The promise was to help you control your electricity bill by becoming more aware of your energy use. The downside is that with the data gathered, other people and businesses can also become more aware of your habits, like when you go to work, go on vacation, etc. Is the potential energy savings worth the invasion of privacy trade-off? I sure don’t think so. I really don’t want PG&E or anyone else for that matter knowing how I live my life inside my own home.
To add insult to injury, the Public Utility Commission just granted PG&E a rate hike to pay for lost profits due to these devices that no consumers asked for. In my own conversion experience, PG&E basically said “our way or the highway” – I didn’t have a choice. Now I have a ZigBee WiFi capable datalogger on the side of my house, tracking my family’s habits. Now the EFF is getting involved for privacy protection. Fortunately, the PUC has now ordered PG&E to provide an opt-out plan. With privacy issues rising, there may be more takers now.
From the Electronic Frontier Foundation:
California Proposes Strong Privacy Protections for “Smart Meters”
The California Public Utilities Commission (PUC) has released a proposal for strong privacy protections for “smart meter” data, closely following the recommendations from EFF and the Center for Democracy and Technology. If adopted and finalized, the plan could become a model for how to protect sensitive consumer information while providing new ways to save energy.
California’s PG&E is currently in the process of installing “smart meters” that will collect detailed data of energy use —750 to 3000 data points per month per household—for every energy customer in the state. These meters are aimed at helping consumers monitor and control their energy usage, but the information that is collected can reveal much more about a household’s daily activities: when people wake up, when they come home, when they go on vacation, and maybe even when they take a hot bath.
Many third parties will want access to this sensitive information, and the California PUC has recommended strong protections for the transfer of the data to others. This should help prevent the data’s misuse, hopefully blocking new intrusions into our home and private life. We hope the California PUC goes on to adopt its proposal, creating a blueprint for energy data and privacy protection that can be used across the country.
![smart meter photo](http://wattsupwiththat.files.wordpress.com/2011/05/smartmeter-v01-pho1.jpg?resize=400%2C338&quality=83)
_Jim says:
May 13, 2011 at 10:36 am
Curiousgeorge says on May 13, 2011 at 5:27 am:
There’s another issue with this that hasn’t been discussed much. That being security holes in SCADA software: http://news.cnet.com/8301-27080_3-20062425-245.html .
This is only one example, and as the “Smart” grid/meters become more prevalent, there will inevitably be additional vulnerabilities discovered, and exploited. …
*This is going to be interesting; I can already see the same ‘crew’ who reverse-engineered Apple’s iPod/iPhone product turning their energies to ‘observing’ the behavior and habits of their local electric meter and working out 1) the protocol ‘spoken’ back to the office and, eventually, 2) the encryption (if any) used to encode their data packets…*
I assume you mean interesting in the Chinese curse sense? 😉 Yes, indeed.
If the backhaul is wireless, sure it will. But you can expect a visit from a utility service tech pretty quickly. And you can expect the utility to be quite unhappy about unauthorized installations on what they claim as their equipment.
If the backhaul is power line communications or another wired external communications network, then a Faraday cage won’t make any difference.
I should have mentioned that there is no hardware difference between the different Focus AX models. The ToU and load profile features are all software enabled. So even if a meter says Focus AX, it could be running as a Focus AXR due to firmware upgrades.
The service disconnect feature though does require a hardware/mechanical addition. Therefore if the meter is not marked “-SD”, it probably does not support service disconnect.
Smokey on May 13, 2011 at 12:13 pm
Sarge on May 13, 2011 at 12:05 pm
Pls pay attention; an actual ‘Faraday screen’ or shield shown about 2/3rds of the way down this page (as labeled):
http://www.w8ji.com/skindepth.htm
Use of a Faraday Shield to prevent detuning of an oscillator coil:
http://books.google.com/books?id=e_oZ69GAuxAC&pg=PA137&lpg=PA137&dq=induction++%22Faraday+shield%22+detuned&source=bl&ots=vXmF1ohP5u&sig=LIvvr79RGmotjfvXI3CbDw5Cqdk&hl=en&ei=wN6qSv7hKdDqlAff5YjmBg&sa=X&oi=book_result&ct=result&resnum=2#v=onepage&q=&f=false
Gentlemen, the term you want is EM (Electro-Magnetic) Shielding, not simply E-field shielding as the so-called, much-over-used, usually mis-applied “Faraday screen” term implies. (This is a CLASSICAL case of a little knowledge being dangerous …)
.
Jim,
Thanx for the info and links. [Actually, I was just looking for an excuse to post that cool pic.]
For those people wishing to find ways to block the signal: don’t bother. Of course it can be done, regardless of the method used, but, as Ron Dean states, you will receive a visit from the utility company. You’ll be offered a choice: accept the communication or go without electricity. If you want to stop this, you’re gonna have to organize and present utilities (and lawmakers) a singular voice. And you’re going to have to provide realistic alternatives to what they are trying to accomplish. It won’t be an easy fight and time is short. As I stated earlier, much of this can’t be undone. No one is making the traditional style meters anymore. The capabilities are there. It is up to the public now to discern whether they will be implemented or not.
Public pressure on politicians since these utilities here in Canada are crown corporations. Oh and I forgot the selling point from BC Hydro: it will stop the theft of electricity from grow-ops… which we know are the best export of BC… LOL
Oh, and the “potential” savings are about half a billion in the next 20 years, while the goons already spent that much in 9 years promoting conservation while filling up the coffers of the Hoggan public relations company, chairman of the Suzuki Foundation, a wonderful organization that gets lots of funding from the US: http://fairquestions.typepad.com/rethink_campaigns/david-suzuki-foundation-70-million.html
Re _Jim says:
Take a look at this presentation from 2009
http://data.proidea.org.pl/confidence/6edycja/materialy/prezentacje/CONFidence2009_nick_de_petrillo.pdf
Security on these kinds of networks is pretty much weak by design. They’re cheap, mass market and use COTS components, many of which have existing security problems such as WiFi as a transport. Because they’re mass market, key management is often weak so key extraction can become easier allowing hackers to ‘own’ or abuse large chunks of the network. Meshing networks may just make it easier to spread attacks.
Naturally the utilities will claim they’re secure even when security researchers point out the vulnerabilities. In the small print of consumers’ contracts, there will no doubt be language limiting or trying to deny any liability for any losses if smart meters are abused. They also won’t prevent fraud if hackers can play back normal-looking usage profiles, or solve BC Hydro’s problem that TomRude mentions. A meter reader with a nose is probably better for detecting grow-ops than a smart meter.
@Atomic Hairdryer says:
May 13, 2011 at 2:37 pm
Re: smart meter/grid security. If you go to http://catless.ncl.ac.uk/Risks/ (Run by Peter G. Neumann for a very long time. Techies will know who he is. ) and search for smart grid , or similar keywords it will return several comments and presentations on this issue. It’s not a new issue, but it seems that hardly anyone is paying attention in the rush to get this deployed as widely as possible.
A consultant’s #1 job is to secure more ‘job’. This is done a number of ways, with FUD and the prescription for ‘constant vigilance’ being two ploys …
1) Addressed in Reference A (below) under:
“Myth #1: Nobody’s paying attention to security.”
2) Any more (or less so) than security technologies used every day on the public internet (like HTTPS)?
Addressed in Reference A under:
“Myth #4: Wireless networks lack security and are easy to hack.”
1) Addressed in Reference A under:
“Myth #4: Wireless networks lack security and are easy to hack.” and
2) Addressed in Reference B (“Commissioning a new meter” procedure)
Addressed in Reference A under:
“Myth #5: Cracking one meter provides access to the entire smart grid because everything is interconnected.”
No more (or less) secure than the IP security protocols in use today vis-a-vis HTTPS/SSL?
The rest is standard legalese …
In regards to keys and cryptography in general: if you’re not using one-time pads, it’s a matter of time before you’re hacked … but that may be, and depends on, that ‘time’ being a long time (relatively speaking) compared to the scenario in which the cryptography is being employed … that, and balanced against the ‘worth’ of hacking a scheme or a ‘gain’ of minimal value.
– – – – – – – – – –
References:
Reference A
Reference B
1) Choose “Network Provisioning” on the left.
2) Pay attention to the procedure used to ‘commission’ a new meter, involving a series of steps along with a ‘parallel path’ for making the system aware of the new meter via interaction between the installer and the platform his work orders are handled on.
Hi Jim,
Thanks for those references. I have to say that SSN is being a bit disingenuous with this claim:
SSN makes it sound as if smart meters increase security from the stated threat. This is just not true.
If there was no smart grid or smart meters, the only threat that would exist is a physical one. Just introducing communications enabled devices into the grid, no matter how secure they may be, introduces a risk of being hacked. So how it is “easier” to “put a variety of checks, limits and restrictions at multiple points throughout the network” when compared to simple mechanical meters is beyond me.
Re _Jim says:
True to some degree. I’m a consultant specialising in the design of secure networks so know a lot of the tricks of the trade. Conversely, a supplier’s job, like SSN’s, is to claim their network is secure and limit any liability if it isn’t. The standard way to do this is via white papers like the one you cite. That paper makes some misleading claims. For example:
This may sound impressive, especially when combined with the previous explanation that FHSS ” changes the channel from 50 to 100 times per second, making it difficult to lock onto”. That’s talking about IEEE802.11 FHSS and what it doesn’t tell you is devices have to maintain sync so hop in a pattern programmed into the devices. Access to the devices allows that to be extracted, or you’d have to do it the harder way by sniffing data and figuring out the sequence. The more data and devices, the easier it is to capture data and do this, and there are tools to help. Another disadvantage of FHSS is because the hop pattern has to be known to the devices, there is less device interoperability. That’s useful if you’re a vendor wanting to lock a customer into a particular hardware ecosystem though. FHSS is also less bandwidth and spectrum efficient, which may cause some problems depending on how heavily the spectrum it’s using is being used by other things.
The paper mentions encryption and certification several times but fails to mention where the keys are stored. They’re in the meters and can potentially be recovered, as several security researchers have demonstrated. Then communications would still be authenticated, and appear to be from trusted components. A recent example of this false sense of security is the way Blu-ray was reverse engineered and master keys recovered, leading to older Blu-rays being copyable and requiring devices to be re-keyed. If you lose control of the network though, OTA updates won’t work and suppliers would have to manually update or replace meters.
The choice of architecture makes it necessary to do that to try to protect the network. That adds costs and complexity and increases risks to the network compared to classical ‘dumb’ meters. Introducing remote disconnection may be a desirable feature for loss reduction, but only if it’s the supplier doing the disconnecting. If it’s not, it may lead to compensation claims.
Taking out smart meter readers also introduces other risks. A smart meter reader may notice dodgy looking wires coming off the supply side. Or funny herbal smells. Or if it’s rolled out to gas networks, gas leaks. A meter reader noticed a small gas leak from my neighbour recently, a ‘smart’ meter probably can’t do that.
Myth 5, well, that one depends on what you attack. It sets up a strawman by suggesting attacking a single meter can compromise the network and says “for example, two operators must work in concert to initiate system-wide commands (this is also known as “two-party control”)”. Compromise the operator creds and you own the whole network.
The biggest myth the paper perpetuates though is Myth 3. “First used in the 1970s, IP is a mature, robust protocol suite that offers numerous security mechanisms.” The standard TCP/IP protocol suite offers precisely zero security because it was never designed to be secure. Additions to that suite like IPSec, HTTPS etc have tried to correct this.
It’s a nice paper to give people a false sense of security. Alternative papers such as the one I gave, or the Cambridge research mentioned earlier, or the discussions on comp.risks may provide a different perspective.
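The two points raised in this thread about keys, that keys recovered from one meter’s hardware may let an attacker speak as the network (Atomic Hairdryer, above, and the earlier remark that weak key management lets large chunks of a network be ‘owned’), and that played-back normal-looking usage profiles would still authenticate, come down to two design choices a head end can make. The following is an added example written for this page, not code from the thread, from SSN, or from any meter vendor: it models a utility head end verifying HMAC-SHA256 tags on usage reports, with per-meter keys derived from a head-end master key and a per-meter sequence counter against replay. The meter ids, the master key and the use of HMAC-SHA256 as the derivation function are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import json


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Derive a per-meter key from the head-end master key (HMAC-SHA256 used as a KDF).

    Only the head end holds master_key; each meter is provisioned with its own
    derived key, so a key read out of one meter's EEPROM reveals nothing about
    any other meter's key. (Assumed design, not a specific vendor's scheme.)
    """
    return hmac.new(master_key, b"meter-key|" + meter_id.encode(), hashlib.sha256).digest()


def sign_reading(meter_key: bytes, meter_id: str, seq: int, kwh: float) -> dict:
    """Build an authenticated usage report carrying a monotonic sequence number."""
    payload = json.dumps({"id": meter_id, "seq": seq, "kwh": kwh}, sort_keys=True).encode()
    tag = hmac.new(meter_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class HeadEnd:
    """Utility-side verifier. per_device=False models a single network-wide key."""

    def __init__(self, master_key: bytes, per_device: bool):
        self.master_key = master_key
        self.per_device = per_device
        self.last_seq = {}  # highest sequence number accepted per meter id

    def key_for(self, meter_id: str) -> bytes:
        return derive_meter_key(self.master_key, meter_id) if self.per_device else self.master_key

    def accept(self, msg: dict) -> str:
        data = json.loads(msg["payload"])
        expected = hmac.new(self.key_for(data["id"]), msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"  # not signed with the key the head end holds for this meter
        if data["seq"] <= self.last_seq.get(data["id"], -1):
            return "replay"  # an earlier report played back, even though its tag is valid
        self.last_seq[data["id"]] = data["seq"]
        return "ok"


def run_scenario(per_device: bool) -> list:
    """Constructed scenario: the key inside meter M-A has been extracted from the device.

    Returns the head end's verdict on (1) M-A's genuine report, (2) a replay of
    that same report, (3) a report attributed to meter M-B but signed with M-A's key.
    """
    master = hashlib.sha256(b"constructed demo master key").digest()  # constructed, not a real key
    head = HeadEnd(master, per_device)
    key_a = head.key_for("M-A")  # the key material held inside meter M-A
    genuine = sign_reading(key_a, "M-A", seq=1, kwh=12.5)
    other_meter = sign_reading(key_a, "M-B", seq=1, kwh=0.0)
    return [head.accept(genuine), head.accept(genuine), head.accept(other_meter)]


if __name__ == "__main__":
    print("per-device keys:", run_scenario(per_device=True))   # ['ok', 'replay', 'bad-tag']
    print("shared key:     ", run_scenario(per_device=False))  # ['ok', 'replay', 'ok']
```

With per-device keys the loss of one meter’s key is contained to that meter and the sequence counter rejects replays; with one shared network key, the same extracted key authenticates reports for every other meter on the network, which is the ‘own large chunks of the network’ outcome the thread describes. The counter state has to survive head-end restarts and the meter’s own power cycles for the replay check to hold.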
Bzzzzt!
Caught/detected by:
a) ‘intrusion detection’ functions (becoming more and more common in equipment designed with some level of security in mind) and
b) the unit will be incommunicado WRT infrastructure pings (this will be noted and logged and is either a sign of an ‘outage’ or a security compromise) during the disassembly and subsequent physical procedure of hacking (EEPROM contents inspection, powering/unpowering the controller, applying the usual bag of ‘tricks’ to get the CPU to possibly come up in an altered state as part of “the attack”); powering the unit back up (they are designed to be ‘always powered’) is going to raise flags … esp. when neighboring units/meters in the area (on the same distribution and/or secondary 120/240 line) didn’t go down (these are some of the aspects so-called security experts and consultants don’t seem to address: the bigger, complete picture; rather they focus on the unit itself and stress its limitations.)
Overlooked in all this is the minimal value of the comms (the content thereof) that one is endeavoring to intercept (the little data payload) and limited authority a ‘hacked’ meter is going to have in an application like this as well … the meter won’t (shouldn’t!) have much ability to raise havoc/control or inquire into the upper/deeper levels of the AMR/AMI system.
Recall these aren’t comms to/from a foreign embassy with potentially high value content, but lowly, electric power ‘usage’ dumps … security need really only be to the level needed … tampering is still going to leave a trail, with busted/removed physical security tags (like as used now on mechanical meters) with the addition of internal ‘memory’ of events and supervision control messages (including alerts and warnings) to/from the power provider via communications infrastructure …
.
Hi Ron.
Part of the response to this was to A. H. D. (look at that acronym!) above, specifically, the level of security required in the actual meter need only be to a particular level … it certainly needs to be _beyond_ an easy hack, like say an over-the-air protocol that uses say, simple FSK mapped one-to-one to a 300-baud, 8-bit no-parity (with a start-pulse) asynchronous serial data stream straight from a PC’s serial port!
We should all bear in mind these aren’t comms to/from a foreign embassy with potentially high value content, but lowly, electric power ‘usage’ dumps … security need really only be to the level needed … tampering is still going to leave a trail, with busted/removed physical security tags (like as used now on mechanical meters) with the addition of internal ‘memory’ of/for events and supervision control messages (including alerts and warnings) to/from the power provider via communications to the infrastructure which is part of, and integral to, the overall security of the system (hacking, power-down of the unit raises suspicion).
True story – in my youth, I thought I had figured out the simple and ubiquitous POTS line the phone company had installed throughout the land … I thought I was ‘clever’ enough even to simulate the dial pulsing by hand even though I seemed to have a low ‘success rate’ (misdialed calls) in dialing … well, it wasn’t but a week or so and a representative from The Bell Telephone Company paid a visit to our house … this was in the day before even the last mechanical cross-bar switches were in operation and probably still in the day the ‘stepper’ style of telephone switch (still in the era of the electromechanical and analog telephone switch) yet they had the ‘supervision’ capability to detect and track down ‘malformed’ dial pulsing entering the facility!
So, too, will they be able to detect hacking and other probes back ‘upstream’ from the lowly service/electric meter which is bestowed with intentionally limited access to info and data further upstream.
.
Re _Jim
Indeed. The meter shown has a tilt detector and capacitors to do ‘last gasp’ transmissions if there is a power outage. When power is restored, how could you be sure it’s still an I-210, with its original code? In addition, the SmartMeter can detect and report exceptions for the following tamper events: number of Demand Resets, Loss of AC power and reported power outages.
True, it can be set for polling down to 5-min intervals. That may or may not be enough time to replace or rewrite the meter with new firmware. But then if alarms are tripped after missing a single poll, the alarm centre is likely to get very busy. Especially given the amount of WiFi devices around and potential congestion. Or even due to global warming based on an earlier story.
You’d also not need to hack a live meter. You could just buy one. I couldn’t see any I-210s on ebay at the moment but there’s a couple of L+G’s for sale. Or you could steal one. Or you could privately rent a holiday home for a couple of weeks and experiment there. Or you could just download the firmware. Doing proofs of concept is fairly easy, as security researchers have already demonstrated. The problem is still using a wireless network vulnerable to man-in-the-middle monitoring and attacks, and installing millions of low cost devices in untrusted locations. Standard revenue protection measures would still work, ie you’re billing less than consumers are using. But then you have to find the hooky meters. Meter readers could perhaps be useful for that, but they’re being replaced with ‘smart’ meters complete with 3.3v TTL interfaces to reprogramme them. And it’s being done to increase customers’ energy bills, or inconvenience them by load shedding, so providing additional motivation for fraud. Not to mention the potential ability for script kiddies or other criminals to remotely disconnect people.
How does any of that benefit the consumer?
Of course suppliers could reassure consumers by agreeing to liability for any loss or damages caused by 3rd parties getting smart with the meters. They don’t, so what does that suggest about actual security?
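Both sides of this exchange make a point a head-end operator has to reconcile: Jim’s, that a meter going quiet while its neighbours on the same line stay up, and then reappearing, is the signature to watch for; Atomic Hairdryer’s, that alarming on a single missed poll would swamp the alarm centre. The following is an added example written for this page, not the thread’s or any utility’s detection logic: it runs over a constructed heartbeat poll log and separates a whole-feeder outage from a lone silent meter, flags the lone meter only after a run of consecutive misses, and marks its return as something to verify rather than silently trust (the point made above about being sure it is still the same meter with its original code). The log format, the feeder grouping, the threshold and the alert names are all assumptions of the example.

```python
from collections import defaultdict

# Constructed head-end poll log (not real utility data): one line per meter per
# 5-minute poll as "timestamp feeder meter status"; "ok" = answered the heartbeat,
# "-" = no response.
POLL_LOG = """\
2011-05-13T10:00 F7 M1 ok
2011-05-13T10:00 F7 M2 ok
2011-05-13T10:00 F7 M3 ok
2011-05-13T10:05 F7 M1 ok
2011-05-13T10:05 F7 M2 -
2011-05-13T10:05 F7 M3 ok
2011-05-13T10:10 F7 M1 ok
2011-05-13T10:10 F7 M2 -
2011-05-13T10:10 F7 M3 ok
2011-05-13T10:15 F7 M1 ok
2011-05-13T10:15 F7 M2 -
2011-05-13T10:15 F7 M3 ok
2011-05-13T10:20 F7 M1 -
2011-05-13T10:20 F7 M2 -
2011-05-13T10:20 F7 M3 -
2011-05-13T10:25 F7 M1 ok
2011-05-13T10:25 F7 M2 ok
2011-05-13T10:25 F7 M3 ok
"""

MISS_THRESHOLD = 3  # consecutive missed polls before a lone silent meter is flagged (assumed tuning)


def parse_polls(text):
    """Return {timestamp: {meter: (feeder, responded)}} from the log text."""
    polls = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, feeder, meter, status = line.split()
        polls[ts][meter] = (feeder, status == "ok")
    return polls


def detect(text):
    """Turn heartbeat results into alerts, judging each meter against its feeder peers.

    - every meter on a feeder silent in one poll      -> "feeder-outage" (area event, not tamper)
    - one meter silent MISS_THRESHOLD polls running
      while peers on the same feeder still answer     -> "single-meter-silent"
    - a flagged meter answering again                 -> "restored-verify-firmware"
    """
    polls = parse_polls(text)
    misses = defaultdict(int)  # consecutive unanswered polls per meter
    alerts = []
    for ts in sorted(polls):
        by_feeder = defaultdict(list)
        for meter, (feeder, up) in polls[ts].items():
            by_feeder[feeder].append((meter, up))
        for feeder, members in sorted(by_feeder.items()):
            if not any(up for _, up in members):
                # Whole feeder dark: treat as an outage and do not count it against any one meter.
                alerts.append((ts, feeder, "*", "feeder-outage"))
                continue
            for meter, up in sorted(members):
                if up:
                    if misses[meter] >= MISS_THRESHOLD:
                        # Back after a flagged silence: confirm identity and firmware before trusting it.
                        alerts.append((ts, feeder, meter, "restored-verify-firmware"))
                    misses[meter] = 0
                else:
                    misses[meter] += 1
                    if misses[meter] == MISS_THRESHOLD:
                        alerts.append((ts, feeder, meter, "single-meter-silent"))
    return alerts


if __name__ == "__main__":
    for alert in detect(POLL_LOG):
        print(*alert)
```

On the constructed log this yields three alerts: M2 flagged at 10:15 after three missed polls while M1 and M3 kept answering, one feeder-outage record at 10:20 that is not charged against any individual meter, and a verify-on-return alert for M2 at 10:25. The threshold and the peer comparison are what keep a congested radio channel from turning every dropped poll into a tamper alarm.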
Mods, the corrected post …
There are a number of other holes in your arguments or points that were brought up that I just hadn’t had time to address … this seeks to remediate that.
Bzzzt!
Grainger is a supplier, as are Mouser and DigiKey.
SSN develops/engineers/creates whole products, per their About Us description: “We provide the hardware, software and services that connect every device on the smart grid, creating a unified Smart Energy Platform.”
On a par with observing “The sun rises in the morning and sets in the evening”. Nothing new; issuing verbiage to up the word count.
A true statement (all after “Mitigation” that is).
A judgment call; not an observation even.
Extracted from a sentence which began: “RF spectrum jamming and jabbering at the RF level are countered by use of frequency-hopping spread spectrum (FHSS), which changes the channel from 50 to 100 times per second, making it difficult to lock onto.”
FHSS or, more to the point DSSS does offer those two benefits, and is far superior to single fixed carrier using say GMSK modulation … so, what is the beef?
FHSS/DSSS is par for the course these days with the benefits as stated.
Standards-based, which this product appears to be, already should detail what is necessary as to ‘hop’ (spreading code).
See above.
See above; Also, more confusion, as there always seems to be, by non-RF savvy personnel between DSSS and FHSS.
For me, FHSS is _not_ ‘spread spectrum’, therefore, it is only FH (Freq Hopping)
Hint:
If your receiver_IF_BW = data_rate it’s Frequency Hopping
If your receiver_IF_BW = chip_rate it’s Discrete Sequence Spread Spectrum
(Note: Chip rate will be greater than, say, 10x data_rate)
IF = Intermediate Frequency
BW = Bandwidth
Recovery of keys by the brute-force method will trigger Intrusion Detection as spelled out in a prior post; not repeated here.
Also, any encryption technique can be broken w/o direct access to the hardware, given enough time and a couple other parameters (like the message being known), save for one-time pad techniques.
ANY system requires these types of security considerations; of course that includes cellular … e.g. access to the HLR (subscriber database), the SWITCH itself (system/cell site parameters, neighbor cells for hand-off), etc
Segmentation of (job) responsibility works towards mitigating most all of this (nothing will ever be perfect in human security)
Now we’re crossing into a new area; should be addressed separately (law enforcement related subject); leaking nat gas should be reported by property owners …
The “Myth 5″ strawman is one set up by others, one of six this paper addresses as myths.
For the balance of the post see ans 2 blocks above this one (internal company controls as they regard personnel for ‘security’ are not under discussion).
Re-read that sentence.
On second thought, let me help you:
“First used in the 1970s, IP is a mature, robust protocol suite that offers numerous security mechanisms.”
Notice the comma (I bolded it for you)? The above statement, BTW, is true.
Newsflash: The security ‘design’ focus has changed WRT Internet Protocol (IP) in the last, what, twenty years?
http://www.silverspringnet.com/pdfs/SilverSpring-Whitepaper-SmartGridSecurity-MythsReality.pdf
I would suggest you read the balance of that paper, commencing with page 5; Those folks aren’t hiding much that I can see (although implementation details remain undiscussed as they are competition-sensitive and so I’m sure you won’t see them spelled out in a white paper by SSN or by anybody else in industry.)
Also note that various ‘eggheads’ in industry (and in tightly focused groups like comp.risks) do a good job of addressing individual-unit ‘weaknesses’, but tying these small units into a much larger system with active feedback (e.g. active periodic pings and heartbeat pings) and ‘supervision’ work to clean up and minimize these perceived weaknesses …
To their credit and very much on the upside, they are emphasizing the use of IP security measures, measures that have received some of the most intense scrutiny of any protocols on the planet.
.
I think we’ll have to agree to disagree on many of these points. We could probably argue all day about whether SSN is a supplier, systems integrator or whatever. We could debate the merits of DSSS vs FHSS and why if it isn’t using FHSS, the whitepaper chose to use that description.
Ultimately it’s all about the risks, costs and benefits. Time will tell who’s right about that. We ‘eggheads’ will carry on warning about vulnerabilities and risks, and hope we’re proven wrong. There’s still good money to be made fixing networks that were sold secure, and found wanting. Personally I’d much prefer not to do that, but it pays the rent.
Hi chris y, we are in northern Canada (around 55 degrees north), so we run a big system, definitely bigger than what you need in Florida. We have a 24 volt system with battery bank that can store 2400 amp hours. The dollar value would be lower for you also, with the exchange rate. Depending on the size of your family (we are 4) and lifestyle, you could probably run a system half the size (and half the cost).
We installed the system ourselves with the help of an electrician friend to do the wiring in the house, so the $25000 for the system does not include installation, but that is the total cost (panels, solar inverter with charge controller, battery bank, materials). Our area is among the highest in Canada for electricity charges; in 2008/09 we were paying about $2500 per year.
We have reduced our consumption somewhat (mostly in winter months). We now run a gas dryer and oven/stove. In the next couple of years we plan to also convert all of our appliances to high energy efficiency (i.e. fridge, deep freezer). We no longer leave the computer or satellite receiver on unless we are using them (huge electricity vampires). Overall, just more conscious of turning off lights, etc.
Because of where we live, daylight hours are shorter in winter, thus we must periodically run a generator to charge the batteries. You won’t have that problem where you are, but it might be necessary for ongoing cloudy weather (i.e. more than three/four days depending on your system). If 100% off the grid you would probably want to have a back-up generator anyway.
The other 9 months of the year are simply fabulous. Today we made over 17 kWh of electricity, more than we could possibly use in one day. Conservation becomes a non-issue, as we could literally run every electrical appliance in the house all day long and would still be storing the extra volts into our batteries. We are also never impacted by storms and power outages, relatively commonplace in our rural neighbourhood.
Cheers
Sorry, that is $2500 per month for electricity, not $2500 per year.
lol, no $2500 per year, I must be tired, $2500 per month would be a bit expensive
Toshiba to buy Landis+Gyr for $2.3bn
http://www.environmental-finance.com/news/view/1724
Anyone can walk up to your meter and read it; do you really think it has ever been secure? It’s the same information the utility has been getting: meter number and readings.