Security in smart meters: an interview with SmartReach's David Green
David Green tells Sooraj Shah that as a bidder for the national rollout of smart meters, it was imperative to think of security first
The government's vision to have every home in the UK equipped with smart energy meters is getting closer. Next year comes the mass rollout stage but in the meantime, three remaining bidders are battling it out for the right to provide the smart meters: SmartReach, Telefonica and Cable & Wireless.
But IT industry insiders are concerned by the potential security risks smart meters present. Unscrupulous consumers could commit fraud by manipulating the data captured by the meter, or a hacker could compromise a smart meter to find out about a homeowner's peaks of use to learn when they are likely to be out. More worryingly, smart meters are connected to smart grids, meaning that if someone is able to attack the system, they could impact the load balancing for energy supply on the whole grid, which may bring down part or all of the system.
However, David Green, business development director of SmartReach, a consortium of companies including BAE Detica, BT, Sensus and Arqiva, believes the system is secure, and there is no chance that they can be hacked.
In an interview with Computing, he explains why.
Computing: What are the steps you have taken to ensure that smart meters are secure?
David Green: Step one was completely revamping our network to make sure everything that should be secure, is secure. We formed a consortium, which involved Detica (now BAE Detica) which is a world-renowned cyber security expert company. Detica did a lot of cyber security work for government, large financial institutions and large corporate firms, where security is essential for the business. As we were building a new network, we were able to design security in from the outset, so we weren't trying to secure an old network and see how we're going to lock it down.
On top of that, we are working closely with CESG [Communications Electronics Security Group], to make sure that the end-to-end security model is as robust as it needs to be; what that means to a communications service provider is that we will be carrying encrypted data, between the energy companies and the metering systems, but on top of that we layer our own security and encryption.
Our solution is a radio-based network, based on a technology supplied by a company called Sensus. Sensus has deployed more than 12 million smart metering and smart grid devices, mainly in North America, and there have been no hacks on the system to date. What we have done is layer on security at various points of our network. So we have an AES256 encryption on the air interface, and we have a very secure operation sensor, which is also supported by a security operations centre. What that centre does is monitor the network 24-7, looking for potential intrusions and unusual activity on the network. Detica has some very sophisticated tools that can identify those potential intrusions before they actually happen.
Computing: In terms of testing the network, is this something you've had to contend with before?
David Green: Penetration testing of devices has to be undertaken and as a company we've supplied and secured the mobile phone service to the Metropolitan Police. Officers' PDAs and mobile devices that connect into their back office systems require the highest level of security, so in that sense we are familiar with making sure everything is secure.
Computing: GCHQ has said that the rollout of smart meters is a 'strategic vulnerability'. What is your response to that?
David Green: People are aware of the potential [of security threats] and have been from the outset of the programme. There has been a huge amount of work gone into the security model by the Department of Energy and Climate Change themselves and they are working very closely with GCHQ on that. While there are risks, the benefits of the internet network far outweigh the risks. For example, [as energy minister Charles Hendry said], implementing smart meters will deliver £7bn in benefits and those savings will come from consumers being better informed on how they deal with energy consumption.
Computing: Privacy campaigners have been quite active in trying to block the smart meter plans, because they think each meter will be used as 'spy in every home'. What kind of data will actually be picked up and used by the companies and what data will be passed on to government agencies?
David Green: I don't see huge amounts of data being passed on to government agencies; we're talking about energy bills here. Only authorised users of the data will be allowed to access that data, and that is the energy companies that the consumer has selected to supply them. The data is owned by the consumer and nobody can access it without the consumer's express permission.
Detica has been very clear, and is writing into the smart energy code that the more granular that data is, the more proactive the consumer has to be in giving permission, so if they want to give the energy company more detail, that is their choice as a consumer. Ultimately, the government has also said nobody will be forced into having a smart meter.
The smart metering contract is being awarded in three regional areas. The three remaining bidders will find out which of them is successful in June.