Mention ‘security’ today and many people immediately think of hacks or viruses and the need for cybersecurity.
Likewise, many assume that a new IT-based system comes with adequate security built in.
But these assumptions are both quite wrong when it comes to smart meters, says Emil Gurevitch, Security Software Engineer at Networked Energy Services (NES), a provider of smart grid and security solutions globally.
“We often see people equating a smart meter system to a traditional IT system but their characteristics are very different. That needs to be understood or the risk analysis won’t be accurate.”
Smart meter security landscape
There are three sets of threats that need to be addressed for a smart metering system, Gurevitch points out.
There are the ‘old school’ threats of fraud, theft and safety, which have long been a top concern for utilities.
There is a newer and growing group of regulatory threats around non-compliance, such as the General Data Protection Regulation in Europe.
And then there are all the threats associated with IT, such as cyberattacks that can prevent a utility from delivering its services.
“Some of these threats are similar to those of an IT system, but their priorities differ,” comments Gurevitch. “And they are not static and continue to evolve and so the security solutions must likewise continue to evolve.”
SEAS-NVE investigates security
Back in 2014, when utility IT breaches were starting to make headlines, Denmark’s largest cooperative utility SEAS-NVE was encouraged to look more closely into its own security arrangements.
“At the time our smart meters were installed, security wasn’t a priority issue,” says Bo Danielsen, Head of Department at SEAS-NVE. “But with smart meters as a critical infrastructure for our business offering 400,000 potential attack points, we needed to ensure the system was as secure as possible.”
The upshot was an approach to the Technical University of Denmark located near to Copenhagen as an outside party for academic input. This resulted in Gurevitch, then a master’s student there, undertaking for his thesis a detailed investigation of SEAS-NVE’s smart metering system from a security perspective and presenting solutions to address problems found.
“Our intention was to create a win-win-win solution for our customers, the company and the vendor by aiming for the most secure system on the market,” says Danielsen.
Advanced smart meter security
The outcome of that investigation was a series of security enhancements to NES’s Patagonia smart metering platform aimed at addressing both the current security needs as well as future issues that may arise during the lifetime of the system.
“These features provide higher levels of protection end to end across the system, from the central management layer at the utility to the internet-connected devices such as data concentrators and the smart meters themselves,” says Gurevitch.
Examples he quotes include improved communications security between the different layers of the system and a new key management system providing automatic key updates at regular intervals. Others include improved intrusion detection based on the smart meter characteristics to detect abnormal behaviours, and improved ‘compartmentalisation’ to ensure that a breach into a meter is restricted to that meter alone.
“Signals of possible security breaches land at the utility management system and with these enhanced features, the false-positive rate has been reduced. So if a signal is received, one can be very sure there is something going on,” he says.
OSGP security compliance
Another outcome of the project that Gurevitch highlights is an update of the security definitions and specifications of the Open Smart Grid Protocol (OSGP), a global open standard for smart grid applications.
“This positively impacts on all those who implement OSGP-based solutions, while from NES’s perspective, the updates automatically benefit all other customers.”
He comments that when he speaks to customers, he wants to hear that the new enhancements are “just another update” that has come virtually unnoticed via a remote firmware upgrade. “It is essential that updates should not change the performance of the system and that the security features are working behind the scenes without impacting on the meter data collection process.
“If a security feature prevents the utility from meeting its KPIs, then it is not a security feature in our view.”
SEAS-NVE security experience
Danielsen says that from SEAS-NVE’s perspective, the partnership between the three parties - utility, academia and vendor - has been very fruitful.
“Security is a common problem we face as an industry and it has enabled us to have a hands-on role in the direction of developments in this area,” he says.
“If a utility suffers a security breach then it is likely that SEAS-NVE will face a similar attack and we feel it is important to have the bigger picture rather than focus on just our own little corner of the world.”
Danielsen offers one piece of advice to utilities. He states that the remote firmware update process isn’t trivial and needs planning and monitoring to implement and complete for many thousands of smart meters.
For his part, Gurevitch, who notes that further security updates are in the pipeline, advises that utilities looking to enhance their security should complete a risk assessment in advance.
“One of the key lessons here is that you need to understand the security issues you are dealing with in order to determine your security needs and priorities. There is no one solution that fits all and a risk assessment is essential.”