When Smart Meters get Hacked
- in Smart Energy
There’s a lot of talk about grid security and data privacy in the energy industry, but very little about the consequences of smart meters going wrong. By going wrong, I don’t just mean people attempting to hack their meters to reduce their bills. That will probably happen. I’m more interested in the nightmare scenario in which several million electricity meters suddenly disconnect.
Whenever I’ve asked a utility about what they’d do if a million meters disconnected, the only response I’ve had is a puzzled look and the reply that “that can’t happen”. It probably won’t, but it could. If it does, the economic effect on the country would be disastrous. It’s probably the most effective terrorist attack available. And the worrying thing is that with the current design of UK smart meters, it could happen.
I wonder whether the right risk analyses have been done on the consequences of such an attack, weighed against the benefits to utilities of specifying meters which make it possible.
What makes this possible is the fact that every smart meter being deployed in the UK includes a relay which can disconnect the household from the electricity supply. This is controlled by the utility and makes life easier for them by allowing them to manage connections and disconnections from a computer terminal rather than having to send an engineer out to gain access to the house. It’s part of the savings that they claim justify the deployment of smart meters. It also makes it easier for them to switch customers to prepay if they are in arrears. Again, they don’t need to send out an installer to change the meter – they do it from their computer keyboard.
In theory only the utility has access to the relay in your meter and they claim to have a secure system. But that’s not strictly true. There is a threat where a rogue programmer working for the meter manufacturer could insert some additional code which would disconnect the meter at a specified day in the future. That threat is very low but maybe not as low as it should be.
If this happens, the consequences are catastrophic. Electricity is an interesting commodity because it can’t be stored in any quantity. That means utilities need to balance the amount of electricity being generated against the amount being consumed, second by second. They do this by predicting demand and bringing different combinations of generation online to match it. They’re very good at it. But when there is a large mismatch it can bring down the grid. If demand suddenly falls, power stations can’t back off quickly enough, and the surplus of generation over load pushes the grid frequency (and voltage) up. If the rise is large enough, generators trip on their over-frequency protection and equipment can be damaged. Once that starts, the problem typically cascades onto other segments of the grid, shutting down large areas – in some cases whole countries. Today’s grids are meant to be fairly resilient, but that’s on paper. There are plenty of examples of major blackouts which have left millions without power for weeks.
Bringing power back after one of these events is difficult. If enough power stations have shut down the grid needs to perform what’s called a black start. Utilities try to bring up small areas which match the capacity of each power station before coupling these together across the full grid. The problem is the same one of balancing generation and demand. What makes it complicated is that the utility has no idea what demand is as it restarts, as it doesn’t know what has been turned off, or is still turned on. As a result, getting power back from this situation can take several days.
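The balancing argument above is easy to put numbers on with the textbook aggregate swing equation. What follows is an added example written for this page, not code from the original post or from any utility; the inertia constant (H = 5 s), the 52 Hz over-frequency trip setting, the 30 GW evening peak and the governor ramp rate are all assumptions chosen to show the mechanism rather than GB grid data.

```python
"""Swing-equation sketch of a sudden fleet-wide demand loss.

Added example, not code from the original article. The model is the standard
aggregate swing equation

    df/dt = f0 * (P_gen - P_load) / (2 * H * S_base)

with H the system inertia constant in seconds and S_base the dispatched
generation. H = 5 s, a 52 Hz over-frequency trip and the MW figures below are
assumptions made for illustration, not measured GB grid data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

F0_HZ = 50.0               # nominal frequency
OVER_FREQ_TRIP_HZ = 52.0   # assumed generator over-frequency protection setting
UNDER_FREQ_TRIP_HZ = 47.5  # assumed low-frequency limit (reached if load is *added*)


@dataclass
class Grid:
    gen_mw: float     # generation dispatched right now
    load_mw: float    # demand being served right now
    inertia_s: float  # aggregate inertia constant H


def rocof_hz_per_s(grid: Grid) -> float:
    """Rate of change of frequency the instant generation and load diverge.
    Positive when generation exceeds load (frequency rising)."""
    surplus_mw = grid.gen_mw - grid.load_mw
    return F0_HZ * surplus_mw / (2.0 * grid.inertia_s * grid.gen_mw)


def seconds_to_trip(grid: Grid, trip_hz: float = OVER_FREQ_TRIP_HZ) -> Optional[float]:
    """Time until the over-frequency trip if nothing reacts; None if the
    frequency is steady or falling."""
    r = rocof_hz_per_s(grid)
    if r <= 0.0:
        return None
    return (trip_hz - F0_HZ) / r


def drop_load(grid: Grid, fraction: float) -> Grid:
    """Instantaneous loss of `fraction` of demand, e.g. a fleet of meters
    opening their relays together. Generation is unchanged because plant
    cannot back off in the same instant."""
    return Grid(grid.gen_mw, grid.load_mw * (1.0 - fraction), grid.inertia_s)


def simulate(grid: Grid, governor_mw_per_s: float = 0.0,
             dt: float = 0.1, t_max: float = 10.0) -> Tuple[float, float]:
    """Step frequency forward with a crude governor that can only ramp
    generation down at a finite MW/s. Returns (time, frequency) at the first
    protection trip, or at t_max if the system rides through."""
    g = Grid(grid.gen_mw, grid.load_mw, grid.inertia_s)
    f, t = F0_HZ, 0.0
    while t < t_max:
        f += rocof_hz_per_s(g) * dt
        if f >= OVER_FREQ_TRIP_HZ or f <= UNDER_FREQ_TRIP_HZ:
            return t + dt, f
        # governor backs generation off toward load, but only at a finite rate
        g.gen_mw = max(g.load_mw, g.gen_mw - governor_mw_per_s * dt)
        t += dt
    return t, f


if __name__ == "__main__":
    evening_peak = Grid(gen_mw=30_000.0, load_mw=30_000.0, inertia_s=5.0)  # assumed
    for share in (0.01, 0.10, 0.30):   # share of demand that disconnects at once
        g = drop_load(evening_peak, share)
        print(f"{share:>4.0%} of demand lost: ROCOF {rocof_hz_per_s(g):.2f} Hz/s, "
              f"trip in {seconds_to_trip(g):.1f} s with no response")
    print("30% loss with a 500 MW/s governor ramp ->",
          simulate(drop_load(evening_peak, 0.30), 500.0))
```

With these assumptions a 1% step in demand gives the governors about forty seconds to respond, which is the everyday case; a 30% step (roughly the ten million homes discussed below) reaches the trip threshold in a little over a second, which is faster than any plant can back off, so the cascade starts before anyone has touched a control.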
So what opportunity does that provide for a rogue programmer? All they need to do is insert a few lines of code into the firmware for a smart meter which will disconnect the meter at some specific time in the future. For best effect, they’d set that to be during a peak time, probably in the winter. The code needs to disconnect the power at that point and also disable the remote connection back to the utility, so that the utility can’t communicate with the meter to try and restart it. A competent programmer should be able to write that in about ten minutes. As the same firmware goes into every meter from that supplier, millions would turn off together.
The UK is planning to deploy almost 30 million electricity meters, the bulk of which are expected to be provided by just three suppliers, so if such a piece of malicious code was in one of their meters, around 10 million homes could be disconnected. That would be enough to shut the grid down.
Utilities are normally quite good at restoring power. Every winter in the UK, when we get snow or floods, we hear about tens of thousands of homes which are without power. In most cases the bulk of these get their power restored within 48 hours. That’s possible because the fault is normally damaged power lines. Once these are restored, power comes back to the whole community which was cut off.
Our smart meter attack is very different. Here we have 10 million individual meters which have effectively gone wrong. The only way to fix them is through 10 million visits from engineers. If the hacker has done their job well, these meters will not be fixable in situ – they’ll need to be taken away and reprogrammed. Just to perform the visits would take over a year. It will take around the same time to find enough replacement meters.
There is no way that any government would tolerate millions of homes being without power for over six months. The floods earlier this year saw political knee-jerk reactions when thousands of homes were without power for a week. But the only other solution is to make it legal to short out meters, so that those affected can obtain unmetered electricity. Even then it would take months, even if every qualified electrician were given permission to do it. By the end of the year most of those homes would have power back, but it would be unmetered, pending a new meter being fitted, which could take about two years. In the meantime, millions of homes would have no power: no TV, no internet, no ability to cook, heat their homes or charge devices. Large swathes of the country, along with its economy, would have regressed fifty years.
This isn’t the worst case. It assumes that our rogue programmer isn’t thinking ahead. If they were, they would pseudo-randomly turn the meters back on again a few days later, unbalancing the network restart. Then disconnect a few days later. Keep that sequence up and the national grid could be down for a year. The closest comparable effect is probably the bombing of Iraq’s power stations and grid during the Gulf War. Twenty years later they still have not got back to a working grid.
Whilst the scenario may sound like the plot for a conspiracy thriller, the risk is real. Industries like aerospace and medical equipment take great care over how they write and test embedded code, because of the effect if something goes wrong. Smart meter manufacturers don’t yet take that approach. The technology in these meters is more complex than anything they have done before and they’re desperate to find anyone who can work for them. If you live in the UK and know anything about meters or ZigBee you’ll probably have had a call from a recruitment consultant offering you a contract with the ability to name your rate – they’re that desperate. Some of them are subcontracting overseas. There is no evidence that this type of threat is taken seriously.
In other words, it could happen. It doesn’t need to happen now. Once the meters are deployed, utilities aim to update their firmware as new functionality is developed or bugs are fixed. So at any point in their lives, new malicious code could be inserted.
Which brings us back to the underlying issue. Has anyone ever looked at the balance of risk between the convenience of being able to remotely disconnect a meter, and the potential of that being misused to destroy the entire national grid? The UK smart metering deployment is going to be the most complex in the world. That means it’s the riskiest, with many new potential risks. I don’t believe those in charge have the imagination to contemplate many of those risks – they just want features which will make life easier for them and save them money. It’s time somebody stood back and asked “What if?”
In an interesting addendum, the insurance broker Willis, who provide cover for utilities made the observation that “a major energy catastrophe – on the same scale as… Exxon Valdez or Deepwater Horizon – could be caused by a cyber attack, and, crucially, cover for such a loss is generally not currently provided by the energy insurance market. Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers.” The resulting costs would cripple most utilities, so maybe someone should tell their shareholders about the risks associated with the path they’re following.
It’s a good article, but it doesn’t tell the whole story. GCHQ weren’t involved at the start of the project. Instead, they were presented with a badly designed system and have done a good job of trying to fix it, albeit with a lot of sticking plasters. Because the original architecture didn’t really consider security, this means they’ve had to add quite a bit of cost and complexity. I’m sure they’d freely admit that they would not have designed a system anything like this if they’d been involved from the start.
However, the article only addresses operational security, i.e. people hacking into the system. My concern has always been the opportunity for malware to be inserted into code. Much of the firmware is being subcontracted out and it would be easy for a programmer to add malicious code which could shut off or modify metering data. Dr Levy’s article makes the point that not everyone who is building things for the Smart Metering System is a cyber security expert. Nor are they firmware experts. In particular, most of the industry doesn’t have the same level of software testing and procedures in place as other, more established industries.
I keep getting told this can’t happen, but it happened at Volkswagen with their emissions scandal, albeit for internal, commercial reasons. Yet I still get the response that this could never happen with smart meters. I think it would be all too easy. I’ve been offered several jobs developing firmware for meter companies and I’m not even a programmer. So, Dr Levy’s article is a good, sensible one for a system designed from scratch by companies with established, competent procedures. Unfortunately that has nothing to do with the current GB smart metering system. Sadly, like many good articles, the author and the article have been used out of context by PR people anxious to roll out an expert to paper over the cracks.
Have you read this, by any chance?
What worries me is that the concept of “not beyond the realms of the possible” does not appear to be understood by those involved with this deployment. They consider it to be “not possible”. I used to work with some financial security companies, who do understand these issues. It’s interesting talking to them about how things are changing. They’re worried by the fact that in what used to be a fairly evenly matched cat and mouse game between financial security companies and hackers the playing field is changing, with the hackers outmaneuvering the security experts. They’re unanimous in believing that they need to up their game. In contrast utilities barely appear to be aware that hackers even exist, other than in conspiracy thrillers.
No doubt old news, but the Dragonfly hack brings a touch of “not beyond the realms of the possible” to this article.
It does demonstrate that there are groups that have the mandate and resources to disrupt soft targets.
I know Ross’ paper well and I would encourage everyone involved in this industry to read it. The problem is that no-one appears to be interested in contemplating the effect of what would happen if things really did go wrong. It would be devastating and not far removed from General LeMay’s famous suggestion of “bombing a country back into the Stone Age”.
You probably know the paper “Who Controls the Off Switch?” by Ross Anderson, Professor of Security Engineering at Cambridge University. Google finds it easily, and it makes salutary reading. Since he wrote that we have had the state-organised Stuxnet attack on Iran’s nuclear program, the compromise of the DigiNotar Certificate Authority and the Snowden revelations, to name just a few cyber-security horror stories.
The only prudent approach is to assume that the smart meter network security will be compromised, and to omit the off switch.
“There’s a lot of talk about grid security and data privacy in the energy industry, but very little about the consequences of what happens if smart meters go wrong” – For this reason I’m really pleased I came across this article. Thanks.
How about an API like…
> Disconnect ~customer //whoops
Good point. I wonder if the risk analysis includes the chance of a utility operative accidentally pressing the wrong button. You can just see the options that an over-enthusiastic programmer will give them:
> Disconnect Customer
> Disconnect Slough
> Disconnect GB
An amusingly creative but highly unlikely scenario, for the good reason that heroic amounts of competence and forward planning would be required.
Given the fly-by-night nature of our energy supply industry, it is far more likely that mass disconnection would occur because of some cock-up in the billing system. For example, a large payment database gets corrupted so it looks like customers are deeply in arrears, leading to an energy supplier disconnecting its entire customer base in one fell swoop. A sort of self-inflicted terror strike.
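Both failure modes raised in the comments above, the operator with a “Disconnect GB” button and the corrupted payments database that marks every customer as in arrears, have the same cheap control: a policy gate at the point where the head-end mints remote-disconnect commands. The following is an added example written for this page, not code from the original post or from any real head-end, DCC or SMETS implementation; the thresholds, the four-eyes rule, the reason codes and the billing record layout are assumptions made for illustration, and the billing data is constructed. It does nothing against the firmware logic bomb the article itself describes, which never passes through the head-end at all.

```python
"""Policy gate in front of a head-end's remote-disconnect command.

Added example, not code from any real head-end, DCC or SMETS implementation.
Thresholds, reason codes and the billing record layout are assumptions chosen
for illustration; the sample billing data is constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

ALLOWED_REASONS = ("arrears", "move-out", "safety")   # assumed reason codes


@dataclass
class DisconnectRequest:
    meter_id: str
    reason: str
    requested_by: str
    approved_by: str = ""   # independent second approver, required for bulk batches


@dataclass
class DisconnectGate:
    fleet_size: int
    max_per_hour: int = 50                     # assumed operational ceiling
    bulk_threshold: int = 10                   # larger batches need four-eyes approval
    max_fleet_fraction_per_day: float = 0.001  # never more than 0.1 % of the fleet in 24 h
    _hour: Deque[float] = field(default_factory=deque)   # timestamps of issued disconnects
    _day: Deque[float] = field(default_factory=deque)

    def _prune(self, now: float) -> None:
        while self._hour and now - self._hour[0] >= 3600:
            self._hour.popleft()
        while self._day and now - self._day[0] >= 86400:
            self._day.popleft()

    def check_batch(self, batch: List[DisconnectRequest],
                    now: float) -> Tuple[List[str], Dict[str, str]]:
        """Return (meter_ids allowed to proceed, {meter_id: rejection reason})."""
        self._prune(now)
        allowed: List[str] = []
        rejected: Dict[str, str] = {}
        # Four-eyes rule: a bulk batch is refused wholesale unless every request
        # carries an approver who is not the requester.
        if len(batch) > self.bulk_threshold and any(
                not r.approved_by or r.approved_by == r.requested_by for r in batch):
            return allowed, {r.meter_id: "bulk batch needs an independent second approver"
                             for r in batch}
        daily_cap = round(self.fleet_size * self.max_fleet_fraction_per_day)
        for r in batch:
            if r.reason not in ALLOWED_REASONS:
                rejected[r.meter_id] = f"unknown reason {r.reason!r}"
            elif len(self._hour) >= self.max_per_hour:
                rejected[r.meter_id] = "hourly disconnect ceiling reached"
            elif len(self._day) >= daily_cap:
                rejected[r.meter_id] = "daily fleet-fraction ceiling reached"
            else:
                self._hour.append(now)
                self._day.append(now)
                allowed.append(r.meter_id)
        return allowed, rejected


def arrears_disconnects(billing: List[dict], requested_by: str,
                        baseline_rate: float = 0.02,
                        max_multiple: float = 5.0) -> List[DisconnectRequest]:
    """Turn billing records into disconnect requests, refusing to act on a feed
    whose arrears rate is implausibly far above the historical baseline. That is
    what a corrupted payments database looks like from the head-end."""
    in_arrears = [b for b in billing if b["balance_gbp"] < 0 and b["days_overdue"] > 90]
    rate = len(in_arrears) / len(billing)
    if rate > baseline_rate * max_multiple:
        raise ValueError(f"arrears rate {rate:.1%} is {rate / baseline_rate:.0f}x the "
                         f"baseline; refusing to generate disconnects")
    return [DisconnectRequest(b["meter_id"], "arrears", requested_by) for b in in_arrears]


def constructed_billing(n: int = 1000, arrears: int = 15) -> List[dict]:
    """Constructed sample data: n accounts, the first `arrears` of them overdue."""
    recs = [{"meter_id": f"M{i:04d}", "balance_gbp": 120.0, "days_overdue": 0}
            for i in range(n)]
    for rec in recs[:arrears]:
        rec.update(balance_gbp=-340.0, days_overdue=120)
    return recs


if __name__ == "__main__":
    gate = DisconnectGate(fleet_size=100_000)
    ok, rej = gate.check_batch(arrears_disconnects(constructed_billing(), "ops-alice"), now=0.0)
    print(f"healthy feed: {len(ok)} disconnects issued, {len(rej)} refused")
    try:
        arrears_disconnects(constructed_billing(arrears=1000), "ops-alice")
    except ValueError as e:
        print("corrupted feed:", e)
    everyone = [DisconnectRequest(f"M{i:04d}", "arrears", "ops-alice") for i in range(500)]
    ok, rej = gate.check_batch(everyone, now=0.0)
    print(f"'Disconnect GB' from one operator: {len(ok)} issued, {len(rej)} refused")
```

The daily fleet-fraction cap is the important one: it bounds the worst case of any single mistake, compromised operator account or bad data feed to a number the call centre can cope with, whatever the billing system thinks.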
Good plan, man… finally a good reason for having the damn things! Might knock some sense into people…