Security Beyond Smart Meters – Smart Homes (By Luay Baltaji, Cybersecurity Manager, OMNETRIC Group)

This will be your typical morning in a few years’ time: Early in the morning your smart wearable senses that you’re about to wake up and so your home starts preparing for the day. Your smart meter builds a picture of your anticipated energy consumption for this morning, and then agrees with the energy supplier how your home routine should be executed.

This activity could be performed every day in harmony with millions of other smart meters across the country, intelligently orchestrating smart home appliances, electric vehicle chargers and domestic energy sources, like a beehive to save us money and to help the grid operators reduce congestion on the energy grid.

The fact that our little ‘smart’ helpers can ‘negotiate’ with energy companies on our behalf to get us the best deal in near real-time sounds like science fiction, but is indeed becoming reality.

In Britain, it is starting with the rollout of smart meters into every home, the GB Smart Metering Rollout programme is targeted for completion by 2020. By then, there will be more than 50 million smart meters across the nation, sending out about 25 TB of energy consumption data every day to energy providers. With personal permission, this data can be shared with other companies interested in knowing how we use energy. The smart meters rely on an Advanced Metering Infrastructure (AMI) for communication and data management, which is governed by the Smart Energy Code (SEC) and overseen by the energy regulator OFGEM.

The SEC specifies the rules for the whole smart metering operations, it includes detailed sections for security and privacy. Encryption is heavily utilised across the AMI and there are very strict rules for handling consumption data which is classed as personal information. The data flow and trust relationships between all parties in the infrastructure are controlled by a central hub called the Data and Communication Company (DCC). The design and implementation of the national Rollout Programme have been put under the microscope of academics, security experts and government agencies (Anderson & Fuloria, 2010; Levy, 2016). In this series of articles, we will look at how the industry is moving towards the ‘next generation’ applications of smart meters. We will try to apply a different lens to study the challenges arising from the integration of smart meters with disruptive IoT technologies and legacy industrial control silos. This part highlights the key energy security challenges in designing and implementing smart homes. The rest of the series (to be published in upcoming editions of Cyber World) will discuss the cyber-physical risks of increased automation and intelligence in the energy grid, and the impacts of converging IoT/IT/OT silos in order to form a functional smart grid.

Embracing the ‘Smart’ Culture

Energy companies in the UK are looking for ways to leverage the power of the information collected from smart data points, industry use cases are emerging to convert the current AMI progress into an operational smart grid; most themes are taking place within two technology domains:

1. The Internet of Things (IoT) domain, smart home devices such as smart locks and washing machines, will help us automate parts of our lives in ways that give us more control of our energy bills. This is realised through the analysis of high resolution information that is produced by smart homes; also giving the energy companies more insights into energy usage patterns to offer their customers more competitive and tailored services.
2. The Operational Technology (OT) domain, feeding the information gathered by smart meters into the grid infrastructure in order to generate intelligence in the grid network to automate tasks in load and outage management.

These themes would require increased automation and interconnection, as well as more intelligent software systems that are capable of taking complex decisions whilst ensuring safe operation. These factors pose unprecedented challenges to privacy and security (Schneier, 2016). The latest Cyber Threat to UK Business report, issued by the National Cyber Security Centre (NCSC), predicts that it is ’highly likely that connected devices in industry are already targeted and that incidents are more common than are currently reported or that have been detected’.

Understanding the complexity of Smart Homes

The consumer market has been flooded with technology to automate homes. Devices such as Amazon Echo and Google Home, as well as smart appliances such as Smart TVs and washing machines, are being increasingly adopted. Many of these technologies are able to connect to smart meters through a module called ’Consumer Access Device’ or CAD, which comes with default support for many wireless communication protocols such as ZigBee and Z-wave. Although CADs and smart meters in the UK are certified by the NCSC, they open a door for new and emerging threats. Last year, the Mirai attack specifically used internet-connected home devices as botnets to attack the internet infrastructure (Kerbs, 2016). The exploited devices, such as IP cameras and routers, are not tested or assured in any way, and, given the economy of scale in IoTs, they’re unlikely to be tested for cyber threats. The rise of millions of identical smart devices living in similar setups, such as smart thermostats, raises some concerns. If a vulnerability is found on one device, a million others can be exploited at the same time: turning a million thermostats on or off at the same time can cause serious damage to the power infrastructure. This is not a fully fictional scenario, it has already been partially demonstrated (Tierney, 2016).

New approaches to address security

The IoT technology moves the control of devices from a central authority to the hands of consumers without a clear accountability model. For instance, if a smart device comes with a password that reads ‘1234’, is it the fault of the vendor for not building a secure product, the supplier for not doing a proper due diligence, or the consumer for not changing the default password? This ambiguity in governance, coupled with the added cost of securing products, are cited by official agencies as elements that derail efforts in building secure and privacy-oriented IoTs (European Union Agency for Network and Information Security, 2015).

These challenges are not unique in the utility industry, and the risks on the energy supply resulting from this decentralisation of control are not yet fully understood. Utilities can leverage the contractual relationship they already have with their customers to start tackling the responsibility and accountability challenges. But with a lack of industry incentive, it is unlikely that we will see a proportionate progress of security in the IoT-Energy ecosystem in the near future.

Addressing the issue of incentives is fundamental to improving the security of smart homes. The traditional approach of a regulatory force driving change in the Utility business may not be fit for purpose, especially now that unregulated technology firms are active players in the game of smart homes.

Utilities providing IoT services are generally aware that a purely reactive posture will be less permissible as societal awareness of the value of data grows, and as the reputational and regulatory consequences of data breaches increase (Clemente & Fell, 2015). Many have opted to use proprietary protocols and certified products in an attempt to limit threats from unsecure IoT devices. This poses a commercial challenge: the security features come with an additional cost and could limit some functionality, leading consumers who are more influenced by functionality and cost to look elsewhere for smart home solutions. Balancing security with value and functionality would require a joint effort from all parties involved, including governments, to build a holistic view of the IoT risks on the energy supply. This effort is starting to take shape with initiatives from the UK government to sponsor dialogs between technology vendors and energy suppliers, and with a new wave of EU policies targeting the IoT technology (The European Commission, 2017).

This article originally appeared in Cyber World, published by Secgate.

ABOUT THE AUTHOR

Luay Baltaji is a Cybersecurity Manager within OMNETRIC Group, a Siemens and Accenture joint venture which specialises in smart grid transformation. Luay is a recognised expert in the field of IT/OT integration and industrial Cybersecurity. Luay currently serves as Cybersecurity architect and advisor to a number of critical infrastructure operators in the UK. He holds an MSc in Computer Security and is a certified security practitioner from SANS, ISC2 and SABSA.

Bibliography

Anderson, R. & Fuloria, S., 2010. On the security economics of electricity metering, s.l.: Cambridge University Computer Laboratory.

Clemente, D. & Fell, M., 2015. Information Security in Smart Cities, London: Information Security Forum.

European Union Agency for Network and Information Security, 2015. Threat Landscape for Smart Home and Media Convergence. [Online]
Available at: https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-convergence
[Accessed 24 May 2017].

Kerbs, B., 2016. Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. [Online]
Available at: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
[Accessed 24 May 2017].

Levy, I., 2016. The smart security behind the GB Smart Metering System. [Online]
Available at: https://www.ncsc.gov.uk/articles/smart-security-behind-gb-smart-metering-system
[Accessed 24 May 2017].

Schneier, B., 2016. The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters. [Online]
Available at: https://motherboard.vice.com/en_us/article/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster
[Accessed 24 May 2017].

The European Commission, 2017. The Internet of Things. [Online]
Available at: https://ec.europa.eu/digital-single-market/en/internet-of-things
[Accessed 24 May 2017].

Tierney, A., 2016. Thermostat Ransomware: a lesson in IoT security. [Online]
Available at: https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/
[Accessed 24 May 2017].