The government is planning to put a smart meter in every home in the UK by 2017 as a step towards a smart grid, but what are the security implications of such a move and how can the pitfalls be avoided?
Security must be embedded in the smart grid
Raj Samani, Cloud Security Alliance
Availability is often the poor cousin when compared with confidentiality; however, the impact of a major outage is often quantifiable and of staggering proportions. For example, the US north-east blackout of 2003 resulted in a $6 billion economic loss to the region. All this was caused by the loss of something that is often taken for granted: power.
Such reliance on power, and the overriding need for modernisation, has resulted in the US smart grid industry being valued at $21.4 billion in 2009 and estimated to exceed $40 billion by 2014. From a global perspective the industry is estimated to be valued at $171.4 billion by 2014. However, the 'success' of the Stuxnet worm has publicly questioned the security of the smart grid, but according to Ian Watts, head of energy and utilities at Detica, "there are already around 40 million smart meters in use worldwide and, even at this early stage, we have seen a number of security breaches These have included insecure meters, hacking of customer details, denial of service attacks and suspected infiltration by foreign intelligence services".
To address such concerns, it is of paramount importance to ensure the design of the smart grid addresses security early; this should include embedding security into devices and defining their secure operation before they are rolled out. Failure to do so will result in proof of concept research activities being realised operationally. For example, in 2009 a team of researchers identified a number of programming errors on smart meter platforms that ultimately allowed them to assume full system control of these exposed meters, including the ability to remotely power on/off, usage reporting, and so on. Although this affects only individual meters, other demonstrations have shown how one meter can be used to spread a worm between meters. This could result in a power grid surge or even shut down the entire grid.
Avoiding such pitfalls can only be achieved through public and private sector partnership, such as the NIST Cyber Security Coordination Task Group (CSCTG). The work of this group and the creation of Security Technical Experts Group, which looks at the end-to-end security of the smart meter rollout in the UK, are certainly steps in the right direction. The importance of such activities cannot be underestimated (as Stuxnet has demonstrated), and as stated by McAfee's CEO, Dave DeWalt, "Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats."
An opportunity for a secure digital society
John Colley, CISSP, Managing Director EMEA, (ISC)2
This question reminds me of the discussions of late over the state of the UK's broadband infrastructure. It continues to make headlines, yet few are clear on what we can expect to be delivered.
The smart grid is still quite conceptual, described as a modernised, larger electricity grid featuring the ability to manage fluctuations in supply, maintain security of the supply, and incorporate the micro-generation of electricity by individuals, businesses, smart appliances and even electric vehicles. What this means in real terms is as yet unknown.
The meters themselves are a very minor first step. Assessing the risks that may be introduced will be highly dependent on understanding what networks they will be connected to, what data will be communicated, and the systems they will communicate with. Even guessing at how smart the meters would be is highly speculative at this point.
Current smart meter technology is 10 years old and they were not developed to be integrated with other systems. Smart meters themselves could pose very little risk if all they are to do is replace the man who knocks on the door twice a year to take a reading. They could collect the innocuous data and be isolated from home computer networks. But this would be a costly solution for very minor benefit, while utility companies are encouraging homeowners to post their meter readings online - a much simpler solution.
The ambitions of the programme will have to be broader than this to justify the investment. If I am to express any concern at this stage, it is to acknowledge my fear that major lessons are still to be learned when it comes to security. While security is rarely the driving force behind any programme that seeks to network significant resources and a broad user base, it must be central to the systems design, not an afterthought.
This is an opportunity to demonstrate that our digital society can be a secure one. Let's hope it is not missed.
Understand the potential threats
Andrew Yeomans, founder member of Information Security Awareness Forum and Jericho Forum
There are two things government should do to avoid the security pitfalls of rolling out smart meters across the UK.
First, those responsible for security should understand and evaluate the motivation behind possible threats, for example, obtaining free electricity is likely to be a greater motivation than running a botnet on smart meters.
Second, there needs to be thorough testing of all aspects, from the smart grid design to the individual devices themselves. And the design must permit errors to be easily fixed.
Strike a balance between information and privacy
Mike Westmacott, MBCS CITP CISSP, Chair, BCS Young Professionals Information Security Group
With declining natural hydrocarbon fuel supplies and an increasing population with increasing energy demands, it is essential that we understand our current energy requirements to be able to prepare and adjust for the future.
As consumers, it is highly desirable to be able to choose an energy supplier that can provide the best value according to our usage needs. Both of these issues can be addressed with smart metering.
By providing the precise meter reading at any point in time across a grid of consumer's smart meters, it might become possible to route supplies intelligently to where and when they are needed. Suppliers could inform consumers of how much they are using and when, which could lead to flexible and novel payment plans.
Such are the benefits; however, the potential for deriving information beyond how much power is being used, and towards what activities are occurring, is quite significant. Readers are reminded of the grid-wide electrical power spikes that occur in the breaks between television soap opera segments. Different devices consume energy at different levels and times; with smart metering it would be entirely possible, over time, to construct a probabilistic breakdown of which devices were being used, and when, by different households. To know which households use vacuum cleaners more than others, or electrical tools, or play video games, would represent a highly valuable marketing resource.
The key to whether such a scenario might be realised is resolution: the more frequently the readings are taken, the more information can be gleaned, and the more information about the lifestyle of households is divulged. As such there is a balance that could be achieved that maintains the infrastructure benefits and protects the privacy of the individual.
The issues do not end with privacy, however, because there are operational security matters to consider, ranging from non-repudiation to meter hijacking. The Netherlands recently rejected smart metering for a whole host of reasons; the decision to implement such a system must be taken very carefully and with a high level of public input.
Standards must be adopted
Adrian Davis, principal research analyst, ISF
Smart meters will provide a great opportunity to manage demand and increase energy efficiency. We have identified four issues in this field, described below.
The first issue is meeting the confidentiality, integrity, availability and legal privacy requirements relating to the information collected by the meter and supplier. The dataset collected will contain personal information (names and addresses and payment details), consumption and usage patterns at an individual and aggregate level and demand and forecasting information. This information is valuable - to criminals, hackers and the organisation - and may prove to be a tempting target for misuse or attack by malware.
The second issue is the physical and information security of the meters themselves. The meters are envisaged to have a life of 20 years or more, so will need to be resistant to physical attack and have mechanisms to upgrade, patch and enhance the device and its software. Additionally, the devices will probably have to be managed remotely and on a massive scale.
The third issue is that of communication. The upward link (reporting consumption and meter status) and the downward link (for upgrade/maintenance) will need to be secured, probably by encryption. The meters are designed to connect directly by wireless or indirectly via the 'home network'. There will be a need to encrypt transmissions, upgrade infrastructure to handle the volume of traffic that may be generated and provide a backup should the communications link fail.
The fourth issue is wider than the meters themselves. The meters will connect to what is part of the UK Critical National Infrastructure (CNI), and weaknesses in the meters may create an entry point for attacks on the CNI.
To address these issues, the first step is to adopt a standard that will set a common baseline from which security can be developed and enhanced. The second step is to use the design to build in security tools, such as strong authentication, anti-tamper mechanisms and reporting and onboard malware protection and firewall software.
Universal threats still apply
Earl Perkins, research vice president, Gartner
Smart meter deployments throughout the globe are proceeding apace as part of the 'smart grid' evolution. By providing a means of control and intelligence-collecting in the home, you bring a number of advantages, both to the client and the utility. The client gets more accurate and flexible meters, while the utility benefits from better control and availability to that intelligence for use in forecasting, billing and other analytics.
However, when a device becomes smarter, it assumes an identity. Indeed, it earns one. The more features and capabilities it has, the more likely the need for control and intelligence. A networked smart device will have access security threats to its control means, and data protection threats for its intelligence. These threats have been universal and are not new; desktops, laptops and smartphones have also faced these threats. While there are differences in scale and feature, the concepts remain the same.
To perceive the nature of the threat, it is important to look at the results a smart meter delivers, as noted above. The 'vector' of a threat will attack a meter's control and availability by: disrupting a utility's way of doing business; obtaining intelligence about the meter's user and potentially the utility itself; and using retrieved intelligence for profit, mayhem, corporate espionage or wartime advantage. Gathering and using intelligence is also an age-old process that does not change just because we have different places to gather that intelligence or exert that control.
This only begins the conversation about securing the smart grid and the advanced metering infrastructure that is part of it. Talk is cheap, but much remains to be done.
Opening our homes to a new security threat?
Tim Holman, president for Information Systems Security Association (ISSA) and CTO at Blackfoot
The environmentalist within me supports such a move; we waste far too much power as individuals and smart meters are the way forward so that we can all start using energy more effectively.
Power companies have already started rolling out smart meters and you might think that the installation of domestic and business smart meters could not have that much of an effect on security.
However, whatever implications there may be are surely magnified by the sheer scale of operations: more than 50 million meters are scheduled to be replaced by the end of 2020, according to the Department of Energy and Climate Change.
This means a visit to every home and business premise in the UK over the next 10 years.
The technology itself does not appear to be an issue; the smart meters are most likely to be connected back to energy companies over GPRS or long-range radio, as opposed to any home broadband connection or dial-up, and will be configured for two-way communication, so they can both send data to power companies and also receive instructions.
This usage data may not appear overly sensitive. After all, it will be sending back only information regarding how much electricity and/or gas is being used, and at what rate. There will not be any personal data or credit card information tied to this, other than a meter number.
However, should this data fall into the wrong hands, criminals will have a complete profile of when people are likely to be in their homes or are away on holiday and ripe for burglary.
Likewise, a large-scale rollout of 50 million smart meters provides easy entry for criminals masquerading as installers to get into homes and businesses around the country.
So how can such abuse be avoided?
First, the usage data should be sufficiently protected. The GPRS network is an open, public network and anyone who wants to can connect to it. An SSL connection should be established at minimum, to offer similar levels of data encryption as those we expect from e-commerce websites.
But what can we do about good old fashioned social engineering? How are 62 million UK residents going to be taught what an installer looks like and what to be expect of them?
Therein lies the problem: although we will be shaving 5% off our energy costs and offsetting 39 million tonnes of carbon dioxide over 20 years, yet another door into our private lives and homes has been opened.
This time, I don't think there is a way to close it.
Secure by design
Sarb Sembhi, Chair of ISACA Security Advisory Group
One morning last year while watching the news, I honed in on a particularly interesting item about smart meters and what wonderful things they could do. My immediate thought was that the underlying technology these things were going to be using has to be ordinary common networking technology, because that is the only way that any manufacturer could bring something to the market cheaply. With that thought in mind, later that day I decided to find 30 minutes to do some research.
I should point out that several years ago I had researched into the vulnerabilities of network CCTV systems and then of access control systems, which is why I allocated only 30 minutes to the task. My intention was to determine if the manufacturers of smart meters made the same mistakes as those of network cctv and access control systems before them. I did not intend this to be a new area of research, believing that if the underlying technology was more or less the same, the underlying problems would also be more or less be the same.
Within a minute I had found out who the manufacturers were, then the section of the site dedicated to partners and third-party integrators. Within another few minutes I was downloading lots of documents providing me with the APIs on how I could control these meters remotely, and anything else I could do remotely.
It is important to understand that these things (smart meters), and others like them (network CCTV, access control devices), are all embedded devices and as such have very few or no buttons or functionality that you can control with your hand when the device is physically in front of you. This is because all the functionality is built into the hardware and software, to be controlled remotely once installed. This is what makes them so useful (being able to view energy readings remotely) and at the same time so powerful (being able to control them - switch them on and off).
Interestingly, it is now very hard to find any documents related to smart meters. The manufacturers appear to have realised the potential risks from some of the high-profile press coverage they have received resulting from researchers being able to get their hands on these products or their documentation.
Rather than itemise what it might be possible to do on the various meters on the market, if we assume only that it is possible control of the energy supply using one of these meters and that it is possible to switch off the power, then we can assume this is enough to cause targeted problems by criminals or terrorists. It may be possible to switch off the power to a single property before attacking it, or to switch off the power in a larger area to cause greater damage.
One of the problems is that manufacturers try to do things on the cheap, by using software components that were not developed with security in mind and in some cases are so old that the environment they were built for was non-hostile one. Further, manufacturers also believe that as security, they can leave it to be implemented at the network level, rather than building security into the product.
Then there is always the functionality bloat: to ensure their product will have a great uptake and work with anything, they add lots of 'ease of use' functionality, which sometimes ends being the weakest point (for example, one of MS Windows' greatest strengths was that it could connect to anything you threw at it, but it was also its biggest weakness - device drivers).
Added to this user functionality bloat is the integrator/developer functionality. This is often a producer's ability to gain wider acceptability for their product; look at Facebook and its API to enable developers to write games for end users, (It was this that I used to determine that smart meters were not yet ready for the wider market last year; the problem is that since it is not possible to do this now, I cannot determine if these things are any better since last year.)
Earlier this year, I was involved in the launch of a two-year long report by parliamentary group Eurim. The report focuses on "Secure by Design", as opposed to insecure by accident, or secure by accident, or secure as an afterthought. And it seems to me that what we have in smart meters is any of the above, except for "Secure by Design".
However, the good news is that although there are standards relating to some of the technology that goes into the meters, we also have some that are not. This means that unless they can be upgraded securely, their lifespan should be limited, (for example, look at the wireless networking standards - a, b, and n. Most people have been able to get the latest modem/routers by changing their ISP - is this what we expect from our energy suppliers?). Getting back to the good news, yes, some suppliers have not only thought about the secure remote update issue, but also about the agreed lifespan of their products. However, if a supplier has already committed to one route, no matter how good the new products or standards may be, they cannot work with the invested infrastructure of the supplier.
In conclusion then, since most manufacturers have focused on their area of expertise (i.e. non-security aspects), for the moment the best way to protect these systems is through network security technologies. This is easy if you are a large enterprise or a networking professional, but not for any one else in a typical home environment.