supply remotely, according to John McNabb, water expert and security researcher.
In a speech at Black Hat USA in Las Vegas, McNabb said that because wireless water meters are data-collecting embedded devices, they are vulnerable to attacks that could cause service disruption, or even enable attackers to execute malware.
"There are a lot of inter-dependencies. In many parts of the country, water departments don’t have emergency generators. There's more attention to security for water systems," he said.
Essentially, the Achilles heel of the smart meters is that they’re equipped with a small computer -- or microcontroller -- which enables a direct electronic reading of the water consumption, said McNabb.
“Electromagnetic forces detect the flow of water. You put the meter in, and it registers a total volume of water going through,” he said. “This is what records the data. It turns the water meter into a data collection device.”
Transmission methods vary and include phone lines or cable power lines. However, the most common transmission method is via radio signals that operate at about 900 megahertz. If hackers could develop a way to "sniff" a system running at a 900 megahertz frequency, McNabb said, they would be able to take control of the system.
As such, water smart meters, like any other critical infrastructure controlled over a wireless sensor network (WSN), are fraught with many of the same vulnerabilities facing electrical smart meters and other Web-facing systems, including cyber attacks and disruption, McNabb said.
For one, AMI-controlled water systems are automated but unattended, leaving them susceptible to insider attacks, McNabb said. In addition, most WSNs don’t come equipped with basic security measures, such as encryption.
Once hackers gained access to the WSN, they could use their privileges to reduce their water bill, increase someone else's water bill, steal water or evade water restrictions by consuming more than the amount regulated by the city or state, said McNabb.
Thus far, the wireless water meters don’t pose a significant threat, as smart meters are only present on about 7 percent of water utility systems, McNabb said. But that number is growing, driven by the necessity to reduce costs, provide increased meter reading accuracy and more frequent billing.
In the U.S., advanced metering infrastructure, or AMI, is expected to grow from $2.54 billion in 2010 to $5.82 billion in 2015, representing an 18 percent compound annual growth rate. Meanwhile, the smart meter install base is expected to be around 31.8 million by 2016.
However, the increasing adoption of water smart meters could pave the way for more serious attack scenarios. In addition to enabling attackers to conduct surveillance of an individual's activities, water smart meters could potentially be a path to route malware into water SCADA systems, said McNabb.
The meters could also serve as an entry point to access a comprehensive network that incorporates all critical infrastructure -- water, electricity and gas -- “where everything is controlled by the utility,” McNabb said.
Water controlled by smart meters also could open doors for potential terrorist attacks, in which water supplies are shut down or poisoned, McNabb said.
The mesh system smart grid is also “very wormable,” McNabb said, referencing IOActive, which successfully ran a worm in a simulated city of 25,000 smart electric meters. "A water smart grid could be just as vulnerable," he said.