GCHQ and the Smart Meter Fiasco

Earlier this year, a story was brought to our attention that sent reverberations around the office. As digital security experts, we believe that tightly securing electronic items is an absolute must, and that any company or organisation releasing technology should have a plan in place from the outset. Imagine our surprise when articles regarding the Government Communications Headquarters (GCHQ) surfaced, reporting that the intelligence agency had been forced to intervene in the roll-out of Smart Meters, due to the use of a single encryption key.

It had been found that UK electricity and gas suppliers had intended to install over 53 million Smart Meters across the country, all with a single decryption key for communications. This incredibly naïve and dangerous act highlighted a real complacency from those involved. It was an obvious security risk: had the meters been distributed, hackers would only have had to gain access to a single network to bring chaos and deliver power surges across the country.
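To make the difference concrete, the following added example (not code from the article, GCHQ or any meter supplier) compares a fleet that shares one key with a fleet whose keys are derived per device, and counts how many meters trust the key held by a single unit. Per-device derivation with HKDF is an assumed mitigation that the article does not describe; HMAC authentication stands in for the encrypted link so the code needs only the standard library, and all serials, secrets and function names are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def device_key(master: bytes, serial: str) -> bytes:
    """Per-meter key: the head-end keeps `master`, each meter stores only its own key."""
    return hkdf_sha256(master, salt=b"meter-key-v1", info=serial.encode())

def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts(key: bytes, message: bytes, mac: bytes) -> bool:
    """A meter accepts a message only if the MAC verifies under its own key."""
    return hmac.compare_digest(tag(key, message), mac)

def exposure(fleet: dict[str, bytes], disclosed_serial: str) -> int:
    """Number of meters that trust the key stored in one disclosed meter."""
    message = b"constructed test message"
    mac = tag(fleet[disclosed_serial], message)
    return sum(accepts(key, message, mac) for key in fleet.values())

# Constructed sample fleet: hypothetical serials and secrets, not real values.
SERIALS = [f"METER-{n:04d}" for n in range(1000)]
SHARED_KEY = hashlib.sha256(b"constructed fleet-wide key").digest()
MASTER = hashlib.sha256(b"constructed head-end master secret").digest()

shared_fleet = {s: SHARED_KEY for s in SERIALS}  # the design the post describes
diversified_fleet = {s: device_key(MASTER, s) for s in SERIALS}  # assumed alternative

if __name__ == "__main__":
    print("shared key:     ", exposure(shared_fleet, "METER-0042"), "meters exposed")
    print("per-device keys:", exposure(diversified_fleet, "METER-0042"), "meters exposed")
```

With derived keys the master secret never leaves the head-end, so it is the one value that needs hardware protection and a rotation plan.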

The real issue was the speed with which the roll-out was expected to happen. Adding encryption to a communication link isn’t necessarily a complicated task, but it does require time and dedication from an IT security specialist. The least that should have happened is an ongoing security review, to allow these simple issues to be addressed during manufacture, rather than at the end when little can be done without great expense. Had GCHQ not intervened, tens of millions of homes would immediately have been at risk, due to nothing more than incompetence on the part of their energy supplier.

Digital security is something that is often taken for granted. As the Internet of Things continues to build momentum, and more and more appliances and devices are given inter-connectivity features, the need for it will only grow. With an ongoing system review throughout the development process, a developer can be sure that all weaknesses are closed, and that the product that eventually goes to market has the protection a consumer would expect. Unfortunately, time constraints and laziness often mean that this doesn’t happen, and individuals who aren’t to blame are put at risk.

In this particular case, it was an organisation that wasn’t necessarily capable of integrating the digital security protection required. Old-style meter makers had been asked to develop something completely new. Smart Meters are an innovative invention, but the companies that had developed them were perhaps less technically minded than was required. This isn’t necessarily their fault, but had they involved a security company from the beginning, they could have built up protection stage by stage. This would surely have been better than having to write thousands of lines of code at the end of what is likely to have been a long and arduous process anyway.

This is not an isolated incident, and it is something we are likely to continue seeing for the foreseeable future. Until mandatory legislation is introduced that demands an ongoing security review for all interconnected ‘smart’ devices, there will always be instances where corners are cut. Whether it is down to ignorance, time constraints or budget restrictions, security is often at the bottom of a manufacturer’s list, when in reality it should be crucial to whether the technology is even released.
