Slimme meters

Why smart meters might not be so clever after all

 

theguardian.com - Smart meters will be widespread in the UK by the end of the decade, but has the government thought through the security ramifications?

 

Those whom the gods wish to destroy, they first make credulous. In the case of technology, especially technology involving computers, that's pretty easy to do. Quite why people are so overawed by computers when they are blase about, say, truly miraculous technologies such as high-speed trains, is a mystery that we will have to leave for another day. The only thing we need to remember is that when important people, for example government ministers, are confronted with what a sceptical friend of mine calls "computery" then they check in their brains at the door of the meeting room. From then on, credulity is their default setting.

 

In which state, they are easy meat for technological visionaries, evangelists and purveyors of snake oil. This would be touching if it weren't serious. Exhibit A in this regard is the government's plan for "smart meters". By 2020, more than 26 million British homes will have their old-style electricity and gas meters replaced by shiny new digital smart meters to monitor their gas and electricity usage.

In principle, this is an attractive idea. It will enable much greater flexibility in the way we generate, distribute and consume energy. The meters will tell consumers about their energy use on a minute-by-minute basis. They will enable utilities to charge different rates at different times of the day (higher in times of peak demand, lower when demand is slack) and thereby enable customers to make more informed choices about when they switch on devices. Dishwashers may one day come with a red button (for "do it now") and a green button (for "do it when electricity is cheaper"). The current legions of peripatetic meter readers will be redundant. There will be no more "estimated" meter readings. And so on.

 

So far so good. But there is another side to the smart-meter story. Inside each device is a sim card that enables it to communicate with the utility companies that supply the gas and electricity. This is how the utilities will always be able to supply an accurate meter reading. But it will also enable them remotely to terminate your supply if, for example, you fail to pay your bills on time. Which means – and here's the interesting bit – Kim Jong-un, the Chinese army or any number of unsavoury characters in the Middle East or Russia could do the same.

 

"The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before," writes Professor Ross Anderson, one of the country's leading experts on cyber-security, in an oft-cited analysis. "From the viewpoint of a cyber attacker – whether a hostile government agency, a terrorist organisation or even a militant environmental group – the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended. Smart meters change the game."

 

They do indeed. But the government is interestingly coy on the matter. The Department of Energy & Climate Change's response to the public consultation on smart meters has – rightly – a lot on privacy and data protection. But when it comes to the really big security issue, it lapses into the standard vague, patronising assurances. "In order to ensure the ongoing security of smart-meter systems," it burbles, "the government is taking a 'secure by design' approach, in which security concerns are considered and addressed at every stage throughout the development lifecycle. To support this approach, the government has produced security requirements to mitigate, within an agreed tolerance, the anticipated risks that the end-to-end smart metering system will introduce. These requirements provide for key security controls in areas such as the encryption of sensitive data, checks on the validity of critical commands sent within the system, and the tamper resistance of metering equipment (among other areas)."

 

Don't you just love that "secure by design" approach? The government is asking us to believe that a project involving subcontractors from a range of companies going around the country installing networked computing devices in 26 million properties will result in a secure system. This is the same government, incidentally, which is so hot on security that it paid contractors millions of pounds for electronically tagging criminals who were either in prison or dead. All that remains now is for G4S to get some of the smart-meter installation work.