A press release from Ember announced the company had record revenues in 2010 and that they shipped 10 million Zigbee chips last year. From the press release:
Ember’s strong growth was fueled by smart meter deployments worldwide, where Ember’s ZigBee chips and software play a critical role in enabling consumers and utilities to communicate in real time and together manage energy more efficiently, especially during peak demand.
This mirrors what we are seeing in numerous smart grid projects, not just AMI. Zigbee is being widely used, and it is demonstrably insecure. Josh Wright deserves the credit for creating the KillerBee toolkit to show how plaintext Zigbee encryption keys can be captured as they are sent over the network. Yes, the keys are really sent in the clear! Charles Perine has blogged on this some, and I can tell you KillerBee is a compelling demonstration to Smart Grid project teams.
The other option to avoid the plaintext key design flaw is to pre-install a fixed key. This may work for a small pilot, but it is a disaster in a large deployment. This has been tried and failed in other markets, and it is especially worrisome for devices that cannot be physically secured.
So why are so many utilities deploying insecure systems in new projects? In many cases Zigbee is their only option in the equipment they are considering. Utilities should insure they understand and accept the risk that an attacker would be able to view all data sent over Zigbee communication and insert data into the Zigbee communication. I don’t believe that most utilities, or at least a large number of utilities, understand the risk they are accepting with Zigbee.
Does this mean Zigbee should never be used? Well . . . we would rather not use it, but there are instances where the value of the information and the criticality of the communication is low enough that a utility can accept that risk. However even if the risk of loss of money or impact on the electric system is low and acceptable, there still is a reputation risk factor of what the utility will suffer if some hacker or attacker compromises the Zigbee communication in an AMI project.