The cost of a large-scale cyber incident can amount to hundreds of millions of dollars, so it is imperative that utilities are security-ready. The potential impacts highlight the need for preparedness.
Staying ahead of the pack is Netbeheer Nederland (NBNL), the Dutch national association of energy grid operators, which asked the European Network for Cyber Security (ENCS), a non-profit organisation dedicated to smart grid security, to carry out a seven-month audit of the security of smart meters already installed across the Netherlands.
Continued security around smart meters
In January 2012, regional electricity grid operators began distributing smart meters to residential and small business customers throughout the Netherlands, installing gas and electricity meters at 1.5 million households.
After a successful start, the Dutch Authority for Consumers and Markets advised going ahead with scaling up the smart meter rollout. In our article, Netherlands Smart Meter Rollout Goes Large-Scale, we describe how new contracts for 6 million smart electricity and gas meters will take Dutch grid operators towards a full smart meter rollout by 2020.
Smart meter security is being taken very seriously by the Dutch and for good reason. A presentation by Pascal van Gimst, Director Sales & Business Development, Riscure, The Netherlands, “Achieving a high security for the smart metering industry in time” lays out why tight security measures are key when it comes to successful smart metering.
NBNL approached ENCS to help investigate the security of the meter versions that had already been installed.
“As well as developing new meter versions with enhanced security features, it’s important to monitor the ever-changing threat landscape and make sure the existing meters which have already been set up in people’s homes and businesses remain secure,” says Boas Bierings at NBNL. “Like any remote system, smart meters can be vulnerable to hackers and fraud if left unguarded. We decided to work with ENCS as a trusted party with the security expertise we needed to keep customers and the grid safe”.
Thorough three stage assessment
At its security testing lab in The Hague, ENCS tested a cross-section of electricity and gas meter versions representative of the systems installed at households up until now. Assessing both the meters’ local and remote wireless systems, ENCS put the systems through a three-stage assessment comprising functional security, robustness and penetration tests.
“Functional security is about identifying whether the general security configuration of the device is in good shape and represents best practice,” explains Michael John, Director of Consulting Services, ENCS. “Robustness is then about seeing how stable that security is, how well it’s implemented. For that we have our own ‘fuzzing’ toolkit that’s proven highly effective in the past at finding potential defects which could be exploited. Finally, an experienced security evaluator assesses how easy it is to penetrate and exploit the system using the defects discovered in the first two stages. It’s very thorough.”
Mr Bierings told Engerati that they will continue to carry out these security tests on other smart meter types used in the Netherlands in 2016 to cover the whole installed base. These tests are over and above the security testing that was carried out during the development of the meters, he adds.
Making sure smart meters are secure will help protect consumers from a breach of privacy and protect the grid operators from both fraud and the electricity grid instability a widespread breach could cause.
“ENCS is committed to enhancing the security of critical infrastructure across Europe, and smart meters and smart grids are a key part of that,” says Mr John. “Drawing on our experience working with various European utilities and grid operators, we were delighted to support NBNL in assessing and improving the security of the Dutch smart meter system”.
Among ENCS’s current research activities is a project with Enexis and the electric vehicle (EV) charging infrastructure centre ElaadNL to investigate cyber security around EV smart charging. [Engerati-Dutch EV Charging Infrastructure Gets Cyber Ready] The organisation also has collaboration agreements in place with the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) in Germany and the Control System Security Center (CSSC) and Information Technology Research Institute of the National Institute of Advanced Industrial Science and Technology (AIST) in Japan.
Training is also found to be an important component in advancing cyber preparedness. [Engerati-Business Simulations Help Alliander Get Cyber-Ready]