News10NBC Investigates: Smart meter security
ROCHESTER, N.Y. – Over the course of the next three years, every home that gets power from RG&E will be getting switched over to a smart meter.
But many customers continue to be concerned about how much information the meters collect and how it will be protected.
RG&E says the data collected by the meters stays with the utility. It won’t sell or provide any of it to outside agencies. Eventually, you’ll be able to use smart pricing options, meaning you can shift your usage to a time of day when the price of electricity is less expensive.
“This is proven technology that is used across the United States,” Nancy Zurell, senior manager of technical projects for RG&E, said. “There are over 111 million smart meters that are out there in the U.S. and we are some of the last utilities in the U.S. to implement this technology.”
Sumita Mishra is a professor in Rochester Institute of Technology’s Department of Computing Safety and one of the nation’s leading smart grid security and privacy researchers.
Jennifer Lewke, News10NBC: “Let me ask you this. As someone who studies this for a living, the smart grid technology, are you going to accept a smart grid at your home?”
Sumita Mishra, RIT professor: “So, great question, Jenn. So I wish I had the option, and at this point, I would say no. I need more information.”
“I do understand the benefits, but at the same time, I don’t want to compromise my security and my privacy.”Sumita Mishra, RIT professor
Smart meters gather your energy usage data once an hour and transmit it back to RG&E.
The information is encrypted, but Mishra and other security researchers with whom we spoke have concerns about the path that information has to travel from our home back to RG&E.
“These meters have the wireless capabilities and the reading has to reach the utility,” she said. “But they can not transmit at very high power because then we’ll have emission issues and other issues so they have to keep it low-powered transmissions.”
That means it’s likely the data has to likely bounce a few times before getting back to RG&E.
“We don’t have any information about whether this data is going to hop through our neighbor’s smart meter or directly go into a wireless collector node,” Mishra explained.
Why does that matter? Because it gives hackers more points of access and there’s at least one example of how that can be problematic. Back in 2021, a major storm knocked out power for days in the Dallas, Tex. area.
“The utility (in Texas) was not revealing for how long the houses were without power and they said, ‘Oh, it’s privacy concerns,” Mishra recalled.
So, an ethical hacker with a specialty antenna and some equipment on his car “drove around and he was able to get the information about which household was without power and for how long and that turned out to be because of weak routing protocols,” she said.
Jennifer Lewke, News10NBC: “And what’s the harm in weak routing protocols for the customer?”
Sumita Mishra, RIT professor: “They can be exploited to do other things.”
Jennifer Lewke, News10NBC: “If I know, as someone with bad intentions, that a house has no power, I may more apt to break in because I know their cameras aren’t working or their home security system might be down?”
Sumita Mishra, RIT professor: “Absolutely. So, I’d like RG&E to be more transparent about what kind of encryption is being used, what kind of wireless is being used? If they can assure us that they are using the security and privacy preserving measures that will ensure that if there is a compromise, because we live in a world where we have to assume that it will get compromised, so if there is a compromise, it should not lead to breaches for my household.”
RG&E’s data security team stopped short of providing specific name brands and networking information to News10NBC, but reiterated it is following the most recent guidelines and standards set by the New York State Public Service Commission, which is the regulating agency that approved the smart meter switchover.
“Again, there’s multiple layers of information and it’s protected and there’s everything from two-factor authentication, multiple layers of security in the systems, different products that we use in order to secure it. So, we take this very seriously,” Zurell said.
RG&E and NYSEG customers who do not want to be switched over to a smart meter can opt out but there is a $12 fee per month to do so.
To learn more, click here.