“Who con­trols the off switch?” by Ross Ander­son and Shailen­dra Fuloria.

Abstract: We’re about to acquire a sig­nif­i­cant new cybervul­ner­a­bil­i­ty. The world’s ener­gy util­i­ties are start­ing to install hun­dreds of mil­lions of ‘smart meters’ which con­tain a remote off switch. Its main pur­pose is to ensure that cus­tomers who default on their pay­ments can be switched remote­ly to a pre­pay tar­iff; sec­ondary pur­pos­es include sup­port­ing inter­rupt­ible tar­iffs and imple­ment­ing rolling pow­er cuts at times of sup­ply shortage.

The off switch cre­ates infor­ma­tion secu­ri­ty prob­lems of a kind, and on a scale, that the ener­gy com­pa­nies have not had to face before. From the view­point of a cyber attack­er — whether a hos­tile gov­ern­ment agency, a ter­ror­ist organ­i­sa­tion or even a mil­i­tant envi­ron­men­tal group — the ide­al attack on a tar­get coun­try is to inter­rupt its cit­i­zens’ elec­tric­i­ty sup­ply. This is the cyber equiv­a­lent of a nuclear strike; when elec­tric­i­ty stops, then pret­ty soon every­thing else does too. Until now, the only plau­si­ble ways to do that involved attacks on crit­i­cal gen­er­a­tion, trans­mis­sion and dis­tri­b­u­tion assets, which are increas­ing­ly well defended.

Smart meters change the game. The com­bi­na­tion of com­mands that will cause meters to inter­rupt the sup­ply, of applets and soft­ware upgrades that run in the meters, and of cryp­to­graph­ic keys that are used to authen­ti­cate these com­mands and soft­ware changes, cre­ate a new strate­gic vul­ner­a­bil­i­ty, which we dis­cuss in this paper.

The two have anoth­er paper on the eco­nom­ics of smart meters. Blog post here.