[Cryptography] Smart electricity meters can be dangerously insecure, warns expert

Jerry Leichter leichter at lrw.com
Tue Jan 3 22:44:03 EST 2017


> How much would it add to the cost of an electric meter to employ an SoC with enough power to implement the security standards? A dollar? Two? That cost would presumably be recovered from the rate payer over the life of the meter, a few cents a month. 
I'm not sure that cost is the driving factor here.  What seems to be more relevant is that power companies are simply unfamiliar with modern computing technology.  They have a long-standing, very sophisticated understanding of high-power systems, which are basically electromechanical.  When your unit of power is the megawatt, very few semiconductor - much less IC - parts are relevant.  It took years to build workable rectifier stacks.

An idea of the kind of technology base that power companies build on:  Primary power distribution lines - which carry power, typically at 3-15KV, from substations to local step-down transformers - typically have fuses or breakers of some sort at each transformer, and elsewhere along the line.  However, most power faults on overhead lines are transient - caused by things like falling branches.  So a fuse or breaker that must be manually replaced or reset can unnecessarily lengthen outages.  So ... there are more modern devices known as reclosers.  A recloser responds to a current surge by disconnecting the line, but then it re-connects it.  Typically, it has one or more "fast" cycles in which it reconnects within 30 seconds or less.  Then it may have a longer cycle.  Finally, if the line is still faulted, the recloser will stay open, requiring manual reset.  If no faults occur for a while, the recloser will eventually go back to its initial "a couple of fast cycles" state.

Now, as you read this description, the implementation that probably came into your mind was of a SoC controlling the timing and some kind of software-controlled switch.  Reclosers like that exist today, but the most common ones use much older technologies.  The mechanical engineering is complicated, but the way some models work is basically as follows:  On a fault, the switch opens, and a vane in a vat of insulating oil moves to the "open" position.  A spring tries to drive it back to the "closed" position, but this takes the requisite time because the oil has to be forced through an opening in the vane.  After the vane makes it back, it also moves over a bit.  By the time it needs to do a "slow" cycle, it presents a much smaller hole for the oil to flow through - so it takes longer to close again.  If it trips in this state, the next jog of the vane leaves no hole at all, so the vane can't move back to the "closed" position.  It locks here.  If the vane is left in any other position, some secondary mechanism - probably oil flowing slowly through other channels - eventually "unjogs" the vane back to its original position.  Fluidic computing at its finest!

You might think these are antiques - but reclosers are relatively new devices.  I don't know when they were first introduced, but they seem to have become common (at least on primary distribution circuits) only in the last decade or so.

Sounds absurdly complex - but the engineering of such systems has a long, successful history.  It integrates easily with the switches needed to actually cut and restore multi-KV, multi-megawatt power lines.  (These switches are typically bathed in oil for insulation anyway.)  A system like this is very rugged, unfazed by electrical surges.  Building and certifying a microprocessor-controlled equivalent to serve out on top of a power pole, unattended, for many years, is not an easy task.

So ... I think the power guys are just out of their depth here.  It'll take a while for them to develop the necessary expertise to integrate modern processors properly.
                                                        -- Jerry