Are Smart Meters A Dumb Idea?

The government’s ID Card scheme failed because it wasn’t thought through, says Andrew Donoghue. Smart meters could go the same way, if security is not worked out

At one time, rolling out an ID Card to everyone in the UK seemed like a reasonably achievable aim. Aside from the concerns of the kind of privacy advocates who view Nectar cards as a 1984-esque instrument of oppression, adding another piece of plastic to people’s wallets wasn’t that controversial when the project was first mooted in the mid-90s.

But a succession of government IT gaffes prompted some hard questions about the infrastructure supporting the ID card project, and people started to ask how fit the government was to manage it. Initial media focus had been on the cards themselves, but attention shifted to the systems and databases behind the scenes, where the real costs and problems lay. Pressure on the project mounted, and spiraling cost estimates saw the Labour government scale back its plans and make the cards voluntary, while the Conservatives have committed to scrap the plan altogether.

Massive Overhaul By 2020

But while ID Cards may have been killed by controversy and cuts, another multi-billion pound government tech project is planning to roll out a plastic device to 26 million homes and businesses.

The UK government has committed to deploy so-called smart meters across the country by 2020 and claims the devices could help cut carbon emissions and develop a whole raft of green jobs. While this might sound like a doable task given the eight years available, as with ID cards, the real work is the background infrastructure to support the devices. Smart meters are only the “end-points” of wider networks, imaginatively titled smart grids. Most of the potential of smart meters depends on the wider infrastructure they plug into, which will require a massive overhaul of the existing grid system.

Companies such as Google are already getting very excited about the potential of smart meters and are preparing web apps that will mesh with the devices and provide handy online tools for measuring consumption. But smart meters will not only plug into the utility grid, they will also potentially use wireless technologies such as Zigbee to talk to home appliances to find out how much juice they are consuming.

While this joined-up vision might have the tech-heads at Google and other tech companies including Cisco and IBM all aquiver, the reality is that the project ultimately rests in the hands of a far less blue-sky bunch – the utilities. Joshua Pennell, president and founder of security company IOActive, neatly summed up the problem when we spoke at last week’s Infosecurity 2010 conference. “A lot of guys say ‘Welcome to the energy sector: set your clock back 15 years’,” he quipped.

As Pennell rightly points out, utilities are a very careful bunch and pretty slow-moving as a result. They can’t risk rolling out untried hardware or software in the same way other businesses might. If the power grid goes down it’s not just embarrassing, it’s a national disaster.

It’s not surprising then that the utilities are taking a considered approach to smart grids – as well as pushing the government hard for funding. That said, they recognise the benefits of overhauling their infrastructure, which include being able to read meters remotely and not having to hire all those expensive men in vans. Also extremely attractive is “remote termination”, whereby utilities won’t have to send someone out to cut off customers who don’t pay on time but can do it centrally.

Remote Termination

But aspects such as remote termination also come with inherent security risks. IOActive highlighted the problem last year when it developed a theoretical worm capable of replicating itself across the smart meter network using the wireless connectivity which allows the devices to communicate with one another. Not surprisingly, the company found itself advising the US Department of Homeland Security on how to defend against such attacks and has even been talking to the UK government about its plans.

And while on the one hand utilities may be conservative, they are also relatively inexperienced when it comes to dealing with disruptive technology. A further problem is the budget constraints which utilities are putting on the smart grid process, including the cost of the meters themselves. Each device has to cost less than $100 in the US, which may limit how much testing they can be subjected to. UK utilities have already been criticised for their attitude to usability.

For its part, the UK government has been insistent that it is taking the issue of security seriously with smart meters, and getting IOActive on board is a good sign. However, the real problem with smart meters, which experts such as Pennell concede, is the difficulty of knowing, before the system is up and running, just how open the devices will be to hacking by criminals.

Even the technology companies who are pushing hard for the roll-out of smart technology concede that adding sophistication brings security concerns: “As soon as a system is digitalised, there is always the question of security…it is one of the most important aspects and before you start to roll out smart grid technology, you definitely have to have a security concept in place,” Christian Feisst, director, Smart Grids, Cisco Internet Business Solutions Group told me last year.

Overloading Power Plants

A smarter grid might allow hackers to use remote termination to cut off specific people. More worryingly, an attack could also involve overloading the network itself to the extent that it disrupts an actual power plant. There are also plans to potentially deliver broadband to remote locations via smart grids, which opens up the possibility of a simultaneous attack on communications and power networks.

This problem is critical in the US, where Pennell says smart meters are being deployed at the rate of 15,000 a day in California. Several billion dollars of federal funding has been made available to help the utilities smarten up the grid, but the clock is ticking. The power companies only have a few years to use up the money before it is withdrawn, which makes the strategy of “roll out the tech and worry about the security later” a very attractive plan.

The UK obviously has a bit more time to play with but is still working under a wider EU plan to beef up Europe’s power networks by 2020. We can only hope that whichever party, or parties, find themselves in power don’t repeat the mistakes of the ID Card debacle, and make sure the hard questions get asked and addressed before the mistakes get made.

Anything else just wouldn’t be smart.