Most people don’t think much about firmware – the embedded software which runs the microcontrollers in all of the devices we have around us. We’re aware of the frustration when they don’t do what they’re meant to, at which point we realise that “smart” may not have been the best adjective to use to promote the product, but even when they do go wrong, turning them off and on again, or taking the battery out generally clears the problem. They almost always go wrong because the design process didn’t include enough testing, or not enough time was given over to thinking about the “edge cases” – those unexpected combinations of events which result in things not working the way they should. Most of the time it’s just a short-term annoyance; if it’s worse than that we’ll probably send it back, or throw it out and buy a new one.
However, we do expect safety critical devices like cars and
planes and national infrastructure to be a lot better designed than this. Your boiler turning off because it thinks
there’s a flow problem when there isn’t is annoying (time for a firmware
upgrade please, Vailant), but it’s not life threatening. In contrast, a self-driving car that runs
over a cyclist is not something the public is generally happy about. Nor is a plane falling out of the sky. But where would you put a smart meter in the
scale of things that might affect your life?
Last week we found out, and it’s not a happy answer.
It’s been a good week for scare stories about Smart Energy. Whilst they’ve predictably generated some excellent headlines (and I can’t resist joining in), the facts behind them are very important. We’re rushing into a global energy monitoring and delivery system with little understanding of whether or not it is secure.
What we can predict is that as soon as Smart Meters are deployed, the first impulse of every neighbourhood hacker will be to take control of their school or local government’s heating and air conditioning, just to prove they can. At one level, that’s a local annoyance. If it affects our utility bills it becomes more than an annoyance. And if it were co-ordinated by someone with a more malicious intent, then turning everything on at a peak time would take the grid down. So it’s important that we make sure it is as secure as possible.
That makes the two pieces of news this week a lot more important than just providing the excuse for a good headline. The first announcement was that the Information Trust Institute at the University of Illinois has been granted $18.8 million for a five year research project on securing the Smart Grid. The second piece of good news is the release of a set of ZigBee hacking tools by Joshua Wright at ToorCon11. These will let developers discover what vulnerabilities exist within the ZigBee standard, which is vitally important if it wants to be selected for use in Smart Meters. Josh describes his work as “will hack for SUSHI“. As far as I know he’s not received any sushi for his efforts, let alone an $18.8 million grant. If the Government is serious about the security of the energy supply, they should consider diverting some of that funding in his direction.