Beroset on AMI and Smart Meter Security Considerations - Late 2013

Ed Beroset is the Director of Technology and Standards at one of the main smart meter making companies, Elster, and I've had the good fortune of meeting him on several occasions when both had speaking duties at grid security conferences. In this case, tech director also = security strategist and spokesman.

Recently, as I've started to prepare myself for work with Greentech Media's Grid Edge council, I wanted to check up on the current state of security thinking around AMI and smart meters.

Lo and behold, here's Ed who just put it down in pixels with 3 questions to ask yourself, along the lines of what are you protecting and why, and 7 to ask your vendors.  In the latter category, I particularly like #1 and the advice that follows:

What security measures does your system employ? 

Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.

This may be more advanced than your typical energy sector start-up is ready for or need be ready for, but it's a good example of the types of scrutiny mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.

You can read the full article HERE.

Absurd David Chalk Smart Grid Security Talk

I know I tend to respond, Pavlovian dog style, when awful stuff like this pops up, but I can't help it. Perhaps you've seen THIS already, as Jesse Berst wrote a post around it on his widely read SmartGridNews site.

Purported Canadian security expert David Chalk is saying to anyone who will listen (and that's a lot of people) that there's a "100% certainty of catastrophic failure of the energy grid within 3 years."

Chalk's eight-minute, Smart Grid snuff film has all the requisite apocalyptic theatrics of a political attack ad. It shows light bulbs exploding in slow motion, shaky images of the 2007 DHS Aurora attack demonstration already posted on Youtube (HERE again if you like), and the following "Smart Grid Facts":

• Completely Hackable
• Bills Going Up
• Privacy cost
• Health Issues
• Fires
• Democracy Gone?

Beyond Chalk and the apparently unhinged Citizens for Safe Technology, not sure who benefits from this craziness. But it seems to be another odd thing for the media to shine a light on, attract moths and eyeballs, and spur less-than-lucid conversation.

The video concludes with a message that solar power is the one proven path to the world's energy salvation and away from the sure perils of the Smart Grid. As SGSB readers and many others already know, the current grid isn't well suited to handle large amounts of intermittent cleantech power.

Since one of the drivers for deploying Smart Grid tech is to allow wider use of wind and solar, Chalk and fellow film-makers, please figure out what you want. And please do so in private.

Former on Current and Future Grid Security Challenges

I've had a dozen or so copies of this article mailed to me in the past 24 hours. It describes attacks against 2009 vintage, semi-Smart Meters in Puerto Rico that appear to have cost the utility, PREPA, quite a bit of money.

The FBI is involved, and you get some good commentary from InGuardians as well as Itron. Security Engineer Robert Former, from the latter, has the best and final word I think:

What you’re hearing is the sound of [a] paradigm shifting without a clutch,” Former said. “Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we’re going to fix a security problem is to expose it.

Back to the thorny subjects of information sharing and disclosure, not to mention future proofing. Let's keep pushing on all fronts, people. And sorry if all the puns in this post made you tense.

Smart Grid Privacy for Real

I find I like reading stuff by Jeff St. John at Greentech Media, because he covers all the bases. Almost a month ago he did a piece around San Diego Gas & Electric (SDG&E)'s use of the Ontario's "Privacy by Design" principles to ensure proper protections for their customers, and hopefully, in-so-doing, meet the requirements of the California PUC's privacy rules for the big 3 Investor Owned Utilities (IOUs).

I'll give him a little grief for this section:

... customers ... are worried that their smart meters will allow hackers, data thieves or other nefarious parties to know when they’re home and when they’re away, or to piece together other personal information. Sure, people tend to give away lots more personal information when they’re surfing the internet -- but they do so by choice, whereas smart meters are being installed on their homes without their direct permission. 

IMHO the additional behavioral information that can be gleaned from Smart Meters is incremental, not a game changing tidal wave of previously unknowable, super personal dirty laundry. And though no one, including the government, is making people: buy computers and smart phones, and no one is forcing them to use the web to buy things, consume entertainment, stay in touch with loved ones, get educated, find new friends, share secrets, do their banking, and even adjust their electrical plans, it would take an army to take that all away from folks now.

Survey after survey says they demand more self service, more flexibility and more options from their service providers. Smart Meters will eventually enable all of that and then some, so for me saying their having the meters forced on them is a bit of a rhetorical red herring. Like saying ATMs were forced on people. You want them gone too cause you weren't asked up front?

But I began by saying I generally like Jeff's stuff and this article is no exception. He handles citations from Ontario's Privacy Commissioner, Ann Cavoukian, with aplomb. I particularly like this one:

... the real threat utilities should be worried about is the dreaded privacy breach, Cavoukian said. Measured against the public relations and political ramifications for the smart grid of the possibility of a major loss or theft of customer data, “utilities shouldn’t be asking how much money it costs -- they should be asking how much money it will save,” to invest in privacy protection upfront, she said.

I won't throw numbers at you here, but suffice it to say that when you read about the weekly exposure of personal account information from successful cyber breaches of banks, retails, credit card companies, etc., one thing the public isn't exposed to are the amazing (and amazingly expensive) gyrations those companies go through to try and make things right. Picture boatloads of attorneys. Picture the mass combustion of 55 gallons drums worth of midnight oil. In other words, Cavoukian's got a point.

This is an interesting international collaboration between a Canadian province and an entity regulated by a US state. One thing they have in common is that both are very forward leaning in a number of ways, not the least of which is in their enthusiasm for modernizing the grid and grid systems. It's good to see that both acknowledge the responsibility to their citizens that comes with that.

And by the way, the other 2 California IOUs, Southern California Edison (SCE) and Pacific Gas & Electric (PG&E) are moving out on privacy and protection of customer data as well.

I'll leave it at that for now. Best thing you can do is read St. John's article yourself which you can do by clicking HERE. And be careful about what you put on Facebook ...

Balu Ambody on Smart Grid Security Gains at IBM's 2012 Pulse Conference

I'm still back in unusually warm Boston, about to head to Houston to join a cybersecurity panel at CERAWEEK on Wednesday.

But want you to know that a smart guy I've shared the stage with before, AMI vendor Sensus' Director of Information Security Balu Ambody, will be giving a talk on Smart Grid Security at the MGM Grand tomorrow.

It's part of IBM's huge annual "Pulse" conference, and if you happen to be there, you can bee-line it to his session armed with the following info:

• Session ID: BSI-1714
• Title: "Smart Grid Security" 
• Day/Time: Tuesday 3/6/12 at 14:00-15:00 Pacific Time
• Venue: MGM Grand Conference Center, Room 306
• Abstract: An introduction to smart grid security challenges, followed by a discussion of Sensus' use of IBM's security solutions to enhance the security of their smart meters and smart meter management system

Photo credit: Kevin Hutchinson on Flickr.com

Weekend Youtubing: "Smart Meters are not a Killer Fascist Conspiracy"

I have found the ultimate antidote to the sum of all Smart Meter fears in the form of this video. Before you start it, however, please note that it's really not entirely safe for work. It has many funny bits but a few naughty bits too. Ok, you've been warned ... now enjoy.

GoodSpeed to the Rescue for Pernicious Smart Grid Hardware/Firmware Security Problems

Very much in the spirit of an SGSB post that's turned out to be pretty popular: The Value of Black Hat to Smart Grid Security, free spirited hacker genius Travis Goodspeed is starting something that might raise a few vendors' hackles. But actually, because it may incite some anxiety, it may also get some results.

In Travis' own words, here's the raison d'etre of his new iniative, called "Smart Grid Skunkworks":  

Recent vulnerabilities found in smart meters and HAN devices have shown a number of weaknesses in the engineering practices used to build these devices and their constituent components. A vulnerability in a chip or library is fixed slowly, and it is a very rare event that the meter and thermostat vendors affected by the vulnerability are notified by their suppliers. Because of this, vulnerabilities are spreading downward through the supply chain, and the engineers of smart grid devices are left uninformed.

There are technology and business issues at work here. And more than a little corporate psychology too. 

Left alone, this seemingly intractable set of esoteric problems would likely never be solved. But that's what got Travis charged up, it seems, so much so that he dreamed up this movement and ended his call to action with:

I invite you to join me in preventing smart grid vulnerabilities before they are created.

I've given you the bookends, but you should definitely read the whole piece yourself, HERE. And then if you've got the technical chops to help, and you won't get yourself in too much hot water, this might be just the thing for you.

Photo credit: Travis Goodspeed on Flickr.com

A Couple of Closing Thoughts on Hurricane Irene

Hurricane Irene fully cleared my city (Boston) last week, we've had nice weather since, and everyone (or almost everyone) in Massachusetts has their power back at the time of this writing. Folks in some other states aren't quite so lucky.

But before we file away the memory and move on to the next storm or cyber incident, check out this Irene-related online exchange between a residential customer and a utility executive doing his best to keep his customers as informed as possible:

Q: Why am I getting calls to see if my power has been restored when in fact it has not been? I have a 4 year old and 1 year old and you can imagine what it is like being without power. 

A: One of the reasons we perform call backs is because crews have made repairs in the neighborhood and surrounding areas, and we want to ensure that each house has been restored. Without requesting a call back when you report an outage, we wouldn't know the service to your house is still out. Please make sure to report all outages to 1-877-xxx-yyyy.

Sounds like a region ripe and ready for its residential Smart Meter deployments, doesn't it? I'd say it's well worth the extra time and effort cyber professionals need to develop a secure Smart Grid to relegate conversations like this to history.

And the image of the totally chewed up poles (from Nag's Head, North Carolina) really caught my eye. Aren't the poles supposed to be holding up the lines ... and not the other way around? As immigrants to the electric sector quickly learn: cyber risks are one thing; Mother Nature is something else entirely.

Photo credit: Nicholas Kamm of AFP

The Value of Black Hat for Smart Grid Security

When it comes to spotting flies in the energy sector security ointment, perhaps regulators are too polite to utilities, and utilities too polite to their suppliers. No such problem with the security hackers who jump up on Black Hat's global soap box every year and show the world what they've found.

The conference wrapped up last week, and I've got two completely different types of finding for you. One has to do with huge vulnerabilities in the systems related to home networks at the edge of the Smart Grid. The other is targeted at the heart of the legacy grid itself: SCADA systems and the programmable logic controllers (PLCs) that run important transmission and distribution equipment.

• Click HERE for the home network piece
• And HERE for the grid equipment vulnerability demo

Two years ago it was Smart Meter vendors who found themselves embarrassed, in the cross hairs of security pro's, who showed how easy it was to exploit weaknesses in their products. Now attention has shifted to other grid elements. And the beatings continue!

Suppliers thinking they'll save money by moving slowing on improving the security characteristics of their products are playing with fire. The lesson of Black Hat is that they'll be found out. It may not be by NERC. And their utility customers may be focusing on other pressing challenges. But man, sooner or later, the Black Hat crew will be on your case and when they do it'll take more than tons of money to get your troubles behind you.

For this, we should be grateful. Keep it up guys!

From the Left Coast comes Big News on Smart Meter Data Privacy Regs

No time to pontificate on this now, but wanted to make sure you saw the news. CPUC's formerly proposed decision has just become a decision. One, the implications of which, could ripple across the US and impact future Smart Meter and Smart Grid deployments. See the Jesse Berst quick take on it HERE.

2nd Smart Grid Security TwitterStorm Spotted

Social media storm chasers have identified this Wednesday afternoon (330 pm ET to be precise) as the likely time the next security related Smart Grid twitter discussion is likely to hit. The previous one, that I was involved in anyway, was last fall, and it was a pretty interesting and educational affair. See announcement HERE.

Subject this time will be the deployment of security controls at a US utility for two primary objectives:

1. To protect itself from potential attacks coming from outside, particularly the Smart Meters and AMI network it's been standing up for customers recently
2. To protect Smart Meter-enabled residential and commercial customers from potential attacks (or accidental, incorrect instructions) originating inside the utility or its systems

Please note, this will be an IBM-centric discussion so I'll be speaking/tweeting from the perspective of my day job using the Twitter ID: @IBMSmartrEnergy and to follow or participate in the conversation folks should use the Twitter hashtag: #IBMSG.

Looking forward to this event: please join in if your schedule allows. BTW I'll be using the TweetDeck app for this event and recommend you give it a try if you haven't already.

Good Smart Grid Security News from the Land of Nowitzki

You know, as a staunch anti Smart Grid FUDdite, it's not easy for me to praise the article that contains this quote:

If I’m a burglar, for example, all I’ve got to do is hack into the smart grid, and I know when you’re home and when you’re not home.

Ha, it's clear that hacking meters is easy as pie !!!

I think of burglars and immediately wonder what's this person thinking (I almost wrote smoking)? Unless you view what the MIT students famously pulled off in Vegas (as depicted in the film Numbers) as burglary, I just don't see the average, or even the above average burglar investing in Smart Meter hacking school tuition. Heck, they probably don't even have the SATs to get in.

It may be important to note that said quote is from an attorney (and likely a good one) whose helps run his firm's Cloud Computing and Cyber-Security practice team. Certainly that type of statement could drive some revenue.

Nevertheless, the reason for this post isn't the quote and commentary above, it's the title and tone of the larger article that caught my eye. Goes against the grain of 99% of media reports warning of the impending Smart Meter led apocalypse.

Especially good, I think, is this bit near the end:

“It’s impossible to design an impenetrable security system, but we have a multi-layered approach that’s overseen by several offices.” Oncor has a full-time security team that is constantly monitoring and addressing each security alert ... If there are irregularities, the team investigates them. If a problem were to arise, the team would take measures to lock it out of the system.

You don't have to be bullet proof to be secure (enough). And being able to see what's happening, and ready to respond, is key. Got to like it.

How like Texas to be so unlike the rest. You'll find the full article HERE.

Oh yeah, and way to go Mavs !!!

Insane in the Brain - Why your Smart Meter may soon be on the Most Wanted List

Words fail me (which is weird, right?). Way too many radiating radio waves for comfort:

Although smart meters are too new to form definitive conclusions regarding their long-term risk, data from several studies show about twice the risk of a rare kind of brain tumour in those who've used a cellphone half an hour a day for 10 years. These tumours normally take 40 years to develop.

If the so-called nuclear expert from California, referenced in this article, is right, you need to get out of your house immediately, wireless, wired or no Smart Meter. And don't go outdoors either ... far too many radio waves out there as well, not to mention the sun. And wolverines.

Hmm, that's funny, sounds like a cave is your best bet. Which is where I said you should consider going in the previous post. I'm detecting an early trend.

It's going to be ok, though. Our ancestors did some of their best work in caves, as you can see in Werner Herzog's latest film.

The Fruits of Smart Meter Phobia

OK, so you don't want a wireless Smart Meter on the side of your house because you're sure, despite copious scientific evidence to the contrary, that its radio frequency emissions are going to kill you.

Well, after organizing and making your intentions clear, you have won. Congratulations! You can have it your way and keep the darn thing off your house. One small catch, though: you'll cost a lot more money to support so you'll have to pay extra.

We're working on modernizing the grid so it can support greatly increased amounts of intermittent wind and solar energy. We're trying to reduce our use of, and dependence on, fossil fuels, which will make our world a healthier place by far. Smart Meters have an important role to play by giving utilities a better picture of near-real time energy demand, as well as the means to manage demand during periods of peak consumption.

So, about that cell phone you press against your head? And the computer screens you stare at all day. And the wifi router that forms your home network. And the microwave that's running sometimes while you tidy up in the kitchen. You've tolerated, if not embraced, modernization of other sectors of the economy. Please be a bit more consistent with your fears and let us get on with our work.

Image credit: Zazzle.com

Smart Meter Health Fears Allayed ... thanks to Science !!!

In early December 2010 I wrote a piece on how groups were forming on both coasts to fight the deployment of Smart Meters in their regions titled Smart Meter Resistance Movements. As you  can probably tell, as a staunch anti-FUD spreader, I'm not a big fan of these hysteria spouting folks. Today, the verdict is in, and I offer you an antidote to one of their principle contentions.

The non profit California Council on Science and Technology, an organization "designed to offer expert advice to the state government and to recommend solutions to science and technology-related policy issues" has just released a report weighing in on the "Smart Meters give you brain cancer" debate.

And they did so rather decisively. As their just released study revealed:

Wireless smart meters, when installed and properly maintained, result in much smaller levels of radio frequency (RF) exposure than many existing common household electronic devices, particularly cell phones and microwave ovens.

I saw this first on SmartGridNews which covered it HERE.  Or you can go directly to the CCS&T report by clicking HERE.

You can still argue privacy. One can (and should) quite reasonably voice concerns over security. And maybe the economic advantages haven't proven themselves yet, at least from the individual home owner's perspective. But as regards the purported threat from RF emissions, I think we can all sleep well now. That claim's been put to bed.

Photo credit: Sam Howzit on Flickr.com

Life's Rich Pageant: Smart Grid Resistance Movements

Since I've been covering their emergence, Smart Meters, the gateway drug for the Smart Grid, have been  alleged to do some or all of the following:

• Cause confusion or brain cancer
• Facilitate attack by foreign nations
• Help utilities get rich by cranking up rates forever
• Give Barack Obama control of your house
• Signal criminals when your house is ready to be robbed
• Reveal to the government when you're doing naughty things
• Reduce fertility in laboratory mice

These stories pop up all over, but here's the latest from Maine and California. And lest you think this is a phenomenon unique to the USA alone, here's a vigilant gentleman chiming in from north of the border:

... these so-called 'Smart Meters' may be deliberately 'tricked' to register a higher consumption reading than is actually true. Obviously, this would produce more revenue for the greedy utilities and the greedy governments which are constantly looking for new ways to screw the people.

Well said Sir! And tell you what - if after reading these you find yourself converted, you can go HERE for all your anti-Smart Meter propaganda needs including bumper stickers and yard signs.

We're trying to update the grid for the 21st century: bringing better efficiencies, improving reliability, and enabling greatly increased use of renewables and EVs, and this is the response from some folks.

As Charlie Brown used to say, "Good grief."

Photo credit: "Radio Waves" by Thomas Anderson on Flickr.com

Common Sense and Common Knowledge

At the 2010 RSA Conference in London this week, long-established security visionary Ira Winkler was giving a speech entitled "If you tweet what you had for lunch, you deserve to be robbed". It was a very entertaining presentation about the amount of information people are unintentionally sharing into a public environment that is populated with both well-meaning and ill-intentioned folks. Perhaps a summary would be useful here, but that isn't really the point of this piece.

During Ira's presentation, he discussed the linked concepts of "common sense" and "common knowledge". In the social networking community, a lack of knowledge among many, particularly the young, about how all of this sharing could really hurt them, leads to decisions that we see as stupid, as lacking any sort of common sense about privacy, propriety, and personal space. As he was describing the disconnect between these adult values and the narcissistic need to share, I started to think about the challenges we are seeing in achieving a real and consistent set of common goals or methodologies as we work to secure the Smart Grid.

We see some organizations expressing security in terms of reliability, others in terms of privacy, still others in terms of financial justification and utility viability. A quick couple of keystrokes brought up some examples:

• NRECA has provided some content that is customized and adapted to various smaller utility newsletters that talks about "Balancing Smart Grid Buzz with Common Sense". It presents a view of the coming Smart Grid in more conservative terms, tamping down some of the projected customer enthusiasm about new features with a strong dose of cautionary logic. The Dawson Public Power version of the piece closes with:

  "There’s a big difference between being on the cutting edge or the bleeding edge of technology. Dawson Power wants neither. We want the “proven edge”..."



• On the other hand, common sense means something very different to some Smart Grid deployers in Texas. According to an article in Electric Light and Power, It is about evolution and revolution:

  “Texas is the one I always point to, and the main reason, I would say, is they are taking a very common sense approach,” [eMeter chief regulatory officer Chris] King said. “The legislature passed a law saying, ‘We want smart meters.’ They didn’t spend 10 years trying to boil the ocean. They have home area network interfaces in the meters, as does California, but in Texas they’re already live. California is a year away, maybe two."
  
  “Texas knows they’re making mistakes—they’re small—and they make a fix.”



• In April, the New York Times carried this thought on a differing style of Smart Grid common sense:
  

  ...Ralph Izzo, chairman and CEO of New Jersey's Public Service Enterprise Group, said better marketing may not be the answer to addressing the gap in consumer understanding of electricity use or changing consumer behavior.
  
  "I think we tend to overstate the contribution that sophisticated technology can and should make," Izzo said.
  
  "I feel like just shouting, 'Stop. Apply some common sense,'" he said. "Before we start championing multibillion-dollar investments in smart grids that control set-back temperatures on refrigerators because there is or isn't going to be a Super Bowl ... we need to get folks to caulk around their windows,"
  

So what do we do with all of this?

The fact of the matter is that there does not exist a common base of knowledge, objectives, or outcomes, that can be applied to the megalithic, polymorphic, thing we think of as the Smart Grid. This means that individual organizations, regulators, customers, and implementers will likely have a different basis from which to develop appropriate solutions and timetables. As so often happens, the definition of common sense is not so common. That isn't because the concerned parties aren't sensible, it's because they are highly sensible to their own uncommon needs.

This teaches us a new lesson, that solutions and proposals need to be very specific in their goals and rationales, and organizations must establish a common base of knowledge for discussions on any proposal's merits. Only with that shared understanding can we rely on the "common sense" of good people to create solutions that will ultimately make sense for the common good.

Image courtesy of Casey Brown

The 1st Smart Grid Cyber Security Summit is Toast - Selected Notes from Day 2

As good as the utility panel was at the end of Day 1 (see final bullet here), Day 2's vendor panel comprised mainly of meter guys was another clear standout. On the stage were:

• Robert Former, Itron, Principal Security Engineer
• Edward Beroset, Elster, Director of Technology and Standards
• Stan Chan, Verisign/Symantec, Director of Strategic Initiatives

Here are some of what this panel conveyed, sans attribution:

• We've gotten much more serious about security in the past year and we're making changes at a rapid pace
• All products go through rigorous security tests by reputable third parties pre-release, and security testing is continuous throughout the lifecycle
• Plans to share vulnerabilities ID'd in these 3rd party tests with PUCs and other regulators and stakeholders
• Additional attention to security driven by huge push for more security from customers: utilities
• A question was raised on whether Smart Meters could trust smart toasters. There was no answer to this question as it was rhetorical I believe. Certainly thought provoking
• Meters must withstand extreme weather conditions and consume no more than 5 watts. Think about it - a one watt difference per meter x 1 million meters = a megawatt

Later, a question from the back row to the microgrid panel caused a stir. What was that question? Something like: "Are utilities aware of the possible disruptive nature of microgrids to their well established business models?"

Murmuring and agitation ensued ... along with very many words flowing high rates of speed. To sum it up, I believe the response was along the lines of "hell yes and they're using lawyers and all other means at their disposal to slow microgrid deployments down." Personally, I don't believe that response captures what I see as a range of microgrid thinking by utilities. Some of them, I'm sure we'll see, want to get out in front of this movement and will make it another part of their offerings.

In marked contrast, the final panel, which included Elinor Mills of CNET, was a thoughtful and somber meditation on the near-perfect relationship between the media and Smart Grid utilities and vendors. NOT!!! It was fairly raucous and included a course mixture of literal and figurative finger pointing. In the end, neither side was completely innocent of wrong doing and neither side was completely guilty. Both sides agreed to keep talking with hopes that better understanding and communications would follow in the fullness of time.

As for the conference itself, I spoke with a couple dozen folks before we disbanded and all were well pleased with what they'd experienced and all pledged to attend the next Smart Grid Cyber Security Summit event. I have it on good faith that videos and other useful artifacts from the conference will soon appear on the summit site. When they do, I'll be sure to send out a heads-up here on the SGSB.

That's a wrap for now. I've got a red eye back to Beantown to catch. Go Sox!

Photo credit: The Social Blog Network on Flickr.com

Smart Meter Increases "Suit" Pacific Gas and Electric

On November 16, 2006, at a lucky customer's home in Bakersfield, CA, PG&E launched its SmartMeter program, designed to alleviate costs for customers, costs for supporting the power grid, and the cost of generating so much energy in the area. Even the commissioners were optimistic, as reported in a PG&E press release:

"I am pleased to witness today the installation of the first smart meter for a PG&E customer," said Michael R. Peevey, president of the California Public Utilities Commission. "This technology will link the prices energy consumers pay to the costs of that energy in the wholesale market, empowering consumers with the information necessary to make sound energy choices. Research suggests that even modest levels of price sensitivity in the retail market can yield substantial benefits as customers decrease or shift their energy usage. These types of demand response programs are one of the best ways to meet the energy needs of California's growing population, as outlined in our Energy Action Plan."

It is hard to know exactly when the honeymoon ended, whether it was when Bakersfield.com reported on a customer who found his power usage had tripled during a six-hour blackout, or at the town meeting in Fresno on October 20th which quickly became a unanimous indictment of Smart Meter-ing, or now in November, as a class-action suit has been filed against PG&E, asserting a variety of mistakes and misrepresentations. For those of us who have spent a fair amount of time researching the potential for advances derived from Smart Metering, these developments are disconcerting.

From a security perspective, there are two very important areas of guidance to take from these developments, and from the likely continuing negative perception of Smart Metering in some areas.

Integrity and Availability of Data

As we wrote here, and as others opined elsewhere, there is likely an abundance of information about to flood utilities. Some have rejected, or at least resisted, the idea that anything like high volume sampling would happen, and that aggregated data would be the more probable artifacts that utilities would store for billing and management. This suit and the ongoing outcry for justification of higher bills are exactly the reason why more detailed and regular metering information will need to be gathered and stored.

See, it is likely that these bills are actually accurate. As the commissioner stated at the outset, "modest levels of price sensitivity in the retail market can yield substantial benefits". Ok, so maybe the hot tar and chicken feathers are not necessarily a benefit, but they highlight a new awareness on the part of the consumers. It is surprising that this message of usage and contention for power has not been better absorbed by the public. Take an average citizen. They use power, like everybody else, from 8-6. Enter the Smart Grid, and the smart meters. In an attempt to incent off-peak usage, and to compensate for the increased cost of peak generation, power is more expensive from 8-6, and so the average consumer's bill, if they do not change their behaviors, is going to be higher. The smart meter only becomes an engine of positive financial impact for consumers when they figure out ways in which to really alter their power use to advantage the off-hour charges.

Until that happens, expect that there will be continuing challenges to the veracity of the smart meter data, and continuing scrutiny of the systems that collect and store it. This equals what we described in earlier posts, a need for lots of data, lots of governance of that data, and good security from authenticating the user to authorizing the billing.

Actual Smart Meter Opponents

Any publicly-perceived inequitable grab for cash by a business or utility can spawn a grass-roots movement in opposition. Ignoring the more fringe folks who bring you the youtube videos of jack-booted thugs monitoring your hot-tub to charge you with profligate energy spending, there are others who are more credibly mobilizing around this issue. An example is San Francisco-based TURN (Toward Utility Rate Normalization). With a 35 year history in utility consumer advocacy and activism, the have a new focus on the perceived inequity of a smart metering infrastructure that saves costs for utilities (better management, less truck-rolls, easier disconnects) while increasing the actual bills for consumers.

With group action, and organized effort, there comes increasing visibility and controversy around the issues, and there are likely to be more critical assessments made of Smart Metering infrastructures. This will naturally splash as well onto the overall Smart Grid approach of which smart meters are such an important part. With any such increase in visibility and controversy, individuals outside the credible groups may well begin to conspire to take more aggressive action, potentially creating a new wave of "hacktivism", with the focus in this cycle being the Grid. This will change the nature of the threat to the Smart Grid enormously, making it much more likely to experience the types of attacks that more typically plague governmental and military infrastructures.

Some of the Solution is in the Data

Many of the same constituencies who are actively opposing the Smart Meter evolution are also very much interested and involved in the promotion of more efficient energy usage and more integration of alternative sources. It is now the responsibility of the utilities to educate their customers about the actual dynamics of power and power pricing, to help them to better understand the choices that they will need to make.

For those utilities who have not yet begun to alter the finances of their customers through higher peak pricing, there is a cautionary tale here. It seems that it might well be worth 3-6 months of reporting on usage, with simulated billing and recommendations for changes, prior to actually instituting those changes. It would better showcase the insight provided by Smart Metering, would provide a sense of empowerment for the users, and would certainly eliminate some of what seems to be a sense of blindsiding on the part of the consumer.

Image thanks to the whimsical stylings of Roger Wood

Smart Meters as Rough Yardsticks

In reading through the successful Grant recipients from the Smart Grid Investment Grant Program, it was interesting to make a couple of notes:

1. Smart Meter Roll-out
   

   In the FERC's Demand-Response Paper from September of 2009, the number of Smart Meters currently implemented is roughly 8 million. Looking at the total of the specifically identified smart meters implemented as a result of successful SGIG requests, that number is now funded to get to a total of 18 million with the SGIG funding. That means that the SGIG will carry smart meter deployment to more than 20% of the FERC demand response projection of 80 million meters by 2019. Let's hope that the meters are chosen correctly.

   Per-Meter Costs
   There is enormous variability in the costs of the smart-meter roll-outs as described by the various grants. This is understandable in that the number of meters is only one criteria of many of these proposals. For some, these are an initial effort, for others they are scaling existing investment up. The meters, though, do loosely equate to the public involvement (connected by meters) that the SGIG is attempting to accelerate. As such the range and variety are worth noting.

   • 79% of grants expect associated costs of < $500/meter
   • 18% of grants expect associated costs of $500-$1000/meter
     
   • 2% of grants expect associated costs of $1000-$2000/meter
     
   • 1% of grants expect associated costs of >$2000/meter

So what does this tell us?
The information is pretty scant in the released SGIG award documents, but there are some insights, if not actual conclusions, that can be drawn from it.

1. Its about Usage
   According to the rudimentary data that is provided, Smart Meter-related projects are consuming by far the largest section of SGIG funding, and at least 85% of the total investment (SGIG and Utility/Vendor) expected for these projects. There are mentions of accommodating other energy sources, but the projects seem pretty focused on how power is consumed, and how that consumption is measured, as opposed to how it will be generated and distributed.


2. There is No Clear Standardization of Direction
   While these grants are providing the impetus for some organizations to begin work on Smart Grid infrastructure, the sheer size of them make the investment much more about rapidly scaling that adoption. Given that, and given the need to maintain stability in power, the projects themselves seem to be surprisingly one-off's, each intending to validate or optimize one organization's view of the new generation of Grid. As an example of this, take a look at the wording provided for two projects in North Carolina, from Duke Energy and Progress Energy, respectively
   

   [Duke Energy] Comprehensive grid modernization for Duke Energy’s Midwest electric system encompassing Ohio, Indiana, and Kentucky. Includes installing open, interoperable, two-way communications networks, deploying smart meters for 1.4 million customers, automating advanced distribution applications, developing dynamic pricing programs, and supporting the deployment of plug-in electric vehicles. Will also benefit customers in IN and OH. ($200,000,000 SGIG/$851,700,000 Total)

   and
   

   [Progress Energy]Build a green Smart Grid virtual power plant through conservation, efficiency and advanced load shaping technologies, including installation of over 160,000 meters across its multi-state service area. Will also benefit customers in SC. ($200,000,000 SGIG/$520,000,000 Total)

   It is hard to think of projects of this magnitude as test beds


3. Ready or Not, Here We Come
   From a security perspective, this is a massive investment in expanding the exposed surface of the grid, and it will impact a new generation of underlying communications infrastructure. Most of the synopsis data includes things like two-way communications, interactivity, new networking infrastructure, etc. That is a wholesale shift for millions of customers, and we continue to hope that people are putting hard thought into it, because those dollars will be spent, and we will need to reconcile the security one way or another.
   

I guess that last conclusion that I draw is that this program also tells us that even in these small-ish numbers, the costs are huge. Through either market forces or another wave of government investment, getting to the FERC's "partial adoption" could easily cost another $15B of government funding on this route, and another $20-30B in private investment. The numbers to get to a fuller adoption are far higher. From a security perspective, all of this continues to point back to understanding what is necessary within the new infrastructure, and what acquisition guidelines should drive these enormous purchases, because it will be impossible to unwind this once it gets moving.

The SGIG has put fuel into a very powerful and creative technical engine within the energy industry, and like an automobile, that power is generating speed. As that speed builds up, we need to see similar emphasis on keeping the headlights on so we don't crash on these unfamiliar roads.