Anyone having a gas/leccy meter replaced with a Smart Meter? Something you need to know

[Tianc]

As requested, a thread about Smart Meters.

The power companies are intending to replace all electricity and gas meters with Smart Meters starting this year (govt prospectus). They're loudly selling this idea as energy-saving, because Smart Meters have big screens to show your energy consumption.

But Smart Meters do an awful lot more than that. Including things the companies are keeping rather quieter about.

Smart Meters will be reprogrammable remotely. If a power company thinks you owe it money - or makes a typo - it will flick your meter over to Prepayment mode and load it with whatever it thinks your debt is (see p16).

Currently they cannot do this without physically installing a prepayment meter, for which they need a court warrant to access your premises. So they have to demonstrate to a neutral body like a court that they are not talking complete bollocks. And they very often talk bollocks because power company records are notoriously shite (phantom meters, zillion pound bills, and a Mumsnet Classic).

Plus going to court, installing meters, etc, costs money, and meanwhile the company's not getting paid, because the consumer can simply decline to pay an obviously bonkers bill. So the current set-up focuses their little minds somewhat on sorting the problem out.

With Smart Meters, tick a box on your account and lo! your meter is a prepayment one loaded with the debt of £944994594984 they've decided you owe.

There are also other v serious problems with reprogrammable Smart Meters, including that they're potentially hackable and brickable. The cybersecurity people like Prof Ross Anderson are doing their nuts about it. Meanwhile Ofgem, which is supposed to represent the consumers' interests, has in fact been tasked with pushing through the change.

TBF, some of the Smart Meter functions actually are trying to tackle genuine problems, but in such a way the remedy may be far worse than the disease. Other functions are purely for the benefit of the power companies.

I'll shortly do a list of papers from the consultation process and other useful reading, and also try to précis and reference the major issues.

I've mailed this to a friend whose DH teaches in the construction industry - he had heard some rumours that these smart meters weren;t all that customer friendly, so this info will permeate the wider world.

Don't lose heart, Tianc, this is really important!

Your commentary is being web-ified :)

Smarty Meter has a profile!

4) The Smart Grid is intended be an end-to-end control system, where power to individual devices and sockets in your smart house can be remotely controlled from the other end of the network by you, the power companies or third parties. (ref 1)

The Smart Grid will look approximately like this (more sophisticated diagram at ref 2):

Home Area Network
(HAN: control system in your house connected to individual "smart" appliances and sockets which can be remotely switched on/off, through apps from power companies and independent app suppliers)
||
Smart Meter (gas meter + electricity meter + control and communications module)
||
Wide Area Network (WAN: communications to/from DCC)
||
DataCommsCo (DCC: centrally managing your meter data)
||
power companies, independent suppliers of apps and services

The idea of the "smart house" or HAN was described in the Guardian recently,(ref 3) extolling the virtues of remotely switching off the socket for your hair straighteners or turning down your spouse's heating while you're out (I shit you not, the Guardian called this "a boon".) Initially this would be controlled by the consumer via a website or mobile phone commands, but eventually it would also be connected to the Smart Meter,(ref 3) which would open control to the power company, suppliers of independent apps, and anyone who could gain access at any point along the Smart Grid.

This has serious problems on many levels.

Let's assume the system remains secure.

a) The aim of this system is not to give the consumer choice and control ? because you already have choice and control. It's to give the power company control to carry out "load management" within your home through "appliance switching events". To translate, during peak times they will switch off appliances like your fridge, freezer, water heater, and washing machine.(ref 4)(ref 5)(ref 6)(ref 7)

This switch-off will be done by software within a smart appliance or socket, or by an app talking to the HAN. The power company will encourage you to install such apps by offering a Time-of-Use tariff, where the price you pay for electricity will vary at half-hourly intervals (like Economy 7 on acid).(ref 4)(ref 8) When the price rises above a certain amount, the HAN will switch off the appliance.

Initially these TOU tariffs + switch-off apps may be promoted as being a discount on normal electricity prices. However it?s not hard to envisage that once the system has been fully rolled-out, the boot will change foot: TOU will become the norm and anyone not having switch-off apps may be charged a premium for the sort of uninterrupted supply we currently take for granted. Much as the train companies charge eye-watering prices for tickets outside regulated fares.(ref 9)

So money has been decided on as the mechanism for rationing, once power supply can't meet demand, over other methods of rationing such as rotating power-restrictions round a series of substations. Maybe this is what we as a nation want: it's certainly a thing we should discuss democratically.

b) There is plenty of talk of switching appliances off ? but I've seen very little about switching them back on again. What will happen to the food in the freezer if the price peak lasts for hours? The washing trapped in the washing machine? How energy-efficient is it to be reheating washing water? Or tumbling clothes that missed the good drying weather?

Think it can't get worse?

c) You know how, when there's an upgrade or patch from Microsoft or Apple, your machine or your apps fall over? Now that can be your home's power supply. The power company will remotely upgrade and patch your programmable Smart Meter, and you'll come home to find the app from your independent supplier has crashed and switched the freezer off.(ref 10) Or switched the hair straighteners on.

But in fact the system won?t remain secure.

a) There are multiple points of entry to the Smart Grid, eg directly via the Smart Meter, via apps, via the web interface, via the wireless HAN.

b) Most of the technology being used for Smart Grids has well-known vulnerabilities.(ref 11) Eg the US is installing about 52 million Smart Meters of a type "riddled with security bugs that could bring down the power grid".(ref 12) It is possible to build much more secure systems, but that costs money. And even supposedly secure systems are not safe against a dedicated attack, as weapons manufacturer Lockheed Martin discovered in March 2011.(ref 13)

c) The Smart Grid will be highly connected and communication is two-way, so once malware gets in it can rapidly infect thousands of individual Smart Meters as well as attack the power companies' control systems.(ref 11) Once in, malware can do more that just crash a computer system: Stuxnet halted the Iranian nuclear programme by taking control of centrifuges and running them so they broke.(ref 14)

Ross Anderson's analysis of the situation is thus:
"Electricity and gas supplies might be disrupted on a massive scale by failures of smart meters, whether as a result of cyber-attack or simply from software errors. The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability. An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same."(ref 15)

Summary
A Smart Grid is a control system allowing appliances in your house to be remotely controlled by you, the power companies and anyone who can gain access to the Smart Grid. The power companies plan to use this to switch off your appliances at peak times, because this is cheaper and on, the face of it, more energy efficient that providing adequate peak supply.

Smart Grids are a massive new vulnerability in critical infrastructure. They are profoundly vulnerable to hacking at all levels, from script kiddies to hostile states. They are also vulnerable to software error and failure of multiple apps to interoperate smoothly. The consequences of a software failure or attack or could be anything from your house burning down to sudden, catastrophic failure of critical national infrastructure.

References
(ref 1) "The Fourth Carbon Budget - Reducing emissions through the 2020s", UK Committee on Climate Change, Chap 6 p273 Box.6.11
(ref 2) "New bill would accelerate UK smart meter rollout", Smart Grid Watch published by eMeter (US company selling Smart Grid technology)
(ref 3) "Smart homes: take remote control", The Guardian
(ref 4) "Smarter Grids: The Opportunity", DECC, pp2, 17
(ref 5) "Guest post: Roger Hunt on Smart Homes", British Gas Customer Newsroom
(ref 6) "Gov confirms plans for Sky box in charge of your house", The Register
(ref 7) Smart Metering Implementation Programme: Statement of Design Requirements, DECC & Ofgem, Table 1
(ref 8) Smart Metering Implementation Programme: A call for evidence on data access and privacy, DECC & Ofgem, §30
(ref 9) "Train fares set to fall in 2010", BBC News
(ref 10) "Who Controls the Off Switch??, Ross Anderson & Shailendra Fuloria, Cambridge University Computer Laboratory, chap. IV §D
(ref 11) Report: World Cyber Security Technology Research Summit, Belfast 2011, Centre for Secure Information Technologies, Queen's University Belfast, §2.1.3
(ref 12) "Buggy 'smart meters' open door to power-grid botnet", The Register
(ref 13) "RSA to Replace SecurID Tokens After Lockheed Cyber Attack", PCMag
(ref 14) "Stuxnet: Cyber attack on Iran 'was carried out by Western powers and Israel'", The Telegraph
(ref 15) "Who Controls the Off Switch??, Ross Anderson & Shailendra Fuloria, Cambridge University Computer Laboratory, Chap. V

Sorry it took so long.^^

Yet to come: wireless communications probs, prepay/credit switching and creative disconnection.

Bloody hell.

I read up on the home networks yesterday. I was boggled by the fact that anyone could think this was a good idea! Thank you very much for your ongoing precis, Tianc.

It's reminding me of abusive situations, where people fail to intervene because of thinking "They wouldn't do that, would they?" Guantanamo, the Maze, military rapes, the banking business ... They would, as long as they can get away with it and nobody asks.

You speak my branes, garlicBreathZombie... I actually deleted a bit at the end:

By now you'll be saying "This can't possibly be true. No one would be that stupid, there must somehow be some cunning Plan B."

No. They really are that stupid. DECC's Plan B is to wave its hands and say, "Oh we don't understand that computer stuff, it'll be fine. Just fine," while the power companies chant "Think of all the money we'll save. Think of all the money."

Thing is, the power companies expect to save vast amounts of money with the Smart Grid.

(They won't have to provide adequate power to cover peaks, and they anticipate sacking meter-reading staff and call-centre staff. Plus they'll dump the risk of buying electricity half-hourly but selling it averaged.)

So while the smart appliances ideas is good in (very small) parts, the implementation being is driven by the freight train of commercial interest. Trains not being known for their flexibility of direction...

The current process is, IMHO, very unlikely to yield us the safest, most secure, most consumer-oriented system ? which might not be Smart Meters at all, as they're currently envisaged.

Thanks for this, T.

tianc thanks for bringing this to our attention. It shouldn't be overlooked at all. I wonder if most constituency MPs are up to speed with this.

Soon will be!

Quite shocking but.......

Smart meters debated in parliament yesterday.

This was the Public Accounts Select Committee, who are concerned that "A gap exists in communicating the benefits of smart meters to taxpayers on lower incomes", rather than that benefits to all consumers may be completely outweighed by power company behaviour and inherent massive cyber risk.

However they are also completely correct that poorer households are less likely to benefit from Smart Meters ? excellent concise Guardian article on commercial and social aspects.

Does anyone fancy writing to this committee (doesn't have to be your own MP), casting your concerns in terms of "value-for-money criteria which are based on economy, effectiveness and efficiency"? (Committee doesn't do "merits of policy".) I'll also have a go.

List of members and committee clerks.

I'm trying to think of what points to make. Maybe:

? that the costs of security failure may massively outweigh the costs of investing in new generating capacity

? that power companies see this as a cost-saving exercise(ref 1)(ref 2), and therefore are choosing less secure hardware, software and architecture of the whole system than they would if they put security (national and personal) first.

? anything that else that strikes you

References
(ref 1) Smarter Grids: The Opportunity, pp1, 2, 7, 18
(ref 2) Smart Metering Implementation Programme: Statement of Design Requirements Tables 2, 3.
NB Love the way on Table 2, "load shifting" and "TOU tariffs" are described as Consumer Benefits. No dear, load shifting is a consumer sacrifice which is a supplier benefit. And TOU is a best an incentive/compensation for that consumer sacrifice, at worst a licence to charge the earth in the evenings.

Sorry, illness stopping play at the moment. Will resume as soon as I can.

Have resumed reading. And have to share another gem.

"An accreditation process is being considered as part of smart metering security governance activities for key players operating within the smart metering system. Conclusions will need to be made for the arrangements for determining whether DCC and smart metering deployments, implemented by suppliers, are in line with the security requirements both in the foundation and enduring stages."
§6.18 Smart Metering Implementation Programme, Response to Consultation Process, Design Requirements, DECC & Ofgem, March 2011.

Translation: "It's March 2011, we haven't even worked out how we're going test or licence Smart Meters as secure ? and the energy companies are out there installing thousands of the things. Which may fail the security tests."

So, what will happen if the immovable force of STEG* security requirements is met by the irresistible force of commercial companies which have rolled out millions of pounds' worth of white elephants?

I think making it politically unacceptable to brush the issues under the carpet could be important at that point.

There's already a background patter of bland, head-patting noises: "Nothing to worry about dear, it'll all be secure." "The computers are terribly clever you know." "Look, it's even encrypted." This patter may well become a deafening din. But personally I'll wait for the nice people at CPNI and CESG to be happy before I decide I'm happy.

• Security Technical Experts Group (STEG), which includes govt bodies like CESG, which is connected to GCHQ, and the Centre for Protection of National infrastructure (CPNI).

Dates & numbers.

"mass roll-out to start at the beginning of the second quarter of 2014 " (ref 1)

Full roll-out to be completed in 2019. The current smaller scale installation is called the Foundation phase (think this is largely new builds and replacement of elderly meters as they become due).

British Gas boasted to Parliament in October that they had installed 400,000 Smart Meters. And that "less than 19 out of 100,000 we wrote to recently" have opted out of half-hourly data collection. Indeed they were writing to lobby Parliament for half-hourly data to be made the default.(ref 2)

(ref 1) [[http://www.decc.gov.uk/assets/decc/11/consultation/smart-metering-imp-prog/2546-smip-consultation-rollout-180811.pdf Smart Metering Implementation Programme:
A consultation on draft licence conditions and technical specifications for the roll-out of gas and electricity smart metering equipment]], §52
(ref 2) "Supplementary written evidence from British Gas"

Apologies, for further delay 've been ill again plus I'm a lazy mare.

But in the meanwhile, news of a cyber attack on a Supervisory Control And Data Acquisition (SCADA) system, this time hackers in Russia supposedly damaging the water provision in Illinois.

"Hackers 'hit' US water treatment systems"

Uff. I haven't forgotten this thread but have been overrun by personal stuff. Sorry, will do more in the not hugely distant future.

And I used Xmas to talk to telecoms-y friends who are doing the silent scream about the insecure mobile phone technology some meters are using.

So more anon.

"Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks..."

Imagine my surprise.

As it happens, the device confirmed as vulnerable was the Nest internet-controlled thermostat ("It’s Crazy What Can Be Hacked Thanks to Heartbleed", Wired, Apr 2014), but this is the future.

If you connect an object in your house to the internet, eventually it will be hacked.

Just updating with an article about, well, mostly about how things haven't improved since I started the thread in 2011. And for a Ukraine electricity company got very much worse.

Could hackers turn the lights out? (BBC News, 16 Mar 2016)

While confirming that, yup, organisations really are that stupid.

Mr Gordeychik helps co-ordinate Scada Strangelove - a community of security researchers who seek out ICS systems openly exposed online. Scada (Supervisory Control and Data Acquisition) systems are used to oversee plant and machinery in industrial installations.
"We can discover more than 80,000 different kinds of ICS systems connected to the internet directly," he told the BBC.
That's bad, he said.
...
What had been a surprise, said Mr Glover, was the attitude of many companies who run the nation's infrastructure.
"That's what's been most disturbing to me," he said. "That people did not think they were going to be attacked."

On the plus side, the Scada Strangelove did persuade some companies that systems controlling railways really shouldn't be accessible from the internet.

And some control system makers have even gone so far as to update security without being asked by customers.

Advanced, huh?

Oh crap - had no idea about this and BG installed a smart meter in our house last week - is there anything I can do about it now, do you know? Or anything I should keep an eye on? We're on DD rather than prepayment if that's relevant...

DON'T PANIC! Well, not yet anyway.

BG aren't yet using most of the functionality of their Smart Meters, if I understand correctly. TOU tariffs aren't yet available, by and large.

Not sure about the remote reprogramming to prepayment mode. But IIUC, transfer of Smart Meters when you change electricity provider hasn't been ironed out yet. So it's possible that switching to another provider will remove BG's control of the Smart Meter.

Hacking... Some external hacks you can't protect against.

Others, well, have BG offered you any control facilities via a website? Switching your heating on before you get home, etc? You'd need suitable Smart devices attached to a Home Area Network, so it's unlikely you've got all this yet.

But BG customer account details were stolen in a hack in Oct 2015. The hackers didn't get any financial information but they did get logins which could be used to view customers' names, addresses and past energy bills.

And interestingly, BG doesn't seem to think this is particularly valuable data: 'An email sent to affected customers states: "I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk. As you'd expect, we encrypt and store this information securely."'

Ie sound like your other data wasn't in a secure data storage system.

Once there are control facilities via a BG website, this sort of data theft is going to lay you wide open to every Jeffrey* on the internet fiddling with your house.

But at this stage, I doubt you have all this vulnerable technology tacked onto the Smart Meter.

(*MNers' name for the hackers who recently attacked us via Heartbleed.)

Re keeping an eye.

I'd suggest taking monthly meter readings, as you may do already, to spot any obvious problems of inaccuracy. I'm not aware that BG Smart Meters are more prone to such problems than ordinary meters (although if there ever were problems, BG'd almost certainly deny it to the death as threatening their massive investment).

And obviously read carefully any future mailouts or press announcements about the wonderful, new "opportunities" the Smart Meter is about to start inflicting on offering you. Now you know the background, you'll easily read between the lines!

Thanks - you're right, no "smart" devices attached yet, though techhead DH has already been talking about them with enthusiasm - will fill him in!

Will also take monthly readings and see what happens. Thanks for your help, Tianc!

Free and impartial advice from a charity is available from Citrus energy (NOT A POWER SUPPLIER) 0800 221 8089 .
I used to work there and we helped a lot of people with gas and electric problems, helped with billing issues, and arranged warm home discounts, refund of charges, and advocacy up to and past the ombudsman.

If anyone still can't fathom what could possibly go wrong with so-called "smart meters" just go through this thread - as much relevant today as it was 12 years ago.