My colleague Martin Kuppinger has recently (and quite a while ago) posted some critical articles on smart infrastructures in his blog. Yes, security is a big issue there. However, it is not only about security in these more or (in most cases) less smart infrastructures. It is also about making these infrastructures work at all and, last but not least, feasible for a large audience.
In my home, which is a so-called passive house (well insulated, large, south bound windows for passive solar heating, saving 98.5% of heating energy compared to a standard building...), I have a smart meter. I have solar panels on my roof and the sun also is producing the warm water. Altogether, the house is producing more energy than we are consuming, so that we can sell electric energy back to the supplier during the day. The utility company, which had to install such smart meters by law, would not have done that if I had not insisted on doing that. And I know now why.
Because the utility company is not able to “meter smartly”. During the past few weeks we had repeated visits by their employees trying to collect the data the smart meter has collected. They are using the human interface between their central and my house, with somebody making an appointment and then visiting me, bringing along a small infrared device for communication between the smart meter and his own mobile device. That infrared device then should send the data via Bluetooth to an iPhone app. So the interface looks like this: phone appointment -- car -- walk -- doorbell -- visiting the smart meter -- attaching the infrared device to the smart meter -- waiting with the iPhone in hand until something happens -- and waiting -- and waiting -- and back to start. This obviously is a perfect mix of insecure devices and insecure and inefficient communication standards and processes.
However, the risk is limited given that it just does not work. The utility company’s employees are waiting for minutes in front of the smart meter, hoping that something shows up in their app. That did not happen. On the other hand, he was not able to manually read the data from the smart meter because he just had no clue what the different values shown on the smart meter’s display are about. Eh -- I didn't mention before -- it is more than one smart meter. We have a separate one for the solar energy we sell to the utility and we have one that counts the solar energy we use ourselves. But those meters are read by a different person and not together with the reading of the meter measuring the inbound energy consumption.
Now, luckily enough, I have a door with a motor lock at my home, which I can operate remotely through my Windows phone, so that I don't necessarily need to be at home when somebody from the local utility company makes an appointment (or just rings the doorbell). Until the day I got these smart meters in my home, I thought that they are built to be connected and read remotely. But this is not the case. The meter would be able to, but obviously the infrastructure for accessing those meters remotely does not exist. And also, having experienced the skill level of the person operating the reading device, it probably is better for me if the utility doesn't even try to remotely connect to my meters. Being smart is definitely being something different. And no one needs to wonder why I’m the only one in my neighborhood with a smart meter.
This story and the topic of smart metering is not only about security. It is about building an infrastructure that works smart. It is about having smart, well-educated, and informed employees that can handle that new infrastructure. Both security and the lack of usability are symptoms of a horribly planned entry into smart infrastructures. This is probably one of the very big misses over here in Europe and the main reason why we are now entering a period of ultra-high hacking damages ….