Smart meters have become more important over recent years. In an environment where climate change and sustainability have never been higher on the agenda, smart meters allow individuals and organisations alike to get a better sense of energy consumption. The data and insights they generate allow end-users to make more informed decisions about their own energy consumption (something that has become vital amid the current cost of living crisis). In addition, they can help utilities and smart grid managers make better data-driven decisions about energy demand, the best energy mix and when to scale services.
The EU aims to guarantee accessible, affordable, secure, and sustainable energy for all Europeans and to be climate neutral by 2050. A large roll-out of smart meters is part of that drive, with the European Commission predicting that 266 million smart meters will be installed by 2030.
That said, while the benefits of smart meters are evident and numerous, they may also pose a serious cyber security threat if robust security features have not been built in.
In this blog we’ll be looking at what utilities and smart meter vendors alike can do to secure the industry from cybersecurity risks.
As with any connected technology, despite carrying huge benefits, smart meters can also pose opportunities for hackers.
If we look at the individual consumer implications of a hacked smart meter, hackers could get access to private consumption data and household habits, as well as other devices connected to the same network. Beyond data privacy breaches, hackers can also manipulate data and readings, causing consumers to make decisions against their best interests. Not only this, but consumers will also lose trust in the technology, which could ultimately lead to resistance to smart meter deployments.
There’s also the wider scale risk of grids becoming compromised. If a hacker were able to override individual meters so they appear to increase demand simultaneously, they could bring down an entire grid, and create large-scale power outages. As cities become increasingly connected, a compromised grid could impact many other applications like smart lights, traffic systems, etc.
Challenges of securing the smart grid
It is clearly imperative that the smart grid and smart meters are secured, but there are several challenges and obstacles in play:
- Evolving threat landscape: Cyber threats are constantly evolving, adapting, and getting more sophisticated. It is never safe to assume that anything is secure. Keeping up with and mitigating these threats requires dedicated cybersecurity expertise.
- Regulation is vital for enforcing a set of standards within an industry. There are currently multiple cybersecurity initiatives in Europe, which bring with them a level of confusion. Harmonisation is important: organisations such as ESMIG help to create unity by bringing multiple players together in one room to discuss and move things forward collectively.
- Challenges of retrofitting: If security hasn't been built in from the start, it can be hard to fix security flaws in hindsight. You can always use analytics to see that something is wrong, but you'll have a hard time solving the issues if security elements have not been integrated at the core of the system.
- Multiple attack vectors: There are many potential attack vectors that need to be secured: the connected meter, the source of the data going to grid managers, the transfer of data itself and who has access to the data.
How to protect the smart meter infrastructure:
As identified above, there are hurdles to securing smart meter infrastructure – requiring a holistic approach to cybersecurity. That said, there are some fundamental principles that need to be followed:
- Carry out an automatic risk or threat assessment at the beginning of a project to meet regulation and the specific context
- Establish a trusted source of data by implementing strong trusted IDs in the core of connected meters
- The data sent from smart meters should be encrypted to ensure confidentiality
- The exchange of data should be done between trusted entities. This is possible through digital mutual authentication
- A strong lifecycle management process should be implemented; assets and credentials should always be updated via secure, remote updates using digital signatures
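The sketch below is an added example, not code from the original post or from ESMIG. It illustrates two of the principles above: a trusted ID at the core of the meter, and readings that the utility can verify as coming from that meter, unmodified and not replayed. It assumes a symmetric per-meter key derived from a utility master key; the names `derive_meter_key`, `sign_reading` and `HeadEnd` and the meter IDs are hypothetical, and encryption and signed updates are out of scope here.

```python
import hashlib
import hmac
import json

MASTER_KEY = bytes.fromhex("00" * 32)  # constructed demo key; real keys belong in an HSM


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Per-meter key bound to the meter's identity (assumed provisioning scheme)."""
    return hmac.new(master_key, b"meter-key|" + meter_id.encode(), hashlib.sha256).digest()


def _canonical(meter_id: str, counter: int, wh: int) -> bytes:
    # Fixed field order so meter and head-end authenticate identical bytes.
    return json.dumps({"id": meter_id, "ctr": counter, "wh": wh}, sort_keys=True).encode()


def sign_reading(key: bytes, meter_id: str, counter: int, wh: int) -> dict:
    """Meter side: attach an HMAC-SHA256 tag over id, counter and reading."""
    tag = hmac.new(key, _canonical(meter_id, counter, wh), hashlib.sha256).hexdigest()
    return {"id": meter_id, "ctr": counter, "wh": wh, "tag": tag}


class HeadEnd:
    """Utility side: accept only enrolled meters, untampered data, fresh counters."""

    def __init__(self, master_key: bytes, enrolled: set):
        self.keys = {m: derive_meter_key(master_key, m) for m in enrolled}
        self.last_ctr = {m: 0 for m in enrolled}

    def verify(self, msg: dict) -> str:
        key = self.keys.get(msg.get("id"))
        if key is None:
            return "unknown-meter"
        try:
            ctr = int(msg["ctr"])
            body = _canonical(msg["id"], ctr, int(msg["wh"]))
            tag = str(msg["tag"]).encode()
        except (KeyError, TypeError, ValueError):
            return "malformed"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "bad-tag"
        if ctr <= self.last_ctr[msg["id"]]:  # counter must strictly increase
            return "replay"
        self.last_ctr[msg["id"]] = ctr
        return "ok"
```

A rejected message never advances the stored counter, so a forged or altered reading cannot be used to lock out the genuine meter's next message.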
Only systems that have been built from the ground up with strong security will be robust enough to withstand the growing cyber threats and implement the above best practices. The importance of security by design cannot be overstated here.
It’s vital that utilities and Distribution System Operators (DSOs) require this from their suppliers. They have a tremendous amount of responsibility towards the future of smart meter development, to protect critical infrastructure, as well as their own revenues and reputation.
In turn, working with a cybersecurity provider helps smart meter vendors design their security from the outset.
This blog is a space for debate where ESMIG members share their thought leadership. All opinions expressed are the author’s. The content of this article is not an official position paper endorsed by the association.