Outsmarted by our own smart meters?

Great piece from the FT’s Pilita Clark and Sam Jones, crediting my interview with GCHQ’s Dr Ian Levy in the new TalkTalk/Freud’s Cybercrime Journal.

 

GCHQ steps in to foil smart-meter hackers


GCHQ has intervened in the design of an £11bn nationwide system of smart energy meters to secure them against attempts by hackers to crash the country’s power grids.

The agency built in additional security measures for the UK metering system after discovering loopholes in meter designs in use abroad that it believed could pose a national security risk if rolled out in Britain.

The communication channel between each meter and the utilities operating them was designed to be encrypted. But the encryption key, the code used to unscramble the data each meter sends and receives, was the same for all of them.

If a hacker was able to crack the key, they could potentially gain control of every meter, GCHQ feared, according to a senior Whitehall official. That would allow them to “start blowing things up”, the official said.

Ian Levy, the technical director of GCHQ’s communications electronic security group, said in a separate interview that a number of security challenges surrounded the millions of gas and electricity smart meters being installed.

“The issue is will they let someone disconnect all the power to your house? Or can someone turn off the right number of meters in the right way to cause a collapse in the grid’s systems?” he told a cyber crime industry journal published by Freud Communications, the public relations group. “I’m not talking about small outages here, because frankly you could take out the supply cabinets of 100 houses with just a hammer.”

GCHQ is helping the Department of Energy and Climate Change securely design the new metering system, one of the UK’s biggest IT projects in a generation. Energy companies have already installed about 2m of the 53m smart meters due to be rolled out in homes and small businesses across the country by 2020.

Each one lets people see their power or gas use in real time, ending the need for meter-reader visits and estimated bills, and allowing consumers to save energy at certain times of day.

This should lead to savings of about £26 on the average dual fuel household bill by 2020, the energy department estimates, and cut millions of tonnes of greenhouse gas emissions.

The meters are to be hooked up to a custom-made data network linking the devices with energy utilities, due to go live in August. That should help cut the time it takes to switch energy suppliers from six weeks to as little as 24 hours, says Smart Energy GB, a campaign group for the smart meter rollout.

But Mr Levy says there have been big challenges ensuring all the different components of the new system are secure.

“The guys making the meters are really good at making the meters, but they might not know a lot about making them secure. The guys making headend systems know a lot about making them secure, but not about what vulnerabilities might be built into them,” he said.

To guard against these risks, the system has been designed in a way that means it can remain secure overall even if parts of it are compromised by a cyber attack, he added.

“The resilience is gained by needing three independent exploits or failures to happen to cause any large-scale effect.”

The National Grid said the IT systems used to operate gas and electricity networks were isolated from everyday business systems and built to ensure the networks remained safe and reliable.


END
