There's a lot of talk about grid security and data privacy in the energy industry, but very little about the consequences of what happens if smart meters go wrong. By going wrong, I don't just mean people attempting to hack their meters to reduce their bills. That will probably happen. I'm more interested in the nightmare scenario in which several million electricity meters suddenly disconnect.
Whenever I’ve asked a utility about what they’d do if a million meters disconnected, the only response I’ve had is a puzzled look and the reply that “that can’t happen”. It probably won’t, but it could. If it does, the economic effect on the country would be disastrous. It’s probably the most effective terrorist attack available. And the worrying thing is that with the current design of UK smart meters, it could happen.
I wonder whether the right risk analyses have been done about the consequences of such an attack, versus the benefits to utilities of specifying meters which make it possible?
What makes this possible is the fact that every smart meter being deployed in the UK includes a relay which can disconnect the household from the electricity supply. This is controlled by the utility and makes life easier for them by allowing them to manage connections and disconnections from a computer terminal rather than having to send an engineer out to gain access to the house. It's part of the savings that they claim justify the deployment of smart meters. It also makes it easier for them to switch customers to prepay if they are in arrears. Again, they don't need to send out an installer to change the meter – they do it from their computer keyboard.
In theory only the utility has access to the relay in your meter, and they claim to have a secure system. But that's not strictly true. The relay is ultimately driven by the meter's firmware, so a rogue programmer working for the meter manufacturer could insert some additional code which would disconnect the meter on a specified day in the future. The probability of that is low, but nothing in the current development process makes it as low as it should be.
If this happens, the consequences are catastrophic. Electricity is an awkward commodity because it cannot be stored at grid scale. That means utilities need to balance the amount of electricity being generated against the amount being consumed, second by second. They do this by predicting demand and bringing different combinations of generation online to match it. They're very good at it. But when there is a large mismatch it can bring down the grid. If demand suddenly falls, generation cannot back off quickly enough: frequency and voltage rise, and if the excursion is large enough, protection equipment trips generators and substations offline. Once that starts, the problem typically cascades onto other segments of the grid, shutting down large areas – in some cases whole countries. Today's grids are meant to be fairly resilient, but that's on paper. There are plenty of examples of major blackouts which have left millions without power for days, and in some cases weeks.
Bringing power back after one of these events is difficult. If enough power stations have shut down the grid needs to perform what’s called a black start. Utilities try to bring up small areas which match the capacity of each power station before coupling these together across the full grid. The problem is the same one of balancing generation and demand. What makes it complicated is that the utility has no idea what demand is as it restarts, as it doesn’t know what has been turned off, or is still turned on. As a result, getting power back from this situation can take several days.
So what opportunity does that provide for a rogue programmer? All they need to do is to insert a few lines of code into the firmware for a smart meter which will disconnect the meter at some specific time in the future. For best effect, they’d set that to be during a peak time, probably in the winter. The code needs to disconnect the power at that point and also disable the remote connection back to the utility, so that they can’t communicate with the meter to try and restart it. A competent programmer should be able to write that in about ten minutes. As the same code goes into all millions of meters from each supplier, millions would turn off together.
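The payload described above is short enough to show, and so is the design change that defuses it. The following is an added example written for this page in Python, not code from any meter manufacturer or from the original post; meter IDs, keys, the trigger timestamp and the command format are all illustrative assumptions. The first meter model wires the relay directly to application firmware, so a time-triggered branch can open it and kill communications. The second puts the relay behind a separate controller (think of it as a secure element holding the utility's key) that only acts on a command carrying a valid MAC, issued within a short window, and never seen before. The same hidden branch in the application firmware then has nothing it can call to open the relay.

```python
"""Added example: a time-triggered relay 'logic bomb' in meter firmware,
beside a design that gates the relay behind a separate component which only
honours signed, fresh, non-replayed commands. All identifiers are assumptions."""
import hashlib
import hmac
import struct

UTILITY_KEY = b"demo-key-not-real"   # assumption: per-meter key held by the head end and the gate
TRIGGER = 1_700_000_000              # assumption: a winter evening peak, as a Unix timestamp


class Relay:
    """Models the supply relay; closed == True means the household is connected."""
    def __init__(self):
        self.closed = True


class NaiveMeterFirmware:
    """Relay driven directly by application firmware: whoever writes the
    firmware decides when the relay opens."""
    def __init__(self, relay):
        self.relay = relay
        self.comms_enabled = True

    def tick(self, now):
        # Hidden payload of the kind the post describes: at the trigger time,
        # open the relay and cut the link back to the utility so the meter
        # cannot be reconnected remotely.
        if now >= TRIGGER:
            self.relay.closed = False
            self.comms_enabled = False


class GatedRelayController:
    """Hardened variant: only this component drives the relay, and it accepts a
    command solely when the MAC verifies under the utility key, the command is
    inside its validity window, and its nonce has not been used before."""
    WINDOW = 300  # seconds a command stays valid (assumption)

    def __init__(self, relay, key):
        self.relay = relay
        self.key = key
        self.seen = set()

    @staticmethod
    def encode(meter_id, action, issued_at, nonce):
        # Fixed-width encoding so the MAC covers every field unambiguously.
        return struct.pack(">16sBIQ", meter_id.encode().ljust(16, b"\0"),
                           action, issued_at, nonce)

    def apply(self, meter_id, action, issued_at, nonce, mac, now):
        msg = self.encode(meter_id, action, issued_at, nonce)
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad mac"
        if not (issued_at <= now <= issued_at + self.WINDOW):
            return "rejected: stale or future-dated"
        if nonce in self.seen:
            return "rejected: replay"
        self.seen.add(nonce)
        self.relay.closed = (action == 0)   # 0 = connect, 1 = disconnect
        return "applied"


def sign(key, meter_id, action, issued_at, nonce):
    """Head-end side: produce the MAC the gated controller checks."""
    msg = GatedRelayController.encode(meter_id, action, issued_at, nonce)
    return hmac.new(key, msg, hashlib.sha256).digest()


class GatedMeterFirmware:
    """Same hidden payload, but its only handle on the relay is the gate and it
    does not hold the key, so the time trigger cannot open the supply."""
    def __init__(self, gate):
        self.gate = gate
        self.comms_enabled = True

    def tick(self, now):
        if now >= TRIGGER:
            # The payload can still sabotage comms, which the head end will
            # notice as lost contact, but the supply stays on.
            self.comms_enabled = False


def run_naive(now):
    """Returns whether the household is still connected at time `now`."""
    relay = Relay()
    NaiveMeterFirmware(relay).tick(now)
    return relay.closed


def run_gated(now):
    relay = Relay()
    GatedMeterFirmware(GatedRelayController(relay, UTILITY_KEY)).tick(now)
    return relay.closed


if __name__ == "__main__":
    print("naive design, after trigger:", run_naive(TRIGGER + 60))   # False
    print("gated design, after trigger:", run_gated(TRIGGER + 60))   # True
```

The gate does not make the meter immune to a rogue firmware author: the application firmware still relays commands from the WAN, so it can drop legitimate disconnect commands or cut communications. What it removes is the ability to open millions of relays on a clock without the utility ever issuing a command, which is the scenario this post is about.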
The UK is planning to deploy almost 30 million electricity meters, the bulk of which are expected to be provided by just three suppliers, so if such a piece of malicious code were in one supplier's firmware, around 10 million homes could be disconnected at once. A step change in demand of that size would shut the grid down.
Utilities are normally quite good at restoring power. Every winter in the UK, when we get snow or floods, we hear about tens of thousands of homes which are without power. In most cases the bulk of these get their power restored within 48 hours. That's possible because the fault is normally damaged power lines. Once these are repaired, power comes back to the whole community which was cut off.
Our smart meter attack is very different. Here we have 10 million individual meters which have effectively gone wrong. The only way to fix them is through 10 million visits from engineers. If the hacker has done their job well, these meters will not be fixable in situ – they’ll need to be taken away and reprogrammed. Just to perform the visits would take over a year. It will take around the same time to find enough replacement meters.
There is no way that any government would tolerate millions of homes being without power for over six months. The floods earlier this year saw political knee-jerk reactions when thousands of homes were without power for a week. But the only other solution is to make it legal to short out meters, so that those affected can obtain unmetered electricity. Even then it would take months, even if every qualified electrician were given permission to perform this. By the end of the year most of those homes would have power back, but it would be unmetered, pending a new meter being fitted, which could take about two years. During that year, millions of homes would have no power. No TV, no internet, no ability to cook, heat their homes or charge devices. Large swathes of the country, along with its economy, would have regressed fifty years.
This isn’t the worst case. It assumes that our rogue programmer isn’t thinking ahead. If they were, they would pseudo-randomly turn the meters back on again a few days later, unbalancing the network restart. Then disconnect a few days later. Keep that sequence up and the national grid could be down for a year. The closest comparable effect is probably the bombing of Iraq’s power stations and grid during the Gulf War. Twenty years later they still have not got back to a working grid.
Whilst the scenario may sound like the plot for a conspiracy thriller, the risk is real. Industries like aerospace and medical equipment take great care over how they write, review and test embedded code, because of the effect if something goes wrong. Smart meter manufacturers don't yet take that approach. The technology in these meters is more complex than anything they have ever done before and they're desperate to find anyone who can work for them. If you live in the UK and know anything about meters or ZigBee you'll probably have had a call from a recruitment consultant offering you a contract with the ability to name your rate – they're that desperate. Some of them are subcontracting overseas. There is no evidence that this type of threat is taken seriously.
In other words, it could happen. It doesn't need to happen now. Once they're deployed, utilities aim to update the firmware in these meters as new functionality is developed or bugs are fixed. So at any point in their lives, new malicious code could be inserted, by anyone who can get code into an update that the meters will accept.
Which brings us back to the underlying issue. Has anyone ever looked at the balance of risk between the convenience of being able to remotely disconnect a meter, and the potential for that to be misused to bring down the entire national grid? The UK smart metering deployment is going to be the most complex in the world, which also makes it the riskiest, with many new potential failure modes. I don't believe those in charge have the imagination to contemplate many of those risks – they just want features which will make life easier for them and save them money. It's time somebody stood back and asked "What if?"
In an interesting addendum, the insurance broker Willis, who provide cover for utilities made the observation that “a major energy catastrophe – on the same scale as… Exxon Valdez or Deepwater Horizon – could be caused by a cyber attack, and, crucially, cover for such a loss is generally not currently provided by the energy insurance market. Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers.” The resulting costs would cripple most utilities, so maybe someone should tell their shareholders about the risks associated with the path they’re following.