Schneier on Security
A blog covering security and security technology.
July 29, 2010
Security Vulnerabilities of Smart Electricity Meters
"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria.
Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.
The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker -- whether a hostile government agency, a terrorist organisation or even a militant environmental group -- the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.
Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, creates a new strategic vulnerability, which we discuss in this paper.
The two have another paper on the economics of smart meters. Blog post here.
Posted on July 29, 2010 at 6:16 AM
How much money can power companies possibly save by doing this? By the time they pay developers to develop the technology, buy new hardware, deploy it, and then manage it, it will probably cost more than just paying somebody to go and flip a switch the old-fashioned way. It would be interesting to see if they plan to automate this by integrating it into their accounting/billing software, which we all know would create even more vulnerabilities. I think this is a bad idea from both a business and security perspective.
Here in St. Louis, we have had one of these smart meters for over 10 years. The meter communicates with Big Brother every few minutes, so the utility does not ever have to send a meter reader. Also, if Big Brother sees a bunch of meters going off-line at the same time, they have a pretty good idea of where the fault is.
Remember, most electric utilities are regulated businesses that don't make any money off of electric sales. In the United States, utilities collect revenue through rate increases granted by state regulatory commissions. Those rate increases are proportional to the amount of capital equipment the utility buys and deploys.
So increasing the cost of meters by including communication and control technology increases the profitability of the company. (It's weird compared to "normal" businesses.)
Yet right now, it's not clear who will bear the costs of security failures. Will it be the equipment manufacturer, the parent utility, or the commission that approved the purchase in the first place?
Another problem with the smart meters is privacy. Carefully monitoring someone's usage will tell the company (or anyone else accessing that data) when you are home, when not and possibly what kind of appliances you are using.
"Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended."
High altitude EMPs do exactly that over massive distances - 3 would be enough to take out every electrical device (iPods, phones, cars, generators, the electricity T&D system) for the entire continental US.
For a hostile govt this could prove far simpler than hacking the 500+ electrical grids the US has.
Considering that significant 'smart' grid funding is coming from the government (taxpayer), I am uncertain power companies are losing as much as one might initially think. I am more certain they won't make money by eliminating meter readers compared to the infrastructure costs involved with securing and managing the 'smart' grid. In the end, I expect energy producers to become quasi-governmental companies.
It is probably not in the business interest of a utility company to make turning OFF power too automatic. Any positive effect it could have on the company's collection effort would be offset by the risk of chopping off some innocent who's actually willing and able to pay due to some minor misunderstanding, resulting in legislative interest and eventually leading to regulation that cancels out the whole scheme anyway.
No, what they want is the ability to turn power back ON instantly, once they get their money, without having to wait to dispatch someone to physically flip a switch.
I think that power execs genuinely see this technology primarily as a way to increase customer satisfaction (such as, get power immediately when you move into a flat previously occupied by a bad payer; no sudden surprises due to mistaken meter readings, and so forth), and only secondarily or not at all as an enforcement tool.
Meter fraud is one of the most rife and often innovative areas of fraud.
For example, I know that you used to be able to inject (with a syringe) a small spider into a gap on the meter, with it then spinning webs which gunk up the moving parts and reduce (or eliminate) metering. Sounds crazy, right? But I heard this direct from a Meter Fraud Investigator.
WRT smart meters, I think we all are very aware that making things more complex does not inherently make them more secure, and typically only temporarily increases security, simply through initially being more obscure.
This sounds like we are going to run into a repeat of the 'Ohhh, ATMs are affected by the ping-of-death' incidents.
But this all at least reminded me to get my two big UPSs inline again :-)
Two more factors motivating Smart Meters:
-Time of Day pricing. Power at 7pm costs a whole lot more than 2am power. If you can read a meter every hour, you can charge customers a different price each hour. This makes sense when you consider that 20% of a utility's generation is dedicated to covering peak load, and is rarely used.
-Governmental pressures. Today it's a *lot* easier to justify spending on energy conservation than a new power plant. It's cool to be green, and darn the cost, those utilities are gonna go green.
So I just read the paper and I thought it was going to give me an idea of the English smart meter crypto protocol and instead discovered that it looks like the power companies didn't want Ross Anderson to be involved: "...the Royal Academy of Engineering were excluded from meetings to settle the specification of the smart metering programme"
I'm rather inclined to agree with him that if they didn't want him there then their security is an open problem. This paper seems to be his solution.
I also wanted to suggest that if any regulatory body is going to be managing PKI keys then I would really like to see another layer of indirection beyond the actual industry to a single Office of Cryptographic Keys.
I happen to work at a utility looking at a smart grid project. A couple of facts. Meter reading savings won't make the project financially attractive. Neither will turn on/off.
What the big push by the government and utilities is really about is variable pricing. Utilities for example might be paying $30/MWh during times of light load, but then paying over $100/MWh when the load rises (I've actually seen it go as high as $800/MWh). If you want to see what the current costs are in the midwest check out http://www.midwestmarket.org/page/...
Considering 20% of the generating fleet runs less than 10 days/year getting consumers to conserve during high load and shave those peaks has potential for savings. The other huge wildcard in this effort is electric cars and the fact that the batteries in the cars could actually be drained back into the grid to help during high load and then be charged when prices are low. How people would set their preferences and be compensated for charge cycles to the batteries still needs to be worked out.
The weakness in a transition to technology driven products lies in the development strategies of the big smart meter manufacturers, whether they design with security first or last.
As too often is the case, last will get to market first and the bigger share.
Combine that with
1) purchase order practices of buying hardware not software. Purchasing is not required to follow security and often does not. Budget owners drive purchase decisions.
2) Consumers don't/won't own the equipment, so disclosure will take a big event.
Due diligence, by security and IT is rarely embraced, often ignored or given lip-service. That habit creates a dangerous environment.
Security is often buried far down in a company's structure. It is a rare company that recognizes the value of embracing security methods, and an even rarer company where the CEO ever hears security concerns.
As this gets more visibility, we will see the results of that known-to-fail model.
At least until a 'big event.' Then the CEO hears and wonders why s/he wasn't aware sooner.
I think I'll invest in candles, generators and solar panels ;->
Is there just one command, available to utilities operators, that enables them to turn off power to every customer? Or would a series of commands, perhaps one for every customer, need to be implemented? The assumption here seems to be that power could be interrupted to a large number of receivers in one fell swoop. I'm thinking it might be far more complicated than that. If there is such a "switch", I doubt it would be through the remote read meters. It would probably be on a higher level in the system.
I guess my argument here is that while there may be security issues with the remote readers, using them for a wide-scale attack would be very complex and inefficient.
Rationale for smart meters:
- Electrical cars changing the power consumption
- Feeding back self generated power, eg, solar, wind, coupled heat/power generators
- Feeding back stored power from electrical cars
Someone HAS to start planning for a two way grid. Oil WILL run out someday, if we even can afford to burn it all.
There is a worldwide push to handle more intelligence in the grid to allow for massive power storage in car batteries, which would act as a buffer, as well as the power feed in from "alternative" sources and coupled heat/power generators.
Obviously, all the security and privacy problems still hold. But these intelligent meters are not introduced for some petty reason like fraud prevention.
While you are correct about EMP, it is a more costly attack. Remember there is a marginal cost of zero to reproduce a meter hack, and for each EMP the cost is the same.
Also while there may be 500+ utilities (actually there are about 1800 NERC registered entities), how many meter models will there be? If you can spread an attack virally across meters (and people ALREADY have), then you end up with 5-10 compromises needed, not 500.
@DayOwl & Tom Rafferty
See Mike Davis's presentation from last year's BlackHat.
Proviso: this is not my legal area...
Here in the UK if your power company overcharges you, you can claim back a maximum of a year of the overcharges; if they undercharge you they can claim up to six years of underpayments!
I have no doubt that Smart Meters are a smart idea; just not for consumers.
Somehow, after reading about all this, my little off-grid Alaskan cabin seems even more secure. I haven't experienced a power outage in years. Wind, solar, backup generator, no lines to go down in a storm, no switch someone else can control, life is good. When I get my new hybrid vehicle I'll have even another backup option for electricity.
It's ATMOS all over again!
Some smart shutoffs are already in place. When my mother got an air conditioner for her house, over twenty years ago, she got a price break by agreeing to let the power company shut it off half the time (one hour on, one hour off) in periods of high load. Of course, hacking into that is only going to annoy people, and conceivably kill a few. Being able to cut off electricity en masse and totally would be far more disruptive.
A further rationale - so that it can be differentially taxed. As electricity is increasingly used to charge cars, govts will need to recoup the taxes they are losing from falling fuel sales.
As an aside, how do these smart meters connect back to base if you live in an area without a mobile phone signal?
As someone somewhere once said, "What can POSSIBLY go wrong?"... Doh! This is just so stupid that I can't even begin to say how fubar this entire idea is. Our electric transmission/distribution grid is already so vulnerable that this may not increase our current risk much in absolute terms, but when an entire city is taken off the grid at the home, there will be dire consequences, and not just for those directly affected by the outage... I think there will be some interesting new foliage hanging from trees near the power companies' offices.
i work at a cooperative power company. there are actually many more cooperatives than investor-owned utilities (http://www.nreca.org/AboutUs/Co-op101/CooperativeFacts.htm). the coops just tend to be much smaller and so are less known.
we don't generate our own power, so we have to buy it and have it wheeled to our system, which we will be charged for. the rates that we charge include the cost that we pay for power and any wheeling costs that we pay to get it to the consumer. but our rates are still lower than the next county, which is supplied by an investor-owned utility.
in addition, our meters are not accessible from the internet, but only from within our organization. while this doesn't mean that it's impossible to attack the power grid, it makes it much harder than just entering the ip address of the meter and pressing the "off" button.
i can't speak for all coops, but we take security very seriously. we are already ahead of the curve when it comes to NERC and FERC compliance, and we are always doing our best to keep our systems secure from attack.
As frequent readers will know I have been worried about these meters for quite some time now.
One thing to consider is life expectancy...
There are electricity meters in the UK that have had a longer operational life than DES had. Most meters are expected to be in use for 25 years.
Apart from a few thermionic valves and transistors you would be hard pushed to find many of the electronic components that were commonly available 25 years ago.
Especially microcontrollers: how many are still in production that are 27-30 years old (you have to allow for design time)?
Thus from a design perspective they are "throw away" items. Which in general means the lowest possible price to manufacture.
Which means also "software on the cheap" with "insufficient testing" for a security device.
It also means that the devices are not likely to have a very secure "re-flash" system. Even if it does, experience with the likes of TI calculators and other systems such as games consoles, set top boxes and smart phones et al tells us it will (no maybe) be hacked.
The history of Sky Satellite Set Top boxes should stand as a clear warning as to what will happen to "home grown" security, likewise WEP etc.
High level security should be built in from day 0, but the question is "what security"? Do we actually know enough to say anything we design will be good for five years, let alone 25 years?
For instance you cannot just turn somebody's supply off (think those with home dialysis etc).
Thus you need special groups of protected individuals, especially as "home nursing" is on the rise.
One thing that is sure to happen with this level of control available to the utility companies is that the system will without doubt become more fragile as utility companies continue to defer upgrades and some planned maintenance, preferring to "play smart" rather than "play sensible" when it comes to adding "new load" to existing capacity without "upgrading" or "maintaining" in the way they used to do.
But when worrying about "Remote OFF Switches" we also need to remember that there is a big big issue with turning electrical devices off: that's easy, the hard part is turning them all back on...
The inrush current on some old style light bulbs was ten times that of the normal operating current. Likewise nearly all electromechanical and most electronic items have a startup current that is a significant multiple of the normal operating current.
Thus an attack strategy could simply be to "switch off" and then "switch on" a small subset of consumers just to max out a small part of the grid and cause a massive cascade failure...
Oh and a whole bunch of other issues to do with Privacy, just imagine what the supply usage in your home says about its occupants and how the likes of the NSA would love to add that to their DBs...
But what about those nasty "Buy our ..." phone calls, you can imagine many companies wanting "near real time" access to "who's home" data...
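The inrush point above is the one part of the "remote off switch" problem that a utility's head-end can plan around: restoring supply in stages rather than all at once. The following is an added example (not code from the post, the paper, or any utility) of a staged reconnection planner; the meter ids, steady loads, inrush multiples and feeder headroom are constructed sample values.

```python
"""Staged reconnection planner (added example).

After a mass disconnect, re-energising every premises at once produces an
inrush surge that is a multiple of the steady-state load.  This planner groups
meters into batches so that, provided each batch is energised only after the
previous batch's inrush has decayed, no batch's surge exceeds the feeder's
spare capacity.  All numbers below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Meter:
    meter_id: str
    steady_kw: float         # nominal running load of the premises
    inrush_multiple: float   # startup demand as a multiple of steady load
    protected: bool = False  # e.g. home dialysis: must be restored first


def inrush_kw(m: Meter) -> float:
    """Peak demand seen in the seconds after this premises is re-energised."""
    return m.steady_kw * m.inrush_multiple


def plan_reconnect_batches(meters, headroom_kw: float):
    """Return a list of batches (lists of Meter) whose per-batch inrush never
    exceeds headroom_kw.

    Protected premises are scheduled into the earliest batch; the rest are
    packed largest-inrush-first (first-fit decreasing) to keep the number of
    stages low.  A single premises whose inrush alone exceeds the headroom
    cannot be restored safely by any ordering, so that is an error.
    """
    ordered = sorted(meters, key=lambda m: (not m.protected, -inrush_kw(m)))
    batches = []        # list of lists of Meter
    batch_surge = []    # running inrush total (kW) per batch
    for m in ordered:
        surge = inrush_kw(m)
        if surge > headroom_kw:
            raise ValueError(f"{m.meter_id}: inrush {surge} kW exceeds headroom")
        for i, total in enumerate(batch_surge):
            if total + surge <= headroom_kw:
                batches[i].append(m)
                batch_surge[i] = total + surge
                break
        else:
            batches.append([m])
            batch_surge.append(surge)
    return batches


def batch_surges(batches):
    """Inrush total (kW) for each batch, for checking against the headroom."""
    return [sum(inrush_kw(m) for m in batch) for batch in batches]


def all_at_once_surge(meters) -> float:
    """Surge if every premises were re-energised simultaneously."""
    return sum(inrush_kw(m) for m in meters)


# Constructed sample: eight premises on one LV phase, 16 kW steady load total.
SAMPLE_METERS = [
    Meter("M01", 3.0, 4.0),
    Meter("M02", 2.0, 6.0),
    Meter("M03", 1.5, 8.0),
    Meter("M04", 4.0, 3.0),
    Meter("M05", 1.0, 10.0),
    Meter("M06", 2.5, 2.0),
    Meter("M07", 0.8, 5.0, protected=True),
    Meter("M08", 1.5, 4.0),
]
SAMPLE_HEADROOM_KW = 25.0  # constructed spare capacity on the feeder


if __name__ == "__main__":
    print(f"all at once: {all_at_once_surge(SAMPLE_METERS):.1f} kW "
          f"vs headroom {SAMPLE_HEADROOM_KW} kW")
    for n, batch in enumerate(plan_reconnect_batches(SAMPLE_METERS, SAMPLE_HEADROOM_KW)):
        ids = ", ".join(m.meter_id for m in batch)
        print(f"stage {n}: {ids} -> surge {sum(inrush_kw(m) for m in batch):.1f} kW")
```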
@Tom Raftery, on electric power disruption by EMP:
The proposed attack seems to require one or more nuclear explosions at high altitudes, with compact "weaponized" bombs and missile systems capable of lofting them to the required altitude over the target area(s).
How many states are capable of making such an attack?
How likely is it that a non-state actor could make such an attack?
What are the survival prospects of a government that initiates such an attack against a powerful state?
What is the likelihood that a capable state would risk the consequences of such an attack?
How do these survival prospects compare to those expected if the same state were to make a "cyberattack" against infrastructure?
It seems to me that answers to these questions must be considered, in assessing the plausibility of an EMP attack, at least against a state with powerful retaliatory capacity (or a powerful protege).
Correction: meant to say, "a powerful protector"
Smart Meters are the technological fallout of smart thermostats. Somebody outside of your home (effectively a home invader) wants to control what happens inside of your home. In reality, this is likely not a billing issue (someone not paying) as the utility assigned cost of $75 (or $150) per incident won't change. It is a control issue, just as with the smart thermostats.
Look around. This is already happening in cars (OnStar, Sync) as someone outside the car wants to control what is happening inside the car. Same with building access (entrance/exit badges) and public thoroughfares (cameras), and public event attendance (face recognition cameras).
But the real killer is our dependence on electricity, and the death of our independence when electricity is off or used to hold us hostage in our own environments (homes, electric cars, workplaces).
@Tim: Pacific Gas & Electric (Utility for much of Northern California & Oregon) are setting up their own "secure" wireless network (based, I think, on ZigBee). See
I think the comparison "cyber equivalent of a nuclear strike" is highly exaggerated.
The last decade certainly had its share of black-outs (e.g. North America: 14 August 2003; Europe: 4 November 2006; etc.). It didn't feel like a nuclear war, did it?
"This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too."
Nuclear strikes come along with these pesky little things called death and destruction which prevent people from starting the power grid back up while simultaneously limiting the number of people who actually need that power anyway.
If someone hacks all of these "smart meters" and shuts down power then people will gripe about it until the power companies figure out how to get back into the meters or they spread the information about how to remove the meters and restore power.
That sounds just like a nuclear strike to me. Annoyed people aren't that much different from dead ones anyway.
@Ward: If power was removed from a significant percentage of households in a major city during a heatwave ... then there would be an alarming death toll. If the attack locked the utility out of the smart meters (requiring a visit to each house to reset) - then it could be weeks before power was fully restored.
I wish we could shut off power to people like this. Corrupt politicians/officers/managers. :)
@Winter - Errmm.. you do know that almost none of the nation's electrical supply is from oil, right?
The top sources are (in order) coal, natural gas, nuke, hydro, and renewables. Oil is way, way down the list. What little oil is used for generation is rapidly disappearing.
Question: once the electricity is turned off at a smart meter point, won't that same electricity still be needed at that point to later turn the electricity back on? This means electricity for the communications for the "smart" meter to get its signal to turn back on. Yeah, batteries will only last so long.
It's not just how smart the meter is, it is also who it owes allegiance to.
I would like the meter to exercise its intelligence on my behalf and negotiate with different suppliers hourly to get the best deal.
Somehow I don't think that is the way it will work :-)
@kashmarek: The smart meter still receives power from the grid when power to the home is cut off.
Maybe one of the folks working for electric companies can answer this, but it's a question that's been nagging at me:
Assume a major metropolitan area (eg, New York, Los Angeles, etc) manages to get 100% of their meters replaced with smart meters. What (if anything) happens to the grid and related generating/distribution infrastructure if an entity (malicious or negligent, doesn't matter here) was able to issue a 'disconnect' command to 95% of those meters in a 60 second time period?
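Whatever the grid does under a 95%-in-60-seconds disconnect, the head-end that issues those commands is the place to notice the burst before it completes. This is an added example, not code from the post or from any utility's software, of a sliding-window check over head-end command logs; the log format, controller and meter ids, operator names and thresholds are all constructed.

```python
"""Mass-disconnect detection over head-end command logs (added example).

Each DISCONNECT command is counted in a trailing window, both per LV
controller (the device that talks to the meters on one transformer) and
globally.  An alert is raised the moment a window's count passes its limit,
so the alert fires once per burst rather than once per command.  Lines are
assumed to be in timestamp order.  The log format and all values are
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ctrl=(?P<ctrl>\S+) meter=(?P<meter>\S+) "
    r"cmd=(?P<cmd>\S+) op=(?P<op>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ctrl": m["ctrl"], "meter": m["meter"],
            "cmd": m["cmd"], "op": m["op"]}


def find_mass_disconnects(lines, window_s=60, per_ctrl_limit=5, global_limit=20):
    """Return alerts for DISCONNECT bursts exceeding a limit within window_s.

    Each alert records the timestamp, the scope ("ctrl:<id>" or "global"),
    the count that tripped the limit and the operator that issued the command.
    """
    windows = defaultdict(deque)  # scope -> timestamps of recent DISCONNECTs
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["cmd"] != "DISCONNECT":
            continue
        scopes = ((f"ctrl:{ev['ctrl']}", per_ctrl_limit), ("global", global_limit))
        for scope, limit in scopes:
            q = windows[scope]
            q.append(ev["ts"])
            # Drop timestamps that have aged out of the trailing window.
            while (ev["ts"] - q[0]).total_seconds() >= window_s:
                q.popleft()
            if len(q) == limit + 1:
                alerts.append({"ts": ev["ts"], "scope": scope,
                               "count": len(q), "op": ev["op"]})
    return alerts


def constructed_sample_log():
    """Constructed head-end log: routine activity, then 24 disconnects in
    24 seconds spread across four LV controllers."""
    base = datetime(2010, 7, 29, 6, 0, 0, tzinfo=timezone.utc)

    def stamp(dt):
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"{stamp(base)} ctrl=C01 meter=M017 cmd=DISCONNECT op=billing",
        f"{stamp(base + timedelta(seconds=90))} ctrl=C01 meter=M017 cmd=RECONNECT op=billing",
        f"{stamp(base + timedelta(minutes=5))} ctrl=C02 meter=M044 cmd=DISCONNECT op=billing",
        f"{stamp(base + timedelta(minutes=12))} ctrl=C03 meter=M071 cmd=DISCONNECT op=billing",
        f"{stamp(base + timedelta(minutes=12, seconds=3))} ctrl=C03 meter=M072 cmd=READ op=scheduler",
    ]
    burst = base + timedelta(minutes=30)
    for i in range(24):
        lines.append(f"{stamp(burst + timedelta(seconds=i))} ctrl=C0{i % 4 + 1} "
                     f"meter=M{100 + i} cmd=DISCONNECT op=svc7")
    return lines


ROUTINE_LINES = 5  # the first five constructed lines are routine activity


if __name__ == "__main__":
    for a in find_mass_disconnects(constructed_sample_log()):
        print(f"{a['ts']:%H:%M:%S} {a['scope']}: {a['count']} disconnects "
              f"in 60s (op={a['op']})")
```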
My understanding is that the meters use a communications chipset with a not-very-random random number generator...
"... use a communications chipset with a not-very-random random number generator..."
Sadly a lot of "off the shelf" chips with inbuilt random number generators are not that good. Many are down to about 10bits equivalent entropy prior to the entropy pool (if there is one) and "magic pixie dust" hash function.
Entropy is like "angel hair": we know it should look like "spun gold" but we never get to see it in real life, let alone touch it; when we try to make it, rather than float like gossamer it tangles like a sewer rat's nest.
More FUD from everyone's favourite fudmeister - Mr Ross Anderson.
And who are ABB who have funded some of the research in this paper? Do they have some axe to grind here in some way?
"Oh and a whole bunch of other issues to do with Privacy, just imagine what the supply usage in your home says about it's occupants and how the likes of the NSA would love to add that to their DB's..."
Clive, is your tinfoil hat on straight?
Precisely, what exactly does this tell us about the occupants of a house? They have some 'heavy use' devices? Don't use much electricity during the day? What am I missing here?
Come on Bruce, don't some of Anderson's "doomsday" type scenarios elaborated upon in this paper qualify as movie plot type threats?!!
This is way beyond George Orwell's 1984. Now the government will have the ability to switch off power to your home without so much as a due process/court order. Another tool to monitor/control political opponents, monitor power usage to find out where they are meeting. Cut off power to hundreds/thousands of opponents just by running a little script.
"Precisely, what exactly does this tell us about the occupants of a house?"
Over time quite a lot actually (as is already known from studies into "efficient homes" where the utility usage is monitored).
For starters if the occupants are actually there or it's the security system "faking it".
For instance if there is a regular pattern this is probably due to a time clock controlling your heating or air con. This will likely have a noticeable time drift which can be fairly accurately predicted (thus subtracted to form a new activity base line).
Other irregular signals but at similar times of day would indicate human presence and "routine activity". Thus a change in any of the routine would be noticeable.
Nearly all electrical devices have characteristic startup signatures and other dynamic signatures that enable them to be identified.
For instance a microwave oven that is not used at full power has a very well defined and almost unique (amongst household electrical items) signature.
@somebloke: Nice paranoia there. ABB are actually a smart meter manufacturer (amongst other things).
We have had a time-of-use meter for more than a year now and things have gone well, although that's no guarantee for the future. Low price is 9:00pm to 6:00 am, and all day weekends and holidays; the other times are 6:00 to 11:00 am, 11:00 am to 5:00 pm, 5:00 to 9:00 pm. The highest price is for the first and third periods in the winter, the second period in the summer. Our usage is available online. You can get a credit for allowing the AC to be cut off for brief periods (not an hour). I live in Toronto, Canada and the Ontario Privacy Commissioner has already raised the question of the privacy of the online readings. I would say that it is a wash on cost for us; the low price periods are frequent enough to make up for the high price periods. The new meters are digital which sure makes it easy to read them but you had better do it in daylight. I'm okay with them but there have not yet been any disasters with them in use so I don't know what would come of such a situation.
"Errmm.. you do know that almost none of the nation's electrical supply is from oil, right?
The top sources are (in order) coal, natural gas, nuke, hydro, and renewables. Oil is way, way down the list. What little oil is used for generation is rapidly disappearing."
And the best replacement for oil and natural gas use is electricity. Electricity that has to be delivered over the grid. Powering heating and transportation with electricity will more than double (triple?) electricity use.
And for a lot of reasons, coal is not a very "comfortable" energy source. So preparations for electricity feed in are made everywhere.
All together, good reasons to build a "smart" grid.
Did you know that an area of North Africa the size of Germany would be enough to deliver solar electricity for all energy needs of a billion people at current Western European levels? That amount of electricity can be delivered over a grid. However, it has to be stored and distributed smartly over the grid.
People are already thinking how this could be realized.
In short, there are a lot of energy saving, distribution, and generation ideas floating around that require a smart grid.
Electricity usage patterns are already used to find marijuana "grow houses", without needing smart meters.
(or so I hear)
@marc "communicates with Big Brother every few minutes"
Strictly speaking Big Brother is the Gummint. Large corporations, in pursuit of money only, attempting to attain monopoly power, disregard notions of rights, and externalize all costs --like safety or concern for the environment--, are better described as a "Big Mother . . ."
Most electricity is lost during generation and transmission. Making power generation plants more efficient and reducing the loss over long hauls to the end point would give them much more product to sell. But given the fights we see to make older coal fired plants less toxic it's unlikely the capital outlays would be made. Could the incentive for power companies be not to be efficient/productive but massively generative? It's an interesting product. You can't stick it in a box and put it on the shelf.
The only way to earn revenue is to keep that sine wave moving along copper tubes strung up on sticks.
As a class this vulnerability has existed for a decade. Large buildings have remote access by power companies. What we are seeing is the proliferation of impact. Like when everyone else discovered how cool the internet was.
This is a movie scenario waiting to happen. As a scenario. It'd have to have Brad Pitt or Tom Cruise attached to it before it made it to script, much less movie.
@ Corey Mutter,
"Electricity usage patterns are already used to find marijuana "grow houses", without needing smart meters (or so I hear)"
You hear correctly. A "Grow House" in the UK adds a 10-20 kW load onto the local substation and can cause a massive "phase imbalance" there. This is a "continuous load" so stands out like the proverbial "sore thumb".
Worse, the "Grow House" operators are daft enough to "fiddle the meter", thus within 90 days at most there is a massive disparity between the kWh logged at the substation and that on the meter returns.
Currently the load does not identify which house it is but which one of the three phases it occurs on, giving a choice of around thirty houses. A simple check with a thermal imager generally "nails them cold" (well hot actually ;)
Obviously a smart meter that returned readings would "grass them up" well within 24 hours, and no need to send out the man with "the heat seeing gun".
Which of course back in the US and other jurisdictions raises the thorny question of "probable cause" to get a search warrant...
@Clive: "For instance a microwave oven that is not used at full power has a very well defined and almost unique (amongst household electrical items) signature."
Typically microwave ovens are used for a few minutes at a time, while smart meters (at least the ones we just had installed here in California) only report kWh used each hour.
I expect it is still quite easy to spot changed usage patterns that indicate that a house is empty ... but somewhat harder than it would be with the fine-grained data (1 second resolution?) that you'd need to do accurate device identification.
So far this thread seems long on FUD and short on solutions. Seems pointless to me to find a thousand ways in which a hypothetical system can fail, when what is needed is just one way in which it can work.
Smart meters are the future. They are the future in China, Africa, Australia, America, Europe basically everywhere. So, from a device security perspective, it is completely unnecessary to discuss the reasons for smart meter deployment. It is sufficient to understand that this change-over is happening. It is happening NOW so we need solutions for today's attacks and the flexibility to address the yet to be devised attack.
All of the smart meter deployment plans that I have seen target something like 90% deployment of consumer smart meters by between 2015 and 2020.
OK so lets talk a little about the reality of smart meters.
1) In most parts of the world Narrowband powerline communications (PLC) will be used to control smart meters, generally this is restricted to the LV (low voltage) sections of the Grid, so for a given MV to LV transformer there are less than 100 houses connected, whereby each phase (assuming 3 phase) goes to about 30 houses. Note: the US is likely to be the exception where RF mesh networks will probably dominate.
2) So your meter is only connected to 29 other meters and one controller. If I hijack PLC network, from my house, I can potentially bring down, 30 houses, Maybe 100 houses for a badly designed system.
3) One controller, typically located near the transformer, communicates with the 3 phases (100 houses). In most implementations this controller forms a GPRS to PLC bridge.
4) The GPRS to utility control center link flows over telecommunications infrastructure.
5) In most countries the MV=>LV transformers already have a remote shutdown capability, so Smart Meters do not really create a vulnerability that does not already exist.
6) Typical comms over narrowband PLC networks are fairly slow (under 10kbps). Although some newer OFDM meters achieve 100kbps, in reality most networks are lucky to achieve 1kbps (end to end) throughput. So a simple task like reading a meter takes about 1 sec of network time. This is important because independently sending commands to remotely connect or disconnect power will take between 10 sec and 2 min for a typical consumer PLC network.
If anyone is really interested in discussing the "real life" security aspects of smart metering then let's do it, but please without all the FUD.
Interesting "side channel" for smart meters.
Narrowband PLC systems for smart meters have an interesting characteristic that can be used as a side channel to deduce the nature of the load at any point on the LV powerline link.
The basic problem is that the powerlines do NOT behave as a channel model at low frequencies. Rather they look to the communications controller like a distributed LC load along with an unusual location dependent delay spread. As a result each section of the link effectively has its own channel model, which BTW changes as the local and global load changes.
So if I can dump the channel model as seen by each smart meter, then I can indirectly calculate the nature of the AC load at each house on the network, without ever reading the meter.
With this information I can probably calculate exactly what type of TV, computer, Air Conditioner etc you have.
So WRT your "grow house" the way that PLC link changed characteristics at your house would be instantly identifiable because of the unique comms signature of the high efficiency lamp load.
I'm only mentioning this because in all the smart meter system security analysis that I have seen, nobody has ever discussed this simple side channel problem with the comms link.
The above weakness is especially true for the newer DPSK over OFDM and DSSS style PLC links. The older FM and "Chirp symbol" based systems leaked less information about the load.
"Typically microwave ovens are used for a few minutes at a time, while smart meters (at least the ones we just had installed here in California) only report kWh used each hour"
That's what they "report at the moment"; they actually "measure" on a sub second basis (some on a cycle by cycle basis) to do power factor correction (or whatever the local statutes require in your jurisdiction) for "real consumption" not "apparent consumption".
As @Robert notes above, the meters are going in irrespective of how secure they are or are not.
And guess what, the chances are very high that this smart meter will have the equivalent power of today's mid to high end smart phones... Why?
Well, firstly, the thing about designing embedded microcontroller systems these days is that there is little point in "just sizing on cost" as there was ten or twenty years ago; the very small up front cost saving will be lost in much, much larger "swap out" maintenance costs within a year or two at the most.
The chances are the basic capacity of a smart meter in terms of CPU power, RAM and Flash ROM is going to be complete and utter overkill, simply because the price of a high function CPU chip is likely to actually be less than a low function, just adequate chip. Why?
This is due in the main to demand for the likes of other "smart devices" such as consumer phones, PDAs etc and even "white goods" (ovens, washing machines, etc) with "smart displays".
The chip manufacturers will only want to manufacture a very limited range of chips to reduce inventory costs and will "front load" to ensure that. Thus the microcontroller chip in a smart meter is likely to be the equivalent of a high end PC of just a year or so ago.
So the capacity you have in your smart phone now will migrate across into Smart meters, but also the potential functionality... Why?
Because it's going to be the next great marketing give away and tied in profit center for the utility companies.
These meters are going to be mandatory, not optional; laws are in the legislative process as we talk, and you the consumer are going to pay the 300-900 USD cost of having them put in whether you like it or not. Most of this cost is labour, not the price of the meter, so even tripling the price of the meter will have little or no impact on the cost.
So the smart meter is effectively a freebie for the utility companies, and even the dumber ones are going to realise what a great opportunity this is going to be, so they can sell you "unregulated" addons (unregulated operation is where the utilities can make the big profits).
These addons are going to be initially things such as "active consumption" display and later control as multiple daily tariff markets develop.
At the same time some if not all smart meters will also get "consumer side" device control capability for a standard "domestic over the wire" control protocol or other local range network (ZigBee, UWB, WiFi, Bluetooth etc) or external control bus such as the CAN bus used in the automotive industry.
Because the utility company will effectively own the smart meter like the cable company owns your set top box, they will do the old IBM trick of supplying you with a device with all the bells and whistles built in BUT "locked out". So you have to pay them to get the feature enabled, either as a one off or on monthly subscription...
Thus these smart meters are likely to have a stripped down commercialised OS (or even a Linux like Android etc) simply to save cost, not just now but in the future. Which means the smarter designers will allow for easy upgrades and applications to open up another market.
This is because the initial profit a utility will get in selling somebody a meter that allows them to get ten or fifteen different tariff rates a day will get eaten up by people using it to do just that. Which really is not in their interest.
Thus I will stick my neck out and say:
The utility companies have the potential to develop a whole new unregulated market space for themselves at near zero cost. Thus they would be fools not to avail themselves of it if we allow them to.
If that happens then the chances are you will see exactly the same kind of market develop for smart meters as you currently see for Smart phones where the "iMeter App Store" model will be getting the marketing people salivating.
However unlike the majority of mobile phone operating companies they will not make the mistake of just being the equivalent of "bandwidth sellers", they will follow the likes of the "set top box" "tied in" market.
Thus I fully expect to see "smart meter hacks" to unlock features etc develop as a counter market (just as there has been with games machines and smart phones), but with the utility companies using the full power of the law to maintain their position.
Now the question arises "what price security"?
The one thing the PC market has taught us is security is a significant cost and one that will be avoided by the industry for as long as it can...
But unlike the PC market, where the life expectancy / devaluation to zero of a PC is as little as 18 months, these smart meters are going to have an expected life of 25 years and in reality between 10 and 35 years (that's what is currently seen with domestic non smart meters).
Thus effectively longer than the working life of DES...
Which means we really should be paying real attention to the security of these devices "up front", otherwise legacy issues will make us all "hostages to the unknown future".
And due to the long life the security can not be the usual "prescriptive" of US legislation where specific methods are mandated. It needs to legislate a framework where functionality is by pluggable modules.
Thus if a weakness is discovered in, say, an encryption algorithm (as was seen with DES) or, as more recently, hash functions, it can be easily swapped out.
But it actually needs to be a framework at an even higher level than API's.
The reason being that the security weaknesses we are going to see progressively more of are "side channel" and "protocol".
To a certain extent "side channels" at a low level (timing attacks against AES) can be solved by swapping modules. However those side channels caused by protocol issues (SSL) cannot be fixed if they are hard coded into the API's.
The problem is we currently only have a very vague notion of what would be involved in such frameworks.
A partial example can be seen in the way Europe legislates for radio spectrum and telecommunications which gave rise to the GSM mobile phone system.
And we really need to be talking at this level before we "jump the gun" with smart meter legislation simply because some politico has a "paid for hard on" via industry lobbying dressed up as a "green initiative".
We cannot afford to default to the "Cyber Warhawks" who actually need bad security for their survival, and thus rather than build a secure solution will opt for one where they can continuously be seen to be "rising to the challenge" of "cyber-terrorists" / "cyber-criminals".
Security has to be built in properly from Day-0 not bolted on as an afterthought which gives rise to endless patches but no real solutions.
Since getting one of these meters last year, my utility has bombarded me with weekly flyers, trying to get me to switch to time of day plans.
The meters are about killing the basic rate, so they are prepared to play in a cap and trade market.
Most of them are 128 bit AES (no details on mode, unfortunately) encrypted Zigbee @ 900 MHz or 2.4 GHz. No idea how well they manage their keys, or how hard they would be to extract from a stolen meter. Around here there are so many vacant homes, it shouldn't be too hard to steal a few meters to experiment on, were one so inclined.
Smart meter communication systems
At the moment there are basically 5 different communications channels being deployed / proposed for smart meters. I believe that understanding the physical link layer is important because the data security will always be layered on top of the link security.
1) Narrowband PLC (powerline communications), typically restricted to the 40kHz to 148kHz range (up to 500kHz in the US). Lots of different implementations exist, each one proprietary and claiming some reason for being the best. The closest thing to an agreed standard is probably Prime Alliance OFDM (or maybe G.hn control band). The largest installed bases are for SFM and Chirp based comms.
2) GSM / GPRS direct to meter. This is potentially the simplest and cheapest system to implement, because the infrastructure exists and "secure" data link layers are already defined and implemented. The meter identities are also defined by their SIM cards. This method is not common, because of the high charges the incumbent wireless operators try to impose. Also there is the technical difficulty of communicating with Emeters located below ground and often enclosed in steel boxes. Adding an above ground antenna can significantly increase the costs of deployment and potentially violates a number of laws / conventions for electricity safety, which is typically locally controlled / regulated.
3) Mesh (multihop) ZigBee or Bluetooth systems at 900MHz or 2.4GHz bands. A popular idea in the US, but not much interest outside of the US. Also difficult to deploy partially populated systems because of low Tx power. The meters are often below ground (RF deployment problems similar to GSM). The system is very cheap to operate because telco backhaul is restricted to the mesh edge. It is also a simple / cheap method to seamlessly integrate smart appliances. System security is a mess because of the strong possibility of man in the middle and relay / replay attacks. The mesh RF link is very difficult to secure, so all meter security is from data encryption and end point mutual authentication.
4) RS485 links grouping meters, basically used for multifamily dwellings, with phone modem style backhaul. Old system with no new deployment.
5) Broadband PLC (3MHz to 30MHz) OFDM. This system is VERY unpopular with HF amateur radio people and is banned in many countries. Several systems are being proposed that will deliver narrowband data rates over a broadband comms channel by using multihop message forwarding protocols, with the system operated at very low transmit power to appease the HF community. The PLC up/down data link is typically GPRS at the MV=>LV transformer.
One final thought: the electricity company "recommendation boards" are usually technically illiterate. So don't expect them to understand (or even care about) crypto key sharing protocols. Also the complete systems are usually sold by electricity infrastructure companies (like Siemens, GE, ABB, Schneider Electric, ....). As such, security protocols are typically proprietary and patented. The very high likelihood of patent infringement is a very good reason for neither disclosing (nor changing) security protocols. The whole smart meter / smart grid area is rife with submarine patents and patent thickets.
Forget the attacks:
A few seconds after the, "Oops!"
I encourage everyone to begin massive indoor growing of legal plants, vegetables and fruits. Why fight the insects, birds, gophers, and more random attacks from nature when you can grow inside and harvest fresh, delicious fruit and vegetables year round?
Stop purchasing green harvested and store ripened fruit and vegetables from your local supermarket, it has nowhere the taste, quality, or health giving benefits of home grown fruit and vegetables.
This smartMEATer technology is another step towards the chipping of every individual. It should be renamed DUMB meter by the people, just as with all so called smart devices.
One intrusion followed by another into and outside our homes, and the people take it because what choice do they have? How many options do you have locally for purchasing electricity, water, sewage treatment?
The programmed masses swallowing the darkness in movies and shows which are nothing less than moving sidewalks for the mind to drive you through conditioning into the dark way of living, will lead you to the mandatory head or hand chip, introduced voluntarily at first, perhaps (see? they took it of their own free will!) but eventually, mandatory.
Can you really swallow all of these intrusions into your life and still live in the world but not of the world?
Don't take the mark.
I'm not sure how a smart meter constitutes an intrusion into your home. Even a traditional meter that someone has to come by and read will still show how much power you consume. The power company is still going to know how much power you use every month. After all, they have to bill you somehow.
"i'm not sure how a smart meter constitutes an intrusion into your home... ...the power company is still going to know how much power you use every month."
It's a question of granularity or time between data points.
As I said above, a smart meter is reading your power consumption to very small fractions of a second (they have to, to work out "real power" as opposed to "apparent power" in many jurisdictions).
Such fine granularity enables power signatures to be read, so in practice it could, with the appropriate software installed, know not just what types of appliances you have but the manufacturer, model number and even production batch, and it can also tell in some cases (electromechanical heating etc) if the appliance is showing wear or is failing.
This sort of information is worth a fortune in and of itself to marketers etc.
But it's not just the appliances they can form signatures of, it's their usage as well. Thus they are also signatures of activity in the dwelling by its occupants.
Thus the smart meter could tell when I turn my electric kettle on and by the duration make an approximation of how much water I'm boiling up.
They might not know if I drink tea or coffee, but they know when and for how long.
This is the same as not knowing a message's content but knowing where and when and for how long, which forms the basis of traffic flow analysis.
And as is now becoming abundantly clear to researchers, for surveillance traffic flow is way, way more useful than knowing the content of individual messages.
Part of "traffic flow analysis" is "deviation from norms"; this enables changes in the signature over time to predict many things, only a very few of which we currently know (this will become a hot research field when smart meters become more prevalent).
Now this involves a lot of data and a lot of data crunching. But... each smart meter, for a very moderate price (that you, not the utility company, have to pay), stops being "a dumb" power meter and becomes a high end datalogger with the capability of a high end smart phone or low end laptop/PC. Which means the smart meter can do all the data storage and data crunching and just report what it is told to and when...
The potential for abuse is way beyond that which most of us realise, and even most academics, as research in this sort of analysis is only just starting to be investigated in academia. However the likes of Google and many other commercial organisations with huge data repositories they are already mining are way, way ahead on the curve of this.
Probably more so than the NSA in some respects; after all the NSA has made supposedly anonymized data available to many such companies to mine in their own way, with the NSA and other Go's buying back results and technology that is developed from it (think back to the company that mined traffic data for cell phones and could easily identify various group types).
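As an added illustration of the granularity point made in this comment and in the earlier remark that the California meters only report kWh per hour (example code, not from the post or any commenter): a constructed one-hour load trace with two kettle boils is aggregated at several reporting intervals, and a simple step detector shows which intervals still expose the individual events while the billing total stays identical. The watt ratings, event timings and the 1000 W step threshold are assumptions.

```python
"""Reporting granularity as a privacy control for smart meter data.

Constructed demonstration (added example, not code from the blog post or
its commenters). The load trace, appliance ratings and threshold below are
assumptions, not measurements from any real meter.
"""

BASELINE_W = 150.0   # assumed always-on load (fridge, standby), watts
KETTLE_W = 2000.0    # assumed kettle rating, watts
WS_PER_KWH = 3_600_000.0  # watt-seconds in one kilowatt-hour


def constructed_trace(seconds=3600, baseline=BASELINE_W):
    """One-sample-per-second power trace for one hour (constructed).

    Two kettle events are added: a 120 s boil starting at t=600 and a
    60 s boil starting at t=2400, on top of the constant baseline.
    """
    trace = [baseline] * seconds
    for start, duration in ((600, 120), (2400, 60)):
        for t in range(start, start + duration):
            trace[t] += KETTLE_W
    return trace


def aggregate(trace, interval_s):
    """Sum 1 s samples into kWh per reporting interval.

    This is all a billing-only report needs; the finer the interval,
    the more of the original waveform survives in the report.
    """
    return [sum(trace[i:i + interval_s]) / WS_PER_KWH
            for i in range(0, len(trace), interval_s)]


def detect_events(samples, interval_s, step_w=1000.0):
    """Find runs of reported intervals whose average power sits at least
    step_w above the lowest reported interval (taken as the baseline).

    Returns (start_second, duration_seconds) pairs. An appliance event is
    only resolvable when it raises the *average* of an interval by step_w,
    so events shorter than the interval blur away as the interval grows.
    """
    avg_w = [kwh * WS_PER_KWH / interval_s for kwh in samples]
    base = min(avg_w)
    events = []
    i = 0
    while i < len(avg_w):
        if avg_w[i] - base >= step_w:
            j = i
            while j < len(avg_w) and avg_w[j] - base >= step_w:
                j += 1
            events.append((i * interval_s, (j - i) * interval_s))
            i = j
        else:
            i += 1
    return events


def events_at_interval(trace, interval_s):
    """Aggregate the trace at interval_s and report what is still visible."""
    return detect_events(aggregate(trace, interval_s), interval_s)


if __name__ == "__main__":
    trace = constructed_trace()
    for interval in (1, 60, 900, 3600):
        reported = aggregate(trace, interval)
        print(f"interval {interval:5d} s: total {sum(reported):.3f} kWh, "
              f"visible events {events_at_interval(trace, interval)}")
```

The hourly total is the same at every interval, so the billing function is unaffected; only the 1 s and 60 s reports still reveal when the kettle was on and for how long.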
Maybe one should put this a bit into perspective - the old mechanical meters were not exactly fortresses as well - hacks have always been possible and were used frequently.
More or less central "off" switches also exist today without the use of "smart meters"
Especially Britain should already be used to pre-paid smart meters, since they have these things where you actually need to put in some coins in order to switch on the power...
"Such fine granularity enables power signatures to be read, so in practice it could with the appropriate software instaled know not just what types of applianes you have but the manufacturer, model number and even production batch and it can also tell in some cases (electromechanical heating etc) if the appliance is showing wear or is failing."
Would these new Smart Electricity Meters also allow for the possibility of capturing individual keyboard keypresses? I've read of keypress snooping via the power grid; if what you're saying is true, could real time individual keypresses be monitored? Could several keyboards in the house be monitored at once?
I think some of you guys need to increase the dosage of the meds a little, because Keyboard snooping from the powergrid sounds practically impossible to me.
It is probably possible to guess the length of a password based on the peaks in the startup current, so I can detect the computer being turned on and I can detect when the user logs on, so I know the time difference. However I find it difficult to believe that the individual key strikes can be observed from the meter, in any normal household or business environment.
Anyone that has ever worked on powerline communications will tell you that it is a VERY noisy comms channel, especially below 10kHz, so trying to do fancy timed measurements would require complex noise cancellation methods that are way beyond what is incorporated in a typical power meter.
A typical power meter chip contains a 2nd order sigma delta ADC connected to a current transformer. The ADC oversample rate is typically about 100kHz but output data is decimated to under 1000Hz. Usually the only high frequency information that is extracted relates to the AC line harmonic distortion, generally measured up to the 10th harmonic (500Hz or 600Hz). This is extracted because there is real power associated with the load induced harmonic distortion of the AC source.
A bit of paranoia there.
Follow the money.
The utilities love this because most utilities around the world work on a split model: Generation, HV transmission, LV transmission and billing - all done by separate companies. The billing = your retailer. The retailer buys power at a VARIABLE price (as demand goes up and power becomes short, price goes up), and they usually sell at a fixed price.
The idea of the smart meter is to have different tariffs depending on either time of day or demand. This pushes the VARIABLE cost away from the retailer and onto the consumer.
The excuse being used is Green green green - tell the consumer what their power costs and they will use less. Which is BS. They'll watch that power consumption display for the first 3 months; after that it will be another thing to look at once in a blue moon if they remember. Everyone knows this but it's only about money. Remember that.
"...militant environmental group..."
ROFL! The authors are amusingly, rhetorically idiots if they think that there are "militant environmental group(s)" in operation anywhere that has even the *motivation* to hack-up the point-of-meter electric infrastructure.
Even the non-existent Earth Liberation Front constitutes less than a worry when it comes to *actual* "terrorism" -- and you can disregard what the terrorist/fascist FBI claims about the ELF/ALF since they're always attempting to justify their outrageous budgets and their human rights and civil rights assaults against American citizens by virtually proclaiming *every* progressive effort "terrorism."
I'm sorry, but that idiot suggestion "militant environmental group" detracts greatly from the urge to review their papers. If the authors think electric power systems are ever going to be threatened by environmentalists, that says something about the stupidity of the authors to the point where their credibility discounts ever reading their papers.
I think, most of us can stop the security hysteria and invest into LAAARGE plumbum accumulator buffers, that will make us invulnerable to viruses in the grid and power consumption signature analysis.
Just buy it large enough.
And make it smart enough to recharge at the lowest tariff.
@ David Brazier,
"... about electricity meter fraud & the social engineering involved."
The sad thing is the people who have (in most cases) had these meters forced onto them are paying considerably more than other domestic customers per kWh.
I find myself asking the question who is defrauding these people more, the crooks or the companies?
Especially as the companies have known about these flaws in their system since before they started installing the systems in the first place.
The simple fact is it's the old game of go for the cheap solution to maximize profit and not worry about the flaws as long as you can offset it by some other method.
The problem for the consumer in the UK is the utility company have a legal right of entry into any dwelling to change the meter when they wish for safety or other operational reasons and they can change it to anything they like.
When my very old meter was changed they tried "socially engineering" / conning me into a meter type I did not want.
There then ensued a very interesting negotiation where I pointed out that if they installed it I would be within my rights to disconnect it and remove it from the property immediately.
After a little further negotiation, lo and behold, they found the meter type I wanted on their van...
OK, but if someone did hit us with 3 of those emvs, don't you think the generation plants might be a little affected? Give me 15 min, a hacksaw blade, a roll of duct tape and an old lawn mower blade and I can bypass the meter head; won't do much good if there's nothing on the other side.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.