Smart meters need to be harder to hack, experts say

By the year 2020 about 30 million British homes will have digital smart meters monitoring their gas and electricity usage, according to government plans.

The scheme promises to reduce costs as in-house monitors will make energy consumption more visible and therefore controllable, and will remove the need for estimated bills.

However this month the roll-out was delayed by the Department of Energy and Climate Change for more than a year as the government admitted more tests were still needed.

One big issue for information security experts is the safety of the data collected by the meters and transferred back to the utility companies.

While there are many different brands of meter, the communications hubs which transmit this information often use the mobile data network via a SIM card, security consultant Eireann Leverett from IO Active told the BBC.

"There are two main ways of hacking the meters," he said.

"Through the mobile network they use to communicate, or through hardware hacking - opening the meter up, tampering, altering the firmware or removing the cryptographic keys."

Utility companies are reluctant to use home broadband services for data transmission because they could be liable if an individual's account was hacked, he added, and the meters themselves could be vulnerable as many of them will be outside properties or in communal areas.

The problem is that making the new digital meters more secure requires considerable investment for a relatively low-cost product, Mr Leverett explained.

"It's hard to do," he said.

"The meters have to be very inexpensive to roll out across the country - it's a real challenge fitting in the security that people need with keeping the cost down."

Some manufacturers have been more involved with the information security community than others, he added.

"Those that have solved problems have generally solved them in one dimension. So they've protected the privacy of the customer - actually we don't see that very often - or they've protected the flow of data to the communications hub and the data centre but they haven' t necessarily protected the hardware."

But why is someone else's energy use of interest to a hacker?

"There are many diverse reasons for hacking attacks - one of them might be revenge. They can put a business out of business - if I can raise the price of electricity for a business I don't like for three months they might have trouble paying that off."

On a national level, the hacking of a nation's entire power grid via its smart meter network could be catastrophic.

"While you as the individual may not be an important person that is worth hacking, being able to hack lots of devices at the same time can produce other effects on the country that we are concerned about," said Mr Leverett.

In 2010 Prof Ross Anderson of the computer science department at Cambridge University wrote a paper , externalexpressing his concerns about "strategic vulnerability" for the UK's infrastructure with the introduction of smart meters.

He rather scathingly told the BBC he believed the scheme remained "as much as a mess as ever" and blamed political decisions.

That same year the FBI discovered hacks on smart meters in Puerto Rico.

Security expert Brian Krebs reported on his blog, external that the FBI found that using cheap tools and software available online, former employees of the power firm and meter maker made gadgets under-report energy use by up to 75%.

Eireann Leverett does believe that ultimately the meters, if they are properly secured, will be beneficial for households.

"The idea is that you don't have any visibility of what price you're using electricity at. This will give you a real-time examination of that," he said.

"You can say,' I'm going to stop using my washing machine at peak time...' - users who have trialled the meters say their bills went down by 20% to 30%."

Energy and Climate Change minister Baroness Verma told the BBC the government was working with the National Technical Authority on security issues.

"It's right that we look at security because security will be a key issue for everyone, but the way we've done it and the way we expect industry to respond to it is by making sure they are working to very vigorous and robust measurements to ensure that consumers' privacy and data are absolutely secure," she said.

"[Manufacturers] will have to produce annual audits and make sure their own risk assessments are meeting the standards we are putting into place."