A UK government minister has reassured Parliament that upcoming deployments of smart meters will be secure. The assurances by junior energy minister Charles Hendry follow admissions by a senior civil servant at a House of Commons Public Accounts committee on Monday that the government's £12bn plan to roll out smart energy meters …
Well that's all right then....
"Security requirements are being developed to minimise: (i) the likelihood of such an event taking place, and (ii) the impact should it occur. The development of these requirements has involved extensive consultation with other government departments and relevant agencies, as well as with industry."
So, we're talking to ourselves and everybody knows the stellar record the government has with IT.
We're talking to the industry who has no vested interest in this at all and can be relied on to deny any and all problems.
We're talking to "relevant agencies" who we won't tell you who they are but will be making money from this.
So that's all right then......
What they need to do is talk to people like geohot and other selected white/greyhats or give these systems to the universities and say - "Right we are 100% confident these are secure and will give you £100K for every flaw you find. You have the right to publish if we don't fix the problem."
Either it will be a very expensive exercise which will lead to a much more secure system or a very cheap exercise which will validate a reasonably secure system. Whatever, I would trust what these sort of people say about the security rather than "government agencies" or "industry".
Nothing can possibly go wrong, says gov
.....47 million smart meters for 26 million homes.
So they've ordered 21 million too many??
No, they've just factored in the number that will need to be replaced after doing their risk assessment!
So they want the consumers to pay for something that is 1) To help the power companies' bottom line 2) Has an alarming potential for intrusive monitoring.
£6/household/year sounds like bollocks to me, as well.
Everything can be hacked in some way or another. It will happen.
£12bn = £192 per person
What a wonderful project.
How about we just order 65 million of these at £45 each:
Or we could go nuts and get one of these each. I'm sure they could manage a discount:
Actually it's more than that since 65M is the population, not the number of households so go ahead and multiply that figure by two.
Why are _we_ paying for this?
Why on earth should this be paid for by government? The government has no money of its own and can only raise money by extracting it from the public.
This smart meter rollout is a scheme that benefits the utility companies: it allows them to bill us more precisely and grants them a greater degree of control over our consumption. It is, however, an expensive thing to roll out and comes with all the risks attached to complex IT systems.
I can understand why the utility companies would want to externalise the costs and risks of this scheme. I can understand why jobbing government ministers might want to cosy up to the utility companies. What I can't understand is how or why this is beneficial to the people who are being made to pay for it and who will later be made to pay for the costs when it all goes tits up.
It would not matter whether the tax payer or the utility companies paid for this. If the utility companies paid for this, they would pass the cost on to the consumer and would, no doubt, factor in a healthy profit margin. Either way it's us, the great unwashed, who end up paying.
Government minister notes "Nothing can go wrong."
Bearing in mind that statement, what could possibly go wrong?
There is, of course, something of a security risk in allowing someone into your house to read your meter too.
Not saying this is more or less risky than doing it through tech, but we do seem to hold tech to a much higher security standard than any other part of our lives.
"Last year Ross Anderson, professor in alarmism, sticking it to The Man, and self publicity at the University of Cambridge Computer Laboratory..."
There, fixed it for you.
Ross Anderson is generally acknowledged to be one of the world's leading experts on computer security.
Who are you? Someone too cowardly even to use their own name.
Ross Anderson may be (actually, is) an expert on computer security, but Kevin Warwick is an expert on Cybernetics, it doesn't stop people here pointing out that he has a habit of significantly overstating his achievements.
1) Chip and Pin is hacked: Ross represented a simple man-in-the-middle attack on chip and pin, as a fundamental failure in the entire system. The attack required someone with a credit card that had a ribbon cable attached to it being used in a legitimate store (without the cable being noticed) while a "fake" transaction took place with a fake terminal transmitting a victim's details to the fake card. Upon closer inspection his outlandish claims that it could work over long distances turned out to be theoretically possible, but basically rubbish. (It requires two transactions to be engineered to happen at exactly the same time, give or take a timeout value.) The banks reduced the timeouts and nothing else was heard of it, not a single attack in the wild has ever been hinted at.
2) Ross is currently warning about the secure boot function in UEFI, saying that it will prevent any free OSes being installed on UEFI computers and blaming MS directly. This is complete rubbish and a little common sense would help. His blog article even states that his opinions are based on something that he has heard from someone who knows someone.
I'm not saying he hasn't done good work, just in the last few years he has got very shouty about various pieces of research and overstated them, these tend to be anti-big business and government and tend to be systems that if they were compromised would be a significant problem. Smart meters are a case in point, he has been warning about them in such a way to imply that the people designing the system aren't bothering to think about it at all and that everyone's power will go off because of "hackers".
As for commenting anon, yes I do. I regularly comment on the reg and have done so since you had to email individual authors. About a year or two ago, I forget, I got fed up with personal abuse and generally unpleasant comments directed towards me from some of the more bullying commentators. Including one that said the author of the comment thought they knew who I was and that they thought they'd try out the security measures where I worked. So, yes, I don't post with my name any more.
"The banks reduced the timeouts and nothing else was heard of it, not a single attack in the wild has ever been hinted at".
But then you wouldn't have heard anything, would you, if lots of credit cards were hacked and lots of money stolen. The banks would either blame the customer or (failing that) bribe them and/or threaten them to keep their mouths shut. Researchers and script kiddies publicize vulnerabilities; serious criminals, spies, and manufacturers keep quiet about them. Come to think of it, a really smart bunch of criminals might even choose to blackmail the banks by threatening to reveal such a weakness - safer and much easier than toiling around the shops hacking cards.
"Ross is currently warning about the secure boot function in UEFI, saying that it will prevent any free OSes being installed on UEFI computers and blaming MS directly. This is complete rubbish and a little common sense would help".
I'm not quite sure why this is "utter rubbish". Isn't the whole idea to prevent "unauthorized" software from running on a computer? And who will decide what software is authorized? If it's rubbish, why did the FSF see fit to ask: "We, the undersigned, urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems."
The problems with this are just too legion to go into.
The basic aspect that there is some form of key management that needs to be handled on a countrywide scale has never properly been considered, and the DECC are not up to this task. If any of the command and control keys are compromised then the whole system can be forced into shutdown mode with no hope of recovery.
A radical climate change group decide that the UK needs to adhere to Kyoto, and gets hold of the (or a) control key. If they issue the command to shutdown the supply, and then change the key to something random, we might be faced with a couple of million bricked-meters, which will require someone to manually reboot or reprogram them with a home visit.
Anyone want to bet that this can't happen? What about a well motivated government? One who has the time and capability to crack the key management or break the public key encryption. Scary.
Or worse, UK Plc decide to buy meter technology from a foreign vendor. What's to stop that country enforcing a back-door key into the meter? How would you know until the country decides to hit its master off switch. You know, just like Russia did with Ukrainian gas supplies a few years back.
I wouldn't trust any UK Government department, of whatever political colour, to get this right at all, let alone first time. And we have not even begun to discuss the implications of a company / government having the capability of shutting off power or gas to individual households.
Shudder - too scary - and this when we already know the country is under cyberattack. Great, we foiled shutting down the FCO, so that must mean we are secure. Here is a bigger threat.
I would say "Will the last one out turn the lights off", but someone might see that as a challenge!
It takes a few minutes to dissolve the grid if you hack the metering
Every meter contains a switch. Program them to turn on/off in a region a couple of times. It does not even take _ALL_ households to be metered. 40-50% will be enough.
The sudden spikes/drops in demand will be sufficient for the grid safety to cut-in and cut the "limb" off. Do it a few times and you get the situation from USA blackouts because the sudden demand changes will cause major portions of the grid safeties to cut in. In theory it is designed as a negative feedback loop so it should self-level. In practice, adding remote control of the load via SM + hacking can trivially make it into a positive feedback loop which will make it fall apart completely.
The problem with UK SM is that the entire SM effort is driven by retail utilities which neither understand this particular grid specific nor care about it. They are much more interested in "cutting off the customer" right where he/she has failed to pay so "remote controlled switch" is one of their first and foremost requirements.
It should be national infrastructure and the government instead of "listening" to the retail utilities should tell them: "This is it, and this is how you use it. Case closed"
Maybe ye'll find the government's interest in the control aspect is somewhat more sinister. They have made vague mention of making electricity consumption more environmentally friendly, but what they haven't mentioned is how they intend to do that. The only way I can see for them to do that is to cut off domestic power supplies, while of course leaving business supplies unaffected.
"assurances by junior energy minister Charles Hendry"
"a dedicated team of security experts"
"Security requirements are being developed to minimise ... the likelihood of such an event taking place"
I don't want assurances, I want names, people's names. I want to maximise the likelihood that those individuals will end up a long time sitting on small wet and cold rocks offshore should anything go 'minimally' wrong. Such responsibility concentrates the mind, yes minister?
Are there any benefits to the consumer on this one?
Ha Ha Ha Ha Ha
I love the concept that the poor bloody consumer has anything to do with this except to pay up front and suffer when it goes wrong.
So will the consumer be able to block updates coming through or will the supplier be able to make all manner of 'adjustments' to how quickly the meter ticks over?
Yeah, I already guessed that but it would be nice to nail an answer to the wall...
Can anybody explain why a scheme that only really benefits the greedy energy firms has any involvement with the public purse?
In the same way that the railways' track and signals are (let's face it) run by the state - it's to make sure that the national infrastructure works. If all the companies chose a different standard for their meters there would be no chance to switch.
Smart meters would also make switching much more easy.
UK govt, rigorous risk assessment
Ergo, we're all doomed....
Just like nothing has ever gone wrong with any technology security done by the government. Oh wait..
"Utilities want to deploy smart meters because the technology will simplify the process of ........ controlling supply at times of high demand"
Smart meters will allow them to cut us off one by one as we find the cost of energy too much due to the increasing price due to the addition of taxes to pay for smart meters, funding renewable energy companies, paying off the government debt, paying MP expenses and occasionally even the increase in the raw material.
I am not having one!
Can they actually force you to have one of these meters? What if you just refuse to have it installed?
Apparently, they can. They can remove the supply of non-smart meters and take advantage of the law that requires that all electricity meters over a certain age be replaced.
And yes, I had to have this done (although the meter they installed is not smart), and when I checked with the Citizen's Advice Bureau, I was told I had to have it done.
This is technology, mate.
Unless you can see the future or you speak in asm, your risk assessment is meaningless. The security landscape changes dramatically daily.
I don't WANT my supply 'controlled' during peak times. I pay enough for it so feck off!
"a comprehensive risk assessment programme would accompany the deployment of the technology"
psmsl. A 'consultant' will be hired to say that these ivory tower academics haven't got a clue and that the hack only works in the lab. A few billion quid later the MPs, civil servants et al move on to claim their seats on the board.
"a comprehensive risk assessment programme would accompany the deployment "
One might better ask why the risk assessment does not *precede* the deployment, with the possibility of radically altering deployment timescales and options in the inevitable case that the whole system will be riddled with holes and implemented ineptly from end to end.
There goes the shipping forecast... and your power supply
Pundits wondering why they can't just keep their existing electricity meter, might want to ask BBC Radio 4. Many electricity meters use a longwave radio data service, carried alongside BBC Radio 4, to synchronise Economy 7 times, clocks forward/backward for summer time etc.
Which is all fine until the BBC's Radio 4 longwave transmitter blows a valve.
Because there are no more valves.
And nobody makes them anymore.
And the BBC have said that once one of the two remaining valves blow, Radio 4 Longwave becomes Radio 4 DAB. Which the electricity meters don't listen to.
But nobody has stopped to ask "what happens to the data service, and the electricity meters which rely on it?"
So, whilst we can argue all we like about exactly what the new meters should do, how smart they should be, and who should pay for them, what you can't argue about is that pretty soon we are definitely going to need new meters.
Interesting and valid points but they presuppose that there is no little man available to read the meter? Or have I missed something?
I've heard this one before...
Surely, an alternative solution would be to give the Beeb a few million quid to design and install a set of shiny new longwave transmitters to replace the existing valve based kit.
Then the choice comes down to:
(a) Spending a relatively small amount of money on maintaining an existing, perfectly adequate system or...
(b) Ripping it all up and starting from scratch at a huge additional cost to the taxpayer.
You don't need to be Lord Truscott to know which one the government's 'industry consultants' will be recommending.
You cannot economically replace the power amplifier of a 500KW transmitter using transistors. It just isn't economically feasible or technically very clever.
This story about the transmitting valves not being available is balderdash. High power transmitting valves are still manufactured and are also made in large numbers in Russia and China (like a lot of valves generally).
They are also used in almost all TV transmitters above 20KW and are in fact abundant.
Many European long wave transmitters use transmitting valves and have much higher ERP than the BBC at Droitwich.
The story about the valves is just an excuse to shut down LW -- as they have been trying to for decades -- and hope this daft cover story lets them finally off the hook.
So, for want of two valves... everyone in the UK must have a new electricity meter that exposes them to new and entirely avoidable risks?
Yes, that sounds like a government strategy to me.
A fair point well made...
It's instructive that Luxembourg were able to upgrade their 2000kW transmitter as recently as 1994 - using what sounds like a fairly standard piece of Thomson-CSF kit - while at the same time the BBC insists that building long wave transmitters is a lost art and there is no way the UK can ever afford to build a new one! I noticed that there is a petition about this on the e-Gov website. Only 10 signatories so far, though...
"...told Parliament on Wednesday that a comprehensive risk assessment programme would accompany the deployment of the technology"
Accompany? Wouldn't "precede" be the correct way of doing it?
I think I'll have to try hacking the thing myself to do the modern equivalent of bypassing the meter.
This is such a bad idea.
I already have a meter for my electricity supply. It is simple - like me. It works 24/7/52. It is very tamper evident and so fairly secure.
Please can someone explain why the government, which has no mandate for this, is spending large amounts of MY/our/your hard-earned taxes on subsidising something that, if necessary by the power companies, I should be paying for through my electricity bill?
I'm really angry. I suspect there is not one electable political party out there that has either the vision or the bollocks to tell the civil servants and power suppliers to come up with their own adequately secure solution if they really want one and then offer it to customers but make it optional for them to take it on.
why the government...
Because to technically illiterate eco tossers which most politicians are the idea of forcing us to install personal real-time energy guilt meters at our own expense is irresistible.
Wikipedia's article may amuse you
The article amused me but because I then read underneath to the part about Spain, where I am currently working.
In my block of flats, no one has access to their electricity meters. If they are smart meters, no one knows, or has a display to tell them how much electricity they are using. You know you are using a "lot" when the main incoming trip in your flat cuts off the power at 15A; you learn to synchronise use of the washing machine, microwave, vacuum cleaner, etc. A UPS is essential.
Strangely it's the same in Japan, where the limits per dwelling can be even lower, but the electricity meters seem to be exclusively eddy-current type with spinning aluminium disks proudly on display giving direct feedback of how much you are using :)
This BBC Valves.
I'm not an electronic engineer, but I can't believe that there is valve equipment that can't be replaced by solid state. Where there's a will there's a way....
I'm a reasonably competent
electronic hobbyist and I can't believe they can't produce a new valve......
We can fit millions of transistors onto a postage stamp but can't make a valve???
Tosh...Utter tosh at that..
That's because you are NOT an electronic engineer
There are indeed some jobs that thermionic devices do with ease that are prohibitively expensive and unreliable with solid state devices. Try looking up Ignitrons for a start.
Valves are alive and well
Provided you know where to look.
If you have a microwave in the kitchen, you will be using a high power valve transmitter to heat up your pizza. Google: Magnetron.
For other uses such as high end audio equipment, guitar amps, and the inevitable amateur radio uses, replacements for all the common old valves are available from either China or Russia.
Love the line...
... about those who miss a payment can be moved onto a higher tariff, I'm sure that will help most folks out of debt by increasing the tariff as a penalty.
Makes me want to start looking into the price of diesel generators and bio fuel, must be cheaper than solar panels?