“Hello, this is the British Electricity Smart Meter hotline. You are number two million, four hundred and sixty eight thousand, two hundred and twenty three in a queue. We’re sorry your smart meter has disconnected you and that you have no electricity. We are working to upgrade the firmware in all of our smart meters and hope to have your power restored sometime in the next six months. Thank you for your call.”
It’s the scenario that no-one in the energy industry wants to talk about – the day that Britain’s smart meters go wrong or get hacked and millions of users lose power. It will probably never happen, but some things have such appalling consequences that we shouldn’t design and deploy something that makes even that small probability possible. But we have. And nobody appears to have thought about making sure it’s possible to recover from it.
An amazingly complex smart metering programme
The GB Smart metering specification grew out of a British Gas specification, published in 2010, which owed more to the potential for customer acquisition than any advantage it gave to personal energy efficiency or grid management. With mis-selling contracts on the doorstep being the industry’s main route to customer acquisition, they saw the ability of smart meters to offer tailored tariffs as an important advantage. Within a year, doorstep selling had been outlawed, but that original specification lived on, morphing into the amazingly complex GB Smart Metering Programme.
Whilst other energy suppliers have prevaricated about deploying smart meters ahead of DECC’s final specification, British Gas has gone ahead and now has around 2.6 million smart meters installed. They’ve just announced that any of their customers with one of them can sign up to their FreeTime tariff to get free electricity between 9am and 5pm on a Saturday or Sunday. That’s a very compelling offer and will almost certainly attract new customers. The other energy companies are now beginning to realise that they’ve been outmanoeuvred. They’ve allowed British Gas to establish a Government policy which they’re using to steal their competitors’ customers, with the added advantage to British Gas that their competitors will end up helping to finance it. It shows very clearly that this is not about grid management, energy efficiency or network automation – it’s about competitive marketing.
It’s a brilliant example of using technology for commercial one-upmanship. The only flip side is that the technology has proven to be a lot more complex than anyone in the industry anticipated, but that’s a result of letting marketing get ahead of technology or evidence. As a result, our smart meters have been designed in such a way that if they go wrong, or get hacked, all of our lights could go out.
Smart meter security
I’ve written about the issues in smart meter security before. [UK Parliament Calls for Evidence on Smart Metering Programme and Squirrels, Grid Security and a Stuffed Rudd], I’m revisiting this because of a number of recent developments which open more questions about the GB programme. The first is the fact that we’re still waiting for a specification to be finished. Every smart meter needs to comply with the Smart Metering Equipment Technical Specification (SMETS2) requirements. Despite the fact that the mass rollout of meters is meant to start this month, SMETS2 is still not finished. According to DECC officials at the start of July 2016, not a single SMETS2 compliant meter had yet been installed, so the meters already out there will need to be replaced or upgraded. The ability to upgrade them is where we hit the problem. Everyone talks glibly about upgrading the firmware on meters, but it doesn’t appear that they’ve thought through the practicalities of doing that.
It’s widely accepted in the Internet of Things community that security will get broken and that the connected things will get hacked, especially if there are lots of them and they continue to be used for five years or more. For that reason, good designers make sure that their devices can be upgraded over the air (OTA). When something goes wrong (and the operative word in this new world of connected Internet of Things is when and not if), a new firmware image (the embedded software which controls the thing) can be sent over a wireless connection to replace the broken or insecure firmware. Doing it wirelessly removes the need for a service engineer to be sent out.Sending an engineer out is not just expensive, it’s slow if you need to upgrade millions of meters. When lots of things need upgrading at the same time, which will be the case if the security in smart meters is compromised, then the ability to update the firmware in all of them very rapidly is paramount.
Upgrading would be easy if the meters had a high speed wireless connection, but they don’t. In order to minimise the ongoing communications cost, i.e. their annual mobile contract cost, smart metering systems are designed with hardware and a communications infrastructure which only supports very low data rates. Meters typically send just a few hundred bytes of data to the server each day and rarely need any data to be sent back. To make this efficient, networks are optimised for data being sent from meters, not to them. They are not designed to send firmware update files to millions of meters at the same time. SMETS2 makes the situation worse, as its complexity means these update files may be several megabytes in size. The spec allows for meters to be gradually updated as an ongoing maintenance activity, but if an update needs to be applied to millions of meters, it could take days or even months.
We need to know how long it would take if a security breach is detected which could disconnect meters, as my opening paragraph paints a picture of just how bad it could be. The Federal Communications Commission (FCC) in the US has explored this and has a similar concern, pointing out to the industry that “Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.”
The communications network
Given the importance of the communications network as part of the overall system which delivers these updates, the sensible approach would have been to include it as part of the overall SMETS standard, with a single communications infrastructure which was matched to the meter protocols. DECC didn’t do that. Instead they split the country into three areas and then awarded the contracts for communications to two companies – Telefonica for the South and Central areas and Arqiva for the North. They did not even specify that the same technology be used across all of the areas. Telefonica are using GPRS – the well-tried and trusted element of the 2G cellular system which will be deployed for our smart meters just at the point that the rest of the world is deeming it obsolete and turning it off. So by 2025, Britain will probably have the most out of date cellular infrastructure in the world, thanks to smart metering. Arqiva are using their own proprietary system, running at a lower frequency of 422 and 424 MHz. The question is whether either network is capable of supporting a rapid upgrade of millions of meters?
I’m particularly concerned about the Arqiva option. Most sub-GHz radio networks are optimised for uplink – sending data from sensors to the cloud. They typically only support downlink rates of a few hundred bytes of information per day to each device. I’ve been looking at other LPWAN standards like Sigfox and LoRa and I’m concerned that they could take months or years to upgrade millions of meters. As far as I’m aware, neither Arqiva’s solution nor Telefonica’s GPRS system supports a broadcast mode, which would send a single update file to all meters. Instead, a separate firmware update needs to be sent to each individual meter. If we make the assumption that Arqiva is deploying an LPWAN type of system, it could take months to update ten million smart meters.
The original European mandate for smart metering (which was never an absolute mandate, but that’s another story) insisted that the major technical components of the deployments must be based on recognised standards. That caused DECC months of heartache, as the ZigBee standard they chose and have since heavily modified for the in-house component of SMETS does not meet that requirement. Neither, I assume, does the Arqiva solution. I say I assume, as I don’t know. In the contract, the entire technology section for the Northern area contract (Section D, pp36-39) has been redacted:
DECC loves secrecy. That’s probably because most of their policies have such a shaky evidence base that they want to discourage any close examination. I have a lot of time and respect for Arqiva, particularly for their technology; but for something as important as this, it is vital that the performance of the network is open for external scrutiny. There is no reason that this technology section should be redacted, unless they or DECC are concerned it will not work. The fact that it is redacted may mean that the contract is illegal under the requirements of the European mandate, which demands the use of technology based on specifications from a recognised standards organisation. We need reassurance that it is and that it would be possible to update millions of meters within a maximum of a few days.
Post Brexit and DECC
Of course, post Brexit, that may not matter. Post Brexit, there is no mandate for smart metering which the UK will have to follow. DECC interpreted the EU mandate predominantly to provide climate friendly sound bites for successive flavours of Government ministers, not for any financial or technical reasons. An evidence-based review in Germany has recently concluded that it makes no sense to install smart meters for the bulk of domestic homes, so they are not. There’s no reason we can’t make the same decision.
Things are changing. Post Brexit, DECC is no more and our energy policy is now officially RUDDerless, as Amber has moved on to greater things. I do wonder how much DECC’s demise and integration into the Department for Business, Energy and Industrial Strategy is a result of what Amber Rudd saw during her tenure there? It could equally be due to Nick Timothy, who served as Theresa May’s special adviser and was billed as May’s brain. The final nail in the coffin was hammered in by the Infrastructure and Projects Authority who released their annual report on major projects the week that Theresa May became PM. As in previous years, DECC remains at the bottom of the class, with a definite implication of “needs to try harder”.
Although some of DECC’s other major projects were cancelled by Amber Rudd, the GB Smart Metering project lives on. We’re still to see who gets handed the poisoned chalice, taking on the mantle of fall guy or gal. Whoever it is may have a limited political career. At some point soon they will need to release the latest Impact Assessment for the project, which will provide an update of costs and benefits. That’s now almost a year late and rumour around the industry suggests that the delay in releasing it is because it shows a significant increase in costs, with a fall in net benefits. That could signal the start of a costly unravelling of the project. It probably won’t be the only DECC programme to fail. The recently announced delay in Hinkley Point C provides hope that common sense may finally be making a comeback.
Are smart meters fit for purpose?
Returning to the subject of updates, we need to know that the smart meters which are about to be deployed are fit for purpose. The energy industry should have an equivalent of the Hippocratic oath in which as a minimum, smart meters should do no harm. These are complex, connected devices, so that minimum should mean that they can be quickly updated en masse if security issues are detected, to ensure that they could not be compromised and cut off a household’s electricity.
As the late professor David Mackay said, shortly before his untimely death earlier this year, “The whole of European energy policy is technically illiterate” explaining that “There is so much delusion because people don’t pay attention to arithmetic or the laws of physics”. DECC has been complicit in fostering that illiteracy. The new Government does appear to have recognised that DECC was not fit for purpose, which is a step in the right direction, but it doesn’t address the lack of evidence and continuing vacillation that has crippled our energy policy. It is time for change. I would like to hope that our energy policy’s new master or mistress will bring a better approach to honesty and openness before the lights start to go out.