Smart Meter Companies Sue Local Activist and City to Block Disclosure of Security Audits

Comments

2
@1: No.
3
@1 As with a lot of internet connected hardware, security flaws could allow all sorts of issues.

If the security sucks it's reasonable that someone could turn your house's power off from the other side of the globe, or watch which houses are not using a power because no one is home) and then burgle them, or change how much power the meter reports, causing you to get a bill for thousands of dollars with no recourse.
4
Thanks Phil,

Besides monitoring, I'm assuming functionality built into the "Smart meters" includes the ability to remotely disconnect, and that's the major concern of using a transceiver that hackers will eventually figure out. What damage could other kinds of hacks do?

I can see where the hardware architecture of a remote monitoring CPU (and its server) could be considered proprietary, but that's it, nothing else. The data generated/received by such a "Smart Meter" device has to follow communication protocols, and that data packet (contents, format, etc) must be defined somewhere, which should be subject to public inspection.

The city has another option In this issue: devise a test using the communication protocols to attempt to hack the device (and server) for the worst case. If the suppliers device passes, it could be considered for the bid-list.

Otherwise, the city needs to establish a requirement that a RFP response must include a security audit or be considered a no-bid.

What do you think?
5
@3: Correct.

Even our city's cybersecurity-cybervendor-cyberfriendly former CISO publicly recognized that this looks like an effort on the part of smart meter vendors (Landis+Gyr, Sensus, and Trilliant) "to cover for crappy security."

If these vendors' network security relies on keeping the sort of basic information that lands in a response to an RFP secret, we're in for a bumpy road. That they are specifically resisting the release of records related to security audits (or lack thereof), is truly cause for alarm.

City Light should redact any information that is exempt from disclosure under the Public Records Act and hand over the rest of the records as the law requires. Instead, they're waiting around for the vendors to go to court and bamboozle a judge into allowing them to hide basic details from the public under the guise of trade secrets (e.g., How will meters communicate when base station is unavailable? Will their system comply with the RFP's encryption requirements? Are meters field programmable w/out removing cover or remotely programmable? Who is the vendor's project manager and what is his/her experience?
6
To be clear: I don't know why I am being sued. I requested public records from our public utility, and those which SCL already sent were automatically published when received. That's it. I'm not demanding un-redacted documents. I just want the public to be able to be able to review that which we have the right to review under our state's Public Records Act. Best I can tell, naming me as a defendant is simply an intimidation tactic waged in hopes that I, out of fear or inability to afford legal defense (see: SLAPP), will quiet down and refrain from drawing attention to this boondogle.
7
The two public records that the city already sent to Muckrock for me--those that are clearly public now even if they were not previously--were automatically published: "Req 9_Security Overview" and "Landis+Gyr Managed Services Report 2015…. In case Muckrock are convinced to take them down as requested by the vendors: Cryptome are mirroring the public records. And if you're browsing with Tor and want to reach them without anyone finding out, you can reach them via onion site asxilmkqj3uw3qtw.

See also: "Streisand Effect".
8
@4: "Remote disconnection"? Shhhhh. You might bring down the multi-billion-dollar smart meter industry by waving those trade secrets around.

But seriously: They almost certainly do allow remote disconnection. And someone with access to the sooper-sekrit admin Web page very likely can remotely disconnect many thousands of meters just as easily as they can disconnect one. And these vendors security plan for preventing such mayhem includes keeping the public in the dark about the systems' capabilities and preventing us from verifying that these systems are secured against attacks, instead citing a bunch of certification mumbo-jumbo and waving their hands until the money starts flowing.

Industrial controls are notoriously-poorly-secured. Look into SCADA weaknesses for more on that (e.g., "SCADA systems’ vulnerability key weakness in Smart Grid deployments").

City Light claim not to have even basic expertise in these matters, yet they are selecting vendors of related equipment, and intend to push these things onto every ratepayer, maaaaaaaaybe allowing people to opt-out, but definitely not restricting deployment of the smart meters to those who people opt-in.
9
Keep up the good work Phil. Security through obscurity is not acceptable for anything in any industry.
10
Sadly 'The Stranger'knows nothing about the downside of smart utility meters. Contrary to popular belief they do not report outages sooner: http://marylandsmartmeterawareness.org/s… for more on this. They do not save people energy except perhaps with 2% of the population -- hardly worth the power grid vulnerability, fire risks, and hacker vulnerability at the cost of millions of dollars of cost while providing nothing for rate payers. Smart meters do not improve the smart grid. Only those uninformed confuse the two. Smart grids actually don't require the smart meter to be effective. I implore the Stranger to do better investigative journalism.
11
@1 - here is an entertaining and terrifying article that will give you an idea of how badly companies are bungling security for the Internet of Things, and how most of them would rather attack researchers than deal with their own problems. I have no fear whatsoever of smart meters as objects, but poor security on wireless devices is going to lead to trouble sooner or later. https://www.wired.com/2015/07/hackers-re…
12
The smart meter vendors have succeeded, at least temporarily, in blocking public access to public records regarding security audits of City Light's planned system.
13
Thanks Phil for exposing the lack of transparency in City Light's "smart" meter project. Corporate profiteers claim releasing the information about Seattle City Light's new energy monitoring system would jeopardize the security (i.e. hackability) of their system. Well, if they are that worried even before the system has been rolled out, I can't imagine that it will take hackers much time to bring down this vaunted new "green" technology.

This is nothing but a smokescreen to prevent the public from fully realizing that this expensive new technology is not worth the increased utility rates, increased microwave radiation exposure, reduced privacy, reduced energy security, increased fire exposure, that all comes with as part of this shiny new package paid for with federal tax incentives (i.e. giveaways), and your hard earned wages." Adam and Ms. Minard, please do a little more thorough research before you dismiss opponents of this new technology as "idiots". Start by watching the film: "Microwave Science and Lies." Thanks nonetheless for printing this story.