GCHQ forced to intervene to prevent catastrophically insecure smart metering plan

Schoolboy encryption error could have left the UK's 53 million smart meters wide open to hacking

Intelligence agency GCHQ has been forced to intervene in the UK's smart metering rollout to prevent gas and electricity companies from installing systems that would be catastrophically insecure and wide open to hacking.

GCHQ intervened after seeing plans by the companies behind the scheme to use a single decryption key across the whole of the network to decrypt communications between smart meters and providers. With just one decryption key effectively securing some 53 million smart meters across the UK, a hacker could conceivably cause chaos across the network by shutting off power to people's electricity meters.

The plans would have left the UK's power and gas infrastructure wide open to hacking: the UK's smart metering scheme doesn't just communicate usage for the purpose of billing back to the power companies. It can also restrict consumption and, if necessary, cut off supply.

The UK's smart metering plans have been criticised for being expensive - an attempt to roll out a Rolls-Royce scheme - and using proprietary technology that will make it more difficult and costly for customers to tap their own smart meters to find out how much gas and electricity they are using.

Telecoms veteran Nick Hunn, the director of WiFore Consulting, told Computing 15 months ago that the system cooked up between the utilities and metering industries was "fiendishly complicated". And he warned: "Too many cooks have ratcheted up the technical complexity to the point where it is no longer fit for purpose. As a result, it's lining up to be the next major government IT disaster."

Hunn suggested that old-style gas and electricity meter makers in the UK are typically metal bashers rather than technology companies, which may account for the schoolboy error in their security plans. Dr Ian Levy, in an interview cited by the Financial Times, suggested that this may be the case.

"The guys making the meters are really good at making meters, but they might not know a lot about making them secure. The guys making head-end systems know a lot about making them secure, but not about what vulnerabilities might be built into them," he said.

Most other countries across the world rolling out smart meters have gone for far less ambitious and expensive schemes, largely focusing on communicating usage data back to base - securely - in a bid to identify theft and fraud. This has contributed to the big savings in schemes in places like India and Brazil where power theft is rife.

In the UK, the savings are expected to come from consumers using the information generated by smart meters to cut down on wasteful consumption.
