During the inquiry we held a private informal meeting with a representative of GCHQ to discuss smart meter security issues. The Government subsequently submitted the following memorandum on the points we raised during the session:
1) The Department of Energy and Climate Change (DECC) has worked with GCHQ since the very early design stage of the rollout, when the programme was initiated. The engagement with GCHQ has been one of partnership, issue discussion and resolution. DECC has worked with GCHQ to provide the following information about the security of smart meters.
2) The media reports relating to “loopholes” in the Smart Meter system are based on misunderstanding. Security lies at the heart of the smart metering system and has been a key consideration at every stage of system development to ensure there are no “loopholes”. The system operates on a national scale and has been designed as a secure end-to-end system, not just a collection of meters, energy suppliers and other components that have evolved individually. This is particularly evident from the GCHQ description of smart metering security on their website.
3) DECC, working with GCHQ and industry experts, designed the Smart Metering System with layers of security controls that can practicably be implemented by industry participants. Detailed threat modelling of hypothetical attacks, errors and failures has been undertaken to ensure these controls are proportionate to the current threat landscape and, together with the trust modelling, cryptography and other controls that have been applied, are designed to ensure that the system is as secure as it needs to be in relation to this threat landscape.
4) Trust modelling has been used to identify and segment the transactions between energy suppliers and network operators with meters to ensure that each transaction is adequately protected. Symmetric and asymmetric cryptography is used to ensure the authenticity of each transaction (i.e. that it originates from an authorised party), the integrity of the transaction (i.e. that it cannot be altered in transit) and non-repudiation (i.e. that the originator cannot deny that they initiated the transaction).
5) Each component part of the system is subject to a very detailed and comprehensive set of security obligations and regular ongoing independent security assessment. The nature of the threat landscape means that individual components of the system will be subject to new compromise methods over time. The end-to-end security architecture minimises the risk that a single compromise of any one component could have a significant impact and allows for new threats to be addressed.
6) The smart metering security architecture has been designed to ensure that any unintended impact on energy supply would require the compromise of multiple layers of security by multiple parties. The layers of security controls that have been designed into the end-to-end smart metering system ensure that messages sent to the meter that could affect supply must be digitally signed by the sender and checked for any unintended consequences. The message must then be digitally countersigned by the Data and Communications Company (DCC) and subjected to a further check to detect any potential for anomalous consequences.
7) Each message received by a meter is authenticated via a secure cryptographic algorithm, where the authentication code is unique to each message and each meter. The meter will not respond to any message that does not carry both the correct cryptographic signature of the sender (the ‘owner’ of the meter, who holds the private key that the meter will recognise) and the message authentication code appended by the DCC.
8) It is clear therefore that any message that has the potential to affect supply is very tightly controlled and is protected by multiple layers of security controls in different organisations and different locations, all of which would need to be compromised to achieve an unintended disconnection.
9) The Smart Energy Code (SEC) is a multi-party agreement which defines the rights and obligations of industry parties involved in the end-to-end management of smart metering in Great Britain.
10) GCHQ will continue to be available to attend the SEC Panel Security Sub-Committee if it is necessary to provide expert security advice. However, GCHQ does not consider it appropriate to have a seat on the SEC Panel Security Sub-Committee, as industry are responsible for ensuring the security of the enduring system and we expect them to manage the risk proactively. A representative from DECC is invited to attend SEC Panel Security Sub-Committee meetings, enabling GCHQ to be called upon when needed while continuing to proactively monitor the threats to key national infrastructure.
11) CESG (GCHQ’s security arm) has been working with DECC and the Commercial Product Assurance (CPA) test labs to define the security standards that the end point equipment manufacturers (electricity and gas meters and communications hubs) need to meet. The manufacturers are working with the test labs to gain assurance and CPA certification of these components.
12) During the foundation phase of the programme, energy suppliers are responsible for developing systems capable of communicating with their SMETS1 meters. Energy supplier licence conditions require them to take the right steps to secure these systems. Each metering system in SMETS1 therefore has its own security model. Arrangements are in place to ensure that the security of these systems is independently assessed annually, with energy suppliers obliged to take steps to address any issues that are identified.
13) There is ongoing work relating to the enrolment and adoption of these meters into the DCC infrastructure. The requirement is to ensure that such adoption does not materially reduce the security of the overall system.
14) Throughout the system design, information regarding changes to the threat landscape has been incorporated into the ongoing risk assessment process. These assessments have been informed by the UK intelligence community and augmented by industry knowledge and real-world incident reporting.
15) The DCC services are segmented into a number of core components. These include the systems which provide data transformation services, communications and the public key infrastructure. The DCC is required to employ proportionate technical controls to separate these systems to improve the resilience of the overall infrastructure. Business continuity and disaster recovery arrangements must be established and tested annually.
16) Personnel security arrangements must be implemented by the DCC, energy suppliers and any other users of the system. These arrangements will include segregation of duties and security vetting for privileged users that have access to sensitive system components.
17) Under the CPA Scheme, meter manufacturers will need to build their devices against a set of relevant security characteristics. Build standards are in place aimed at ensuring meter manufacturers adhere to security good practice standards within their organisation, including personnel security arrangements. The CPA scheme will also cover secure coding practices and assess whether an appropriate fault remediation process is in place.
18) The end-to-end security architecture further mitigates the potential impact that a rogue employee could have on the overall system, and the capability for any vulnerability to be exploited at scale.
19) There is no central repository of energy consumption data held by Government, the DCC or any other organisation. Where data is held, for example by energy suppliers, the provisions of the Data Access and Privacy Framework apply. This Framework imposes requirements on those parties accessing data, including obligations regarding the provision of information to consumers about how often data is being collected, for what purposes and what choices are available to the consumer.
20) Where network operators wish to access detailed consumption data for regulated purposes, such as planning network reinforcement, they are required (under the Electricity Distribution Standard Licence Condition 10A.9) to treat the data so that it is no longer possible to identify a particular household. Network operators’ plans for treating the data must be approved by Ofgem. There are a number of different approaches to making data anonymous, but we recognise that removing the ability to relate data to individuals is not always straightforward.
21) There is currently a large volume of academic work on the potential for re-identification in anonymised datasets; an example is a paper by Paul Ohm which raises a potential problem in managing privacy and the laws that surround it. The paper highlights that our faith in the privacy protecting power of anonymising “personal data” in large data sets has been undermined and that the possibility to “reidentify” or “deanonymise” individuals hidden in anonymised data has been demonstrated, sometimes with astonishing ease. The paper also contains the observation that the usefulness and privacy of data are intrinsically linked in such a way that regulation cannot increase data privacy without decreasing the usefulness of the data. Once again, appropriate balances need to be struck.
22) We are aware that GCHQ has started some research work to quantify and understand the risks in this area, resulting in the production of a set of authoritative advice for government and other parties about anonymisation and the risks of unintended disclosure.
23) The energy supplier is the ‘owner’ and operator of the smart meter and any command to update firmware must be initiated by them. Meter manufacturers, the DCC and the SEC Panel will also play a role in this process to protect the integrity of the firmware image and ensure that the meter has all necessary certifications before a new version of firmware is applied.
24) The SEC places obligations on suppliers to ensure that any firmware updates they receive are digitally signed by the manufacturer (to ensure authenticity of origin) with a SHA-256 hash across the face of the image (to ensure integrity, i.e. no tampering after it has left the manufacturer). As a further security control, before acting on any request by the supplier to update the firmware on a device, the DCC will check the digital signature of the supplier and independently validate the SHA-256 hash against that held on the SEC Panel Certified Product List (CPL). Only after these checks have passed will it add the DCC’s message authentication code. The meter will not activate the firmware without verifying the digital signature, the message authentication code and the firmware hash from the manufacturer.
25) An assurance maintenance plan must be agreed between each meter manufacturer and their CPA lab. This will describe the changes to the device that will trigger re-evaluation by the CPA lab, in particular any which could impact the security of the device. This re-evaluation must be completed prior to any firmware update being authorised and listed on the CPL.
148 Paul Ohm, UCLA Law Review, vol 57 (2010), pp 1701–1777
16 September 2016