Government warned of smart meter security threat back in 2012

“Misleading”

DECC said that the FT article was “misleading” and that it had worked with GCHQ from the start.

“Smart meters will help hardworking families and businesses to take control of their energy use, bringing an end to estimated bills and helping bill-payers to become more energy-efficient. They’re part of this government’s commitment to make Britain’s energy infrastructure fit for the 21st century,” said a DECC spokesperson.

“Smart meters will operate on a secure system that only authorised parties, such as energy suppliers and network companies, can access. Working with experts across industry and across government, we have put in place robust security controls which are based on international standards and industry good practices.”

Single point of failure

The Cabinet Office report further raised the risk of denial of service attacks cutting out communications between consumers and energy providers. It said the centralised model that has since been implemented raised “enduring concerns” by introducing a single point of failure and an access point to the entire smart meter network.

“The DCC will have the ability to disable any meter remotely, a facility that creates a significant cyber security threat in the form of enabling an attacker – insider or outsider – to centrally disrupt or otherwise interfere with energy supplies,” said the report.

In an interview published in March 2016 in The Brewery Journal – a publication from PR firm Freud Communications – Ian Levy, technical director at CESG, said the organisation had “recently” examined the smart meter project to ensure its security.

“In the design of the system, we’ve assumed that vulnerabilities exist in each component, and designed the system so it’s tolerant to those weaknesses,” he said.

Long list of concerns

The Cabinet Office review of the smart meters project in 2012 highlighted a long list of concerns relating to the programme beyond the security threat, warning that it ran the risk of “replicating the problems of major government IT projects of the last 15+ years”.

One concern raised was: “[The programme] imposes a solution based on using single large suppliers with exclusive 10+ year contracts rather than being based on open standards, interoperability and an open marketplace.”

Another issue was: “The programme is following an old-style rather than agile procurement processes, and currently using a competitive dialogue restricted to a limited number of large suppliers able to meet the high procurement bar and long contractual period.”

Other suppliers subsequently involved include CGI, with an eight-year contract worth £75m to develop and operate the system controlling the movement of messages to and from smart meters. Arqiva and Telefonica have 15-year contracts worth £625m and £1.5bn respectively to establish regional wide area networks connecting the data application with gas and electricity meters.

The Cabinet Office made 31 separate recommendations suggesting significant changes to the smart meter programme in a wide range of areas – not just security – including a three-month “reset” period to reconsider the project. It is not clear which, if any, of those recommendations were implemented.

Halt, alter or scrap

The smart meter programme has come under increasing scrutiny in the past year as concerns grow about the likelihood of success. In March last year, the Institute of Directors called for the project to be “halted, altered or scrapped” immediately to avert an expensive IT failure.

In the same month, MPs on the Energy and Climate Change Committee said the plans were veering off-track. “Without a significant and immediate change to the present approach, the programme runs the risk of falling far short of expectations,” said committee chair Tim Yeo.