Malicious or mischievous hackers, disgruntled employees or dissatisfied customers – all pose a potential threat to the increasingly digitized and interconnected 21st century utility. Security attacks against utilities are not only taking place, they are on the increase. [Engerati-Electricity Authorities Face Severe Cybersecurity Attacks] Utilities need to take action and solutions are needed from vendors.
“We see three main drivers for increased cybersecurity,” Ronald Hermans, product manager for alliances at Honeywell, told Engerati in an exclusive interview. “These are data privacy and security, the stable and trustworthy operation of the business, and the stability of the grid and the economy it serves, given that utilities are effectively a national lifeline.”
Next to territorial sovereignty and integrity, countries are more and more looking to “digital sovereignty and integrity,” he comments, pointing to examples such as the increasingly detailed security requirements for the sector developed by the German Federal Office for Information Security and the Association of Network Energy Operators in the Netherlands, and the stringent security compliance requirements set out for the DLMS/COSEM standard.
“Cybersecurity concerns are significant, and we have seen some of the major smart meter rollouts slowing down until security requirements could be met,” Mr Hermans said.
Cybersecurity for utilities
It is possible to introduce cybersecurity measures to deter attacks.
Mr Hermans indicates that a solution should be based on a holistic approach that encompasses people, processes and technology. People must be trained on how to use systems securely, and made aware of what social attacks look like. Utilities must have robust processes in place, such as those defined by ISO-27001. Technology, the utility’s overall system architecture and all of its components and processes, must be configured with security in mind.
“There are two aspects that should be fundamental throughout all aspects of a solution – secrecy and trust,” he believes. “Secrecy is about avoiding interpretation of shared information by third parties and implies the need for encryption and strong access controls. Trust is about being certain that the senders and recipients of information are legitimate and implies the need for authentication and authorization that senders and recipients are authorized to perform the function they are attempting.”
Very often these are then embodied in the solution on the basis of using ‘keys’, either asymmetric or symmetric, i.e. whether different or identical for ‘sender’ and ‘receiver’ and according to the degree of security required. In normal practice a combination of both key types would be used, with the asymmetric security applied to establish trust by authentication between the 'sender' and 'receiver' and symmetric security applied to the messages exchanged between the two parties once they are authenticated to maintain secrecy.
Honeywell’s cybersecurity solution, developed in partnership with digital solution provider Worldline, is designed as a full end-to-end solution for utilities to manage and use security keys and certificates in an effective and scalable way.
“The solution covers the lifecycle of assets such as meters from the time of production and shipping from the manufacturer to eventual end-of-life in recycling or destruction. Each step, and its involved personnel, systems, tools and processes, need to be secure, based on the same principles assuring trust and secrecy – when transporting, installing, operating and removing smart grid assets,” says Mr Hermans.
At its basis is the security baseline documentation, which sets out the organizational structures and responsibilities and processes for implementing and managing the solution. The technical solution itself includes a cryptoserver for storing keys, along with key management software for generating and exchanging keys, etc. and the infrastructure for example, to securely manage certificates.
The solution manages the trust relationships for all operations including factory and onsite operations. It is also compliant with DLMS security suites 0, 1 and 2.
Cybersecurity at Dutch utility
Honeywell and Worldline’s solution has been implemented at a Dutch utility to provide security for the company’s smart meter rollout – currently more than 1 million meters, but which is expected to expand to more than 2 million households for which the utility provides energy.
“We have implemented DLMS Suite 0 initially and effectively integrated it with the smart meter solution,” says Mr Hermans. He adds that it was done in two stages, the first effectively a pilot to ensure that there was no impact on the company’s core systems before the second, full deployment.
Currently it is running at approximately 4,000 decryption operations per second, or 2.9 million secure smart meter communication sessions per hour.
The solution is also under implementation at Suite 1, and other utilities assessing and testing the use of Suite 2 in the near future.
In conclusion, Mr Hermans comments on overcoming the primary barriers to implementing cybersecurity – the complexity, cost and impacts across the organization.
“Most utilities are already working on security for example at the level of a public website. If the company is open and ready to expand their security capability the process needn’t be burdensome.
“Bear in mind also the risk of not doing so. Often hackers just want to prove that smart metering is not secure. Security breaches can cause significant operational and reputational issues for utilities and its smart meter supplier. Is it worth putting the company at risk rather than invest in cybersecurity?”