Most electric utility companies are moving to what are commonly called “smart meters.” Smart meters report back to the electric utility at relatively short intervals, usually every hour, and provide the electrical usage of your home or business for that interval. They also allow the utility to control the meter and your electrical access remotely. Utilities are moving to these smart meters for a variety of reasons:
- Competitive: a utility with smart meters can offer additional services to an increasingly more energy-conscious customer base. You can go to your utility’s web site and see your hourly usage over the past 30 or so days.
- Legislation and regulation: in many states, the body that oversees utilities (the PUC, Public Utilities Commission, in most states) has mandated that electric utilities reduce their peak demand usage as part of the state’s conservation efforts, usually driven by the state legislature.
- Control: it enables the utility to better monitor for tampered meters or stolen electricity, permits the utility to charge different rates at different times of the day to provide an economic incentive for businesses and individuals to limit their usage during peak times of the day, and even to shut down power to your house or business whenever the utility decides it is in the utility’s best interests to do so.
These are (mostly) all good results, so what is the problem? The potential problem is that the information from smart meters is sent wirelessly to the utility’s datacenter and then made available over the Internet to the consumer. This information provides near real-time electrical usage, and likely the ability to determine whether you are home or your business is open, your typical daily schedule of absences, and an indication about the amount of technology you use. While it is true that in the old days, someone could wander by periodically and look at your electric meter and get the same information, there was some risk of discovery and at a fairly high cost in terms of time. With a smart meter, a cybercriminal in Romania could be selling that information to criminals in your neighborhood.
There are three vulnerability points for this data:
- From the meter to the utility.
- Within the utility’s IT environment.
- Internet access to your data.
You have a lot of control over the last one. I have little sympathy for someone who doesn’t use reasonably complex passwords and change them periodically. The suggestion here is to treat your electric utility web site password with the same care you treat your bank web site password.
It is not easy to find out what is going on within the first two points. At least with my electric utility, there is no information about the security of these meters on their web site or in their PUC filings.
The first step in the smart meter installation process is a phone call from a third party company hired by the utility to tell you that you are getting a “meter upgrade” soon, and that it will involve shutting off your power for a few minutes only. Do not try to ask these people anything. They know absolutely nothing but the script they were given. I said “no thanks” to that call, and within a week I received a letter from a customer service representative on their smart meter installation team. This person worked for the utility. I sent her a list of my concerns and questions. She set up a meeting with a number of their technical people from both the smart meter project and IT. I was pleasantly surprised that I got to talk to people who were knowledgeable, able to understand the questions, and willing to answer them. Here is a summary of what I learned from my electric utility company:
1. Meter to utility:
- There is not much information sent from the meter to the utility: the meter number (which identifies your location), the electrical usage over the last interval, and a means of detecting that a message was lost or duplicated.
- This information is encrypted at the meter with a FIPS 140-2 certified encryption algorithm. At most, the information passes through one additional meter before jumping to the utility’s wireless network.
2. Within the utility’s IT environment:
- All data is encrypted when stored, and an encrypted link is used to transfer the data between IT sites (e.g., disaster recovery).
- The individual hourly records are kept for 45 days and then erased.
- Employees are trained in the importance of protecting customer data.
- The utility runs periodic internal audits of the data and processes surrounding this data.
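The meter-to-utility message described under item 1, as an added example that is not the utility’s own protocol (the page does not give the real format): AES-GCM, a FIPS-approved authenticated-encryption mode, carries the meter number, a per-meter sequence counter and the interval usage, and the utility-side check uses the counter to tell a lost reading from a replayed one. The field layout, the demo key and the Reading/Receiver names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Reading is the assumed content of one meter-to-utility message: meter number,
// a per-meter monotonic sequence number, and usage over the last interval in Wh.
type Reading struct{ MeterID, Seq, Wh uint32 }
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // errors only if key is not 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// Seal encrypts and authenticates the usage with AES-GCM. MeterID and Seq form
// the nonce and travel in the clear, so the nonce never repeats under one key.
func Seal(key []byte, r Reading) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[0:4], r.MeterID)
	binary.BigEndian.PutUint32(nonce[8:12], r.Seq)
	plain := make([]byte, 4)
	binary.BigEndian.PutUint32(plain, r.Wh)
	return gcmFor(key).Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}
type Receiver struct{ Key []byte; Next uint32 } // utility side: Next is the Seq it expects
// Accept rejects forged, corrupted or replayed messages and, for a genuine one,
// returns the reading plus how many earlier readings never arrived.
func (u *Receiver) Accept(msg []byte) (Reading, uint32, error) {
	gcm := gcmFor(u.Key)
	if len(msg) < 12+gcm.Overhead() {
		return Reading{}, 0, errors.New("truncated message")
	}
	plain, err := gcm.Open(nil, msg[:12], msg[12:], nil)
	if err != nil {
		return Reading{}, 0, err // tag check failed: forged, tampered or wrong key
	}
	r := Reading{binary.BigEndian.Uint32(msg[0:4]), binary.BigEndian.Uint32(msg[8:12]), binary.BigEndian.Uint32(plain)}
	if r.Seq < u.Next { // already consumed: a replay or a retransmission
		return r, 0, errors.New("duplicate sequence number")
	}
	lost := r.Seq - u.Next // readings between Next and Seq that never arrived
	u.Next = r.Seq + 1
	return r, lost, nil
}
```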
Based on what I heard, my electric utility is serious about protecting this data within their IT environment.
Smart meters are coming your way, if you don’t have one already. The meters are provided by and managed by a regulated monopoly. No matter who actually generates the power you use, there is only one choice of delivery agent.
Perhaps if more people raised these questions with their electric utility, the utility would provide more information about the security of this data on their web site. At least in my case, they have a good story. When they hide the information, it makes it look like they have a reason to hide it.
The last word:
Since this blog is focused on the security of your personal data, I glossed over the third reason I listed for your utility company to move to smart meters: control.
In the mid 1970s (in Pennsylvania) we had two electric meters: one for almost everything that worked all of the time, and one for the clothes dryer and hot water heater that was turned off during peak usage periods. The rate for the always-on meter was noticeably higher than for the off-peak-only meter. It allowed us to save money without much inconvenience.
In the mid 1980s (in California) we volunteered for a peak usage reduction program. It was not benign: the utility simply cut all power to the house at their discretion without warning. The cuts were relatively short term: 30 – 60 minutes. Imagine that in your home or business today.
Keep your sense of humor.