The futuristic visions promoted by Smart Metering and Smart Cities are compelling on several levels. Add into the mix an Internet connected car. As a security person it worries be how this all joins up in he home.
Am I a doom monger, or is there an issue that needs proper debate?
There are plenty of articles around the web talking about the privacy aspects, with the typical example being “the electricity company will be able to tell when you are taking a shower”. These issues are attracting healthy debate.
My concern is more about security (which leads to privacy, if you can’t secure data then you can’t ensure privacy). Here are some scenarios that concern me if the system were found to be insecure:
- A burglar could observe via the network when my property is unattended (evidence suggests this is already happening using social media). Worse, they could also check my neighbours to reduce the risk of them being spotted entering my house.
- An accidental (or malicious) remote system update (or malware) could alter system behaviour, for example turning heating down or off. In households with vulnerable people, could this lead to hypothermia (or worse).
- For the real doom mongers, could I cause electrical equipment to overheat, causing a fire – remote arson?
Where I have heard these issues discussed, I have heard phrases like: “don’t worry we use the strongest SSL encryption, with a key length used by the military”; “We have strong access control mechanisms that will prevent that” and “Our quality control procedures will filter any such issues”. Oh dear.
If we have learnt anything as a security profession it is that security is hard, and has to be designed into the whole system. I am sure the some of the people responsible for the security of Nuclear reactors will have used these sorts of claims a few years back, then Stuxnet hit. Part of the resolution to these issues has to be ensuring security analysts and architects are engaged at the start to look at the end to end system, not just elements of protocol and process.
My fear is, the only place the full system comes together is in the home, where Smart Metering, uninformed users, broadband, virus ridden PCs etc all join a mesh of home broadband, wireless networks. So who is the security analyst or architect looking after the consumers interest, the home owner is certainly not equipped to do this.
Will the various service providers consider the home owners full dilemma, I speculate they will most likely take a view that their part of the service is fine, so it is not their problem.
Are the consumer organisations up to the challenge? Certainly not yet.
Am I alone being concerned about how it all comes together in the home?
Once Upon a Camayoc 
Hi Colin
I’ve been including it in my presentations on Wireless and Mobile Security for over a year and nobody seems to care. I included home DLNA in my threats slide and showed that when you searched the DLNA standards site for “Security” the only mention was about protection of Intellectual Property Rights of media companies.
In the smart Meter world I can’t understand why the UK will be rolling out over specified meters at a cost of about £2.5 K each to the subscriber purely due to pressure from the Big 6 Utility companies to have an “Off Switch”.. As far as I am aware we are the only country in the world going this route. What does that say about financial privacy? Simple meters would have fulfilled the basic needs of the Operators and consumers who want more could pay for it.
I beleive that the German roll-out is still held due to privacy concerns.
The Information Security Awareness Forum (ISAF) have been lobbying and some groups like Get Safe Online have held roadshows.. Unfortunately the average citizen doesn’t yet realise how much their privacy is being compromised. (or doesn’t care). If they did they would all be on phones that were secure and not being tracked, they would protect their context.
Maybe we are alone.
LikeLike
Interesting to note that USwitch, a consumer website, is starting to pick up the issue…
http://www.uswitch.com/gas-electricity/news/2012/12/13/smart-move-smart-meter-rollout-on-the-way/
LikeLike
Interesting development…
“Protecting customer privacy is a top concern of policymakers as utilities roll out and utilize smart meters. This month Minnesota requested public input on smart meter privacy — joining a growing list of states and nations considering this matter.”
https://blogs.siemens.com/smartgridwatch/stories/696/main
LikeLike