As we implement more and more IoT technology into different aspects of our lives we should be aware of sensitive data and ensure that we further equip applications with the right level of security precautions. Within fields like smart grid and smart metering manipulations can result in high economic losses or even shut down power supply for a whole region. Therefor security is of high priority within electronic metering and grid applications.
If you google for scholar articles about security incidents and vulnerabilities within smart grid and smart metering applications you will find tons of publications and studies – most of them published sometime between 2009-2011. Therefore we should be able to assume that after a rough start five years ago smart metering applications are now grown up and secure enough for widespread roll outs.
Nope. Ironically everyone has been talking about security issues but nobody really came up with a plan to fix things. That doesn’t mean that technology companies didn’t develop the technical prerequisites for secure applications; the issue is rather that there is no real strategy on how to ensure everyone implements those solutions.
Do you want proof? In 2009 the US government reported that the nation wide power grid is vulnerable to cyber attacks after reports claimed that it has been infiltrated by foreign spies. In 2012 a document appeared and the FBI admited that many smart meters in Puerto Rico had been hacked by former employees of the meter manufacturer and employees of the utility to commit electricity theft. In 2014 researchers discovered that network-connected electricity meters installed in millions of homes across Spain lack essential security controls.
Most recently, in March 2016, we got another perfect example from the UK when the intelligence agency Government Communications Headquarters (GCHQ) had to intervene in the rollout of 53 million smart meters across the country because power companies were proposing to use a single decryption key for communications.
Experts form the GCHQ had to intervene in the roll out of smart meters in the UK (image: ©GCHQ)
With the growing number of smart meter installations and increasing quantity of home appliances which are able to connect and communicate with the intelligent electricity counters we create more and more potential for power savings and implementation of sustainable energy. To take advantage of those possibilities however requires accurate and secure networks from single households up to nationwide smart grids.
One of the main issues with security in smart metering applications is that there are many people involved. Security is literally messed up by “too many cooks”. In case of UK’s smart metering system it is problematic that the system designed by the utilities and metering industries became more and more complex during the development process up to a point where it is no longer fit for purpose. Compromises between many different power suppliers and pressure to reduce costs result in shortcomings regarding protection against hacker attacks. As soon as the GCHQ got involved it had to stop the project.
Within the other examples above it is quite similar. The crux is that the technological prerequisites to build secure systems are available nowadays. In order to build a secure grid and network across all stages of power distribution from household to power plant we will need more than the current regulations.
To improve the situation, above all, we would need real standards for smart grid and smart metering systems. Currently (or more like since years) the CENELEC (European Committee for Electrotechnical Standardisation) is working on standards for smart grid systems. While we know how critical results of this project would be there was nothing too promising released so far.
Smart meters could further profit from a system similar to the roadworthiness tests performed by institutions like the German TÜV or MOT in Great Britain. This would ensure that smart meters are inspected and certified by experts who are able to evaluate the implemented security features. However, such a model would need more than the inspection of finished products. The reason is, that in many cases the metering systems grow to a point at which security can only be “nailed” on the nearly market-ready smart meters in a non-satisfactory way.
To prevent this experts would need to be involved in the system design from the first day on in order to implement effective security solutions like embedded secure elements, which can be used for authentication and encryption e.g. via TLS. During projects which are advanced beyond the initial system design phase there are often issues with the fix of security gaps as no one wants to be reliable for a change of course as expenses are already very high. This circumstance is probably also the reason that it required a federal agency in the UK in order to stop the roll out of the imperfect smart meters.
A big problem however is, that it will be hard for experts to evaluate and give advice to smart meter manufacturers as long as their is no basis in form of standards. The German BSI (Federal Office for Information Security) released several strict security requirements for Germany – an action that caused a lot of criticism as these requirements mean higher development costs.
On the customer side a possible solution could be a “smart metering as a service” model, in which the meters are rented to customers. This would make it feasible to keep all meters registered and up to date.
The German TÜV already observes security in data centres and could provide similar services for smart metering.
Will we see such a model and new standards any time soon? Well, as there are many cooks who need to work on such a model we remain sceptical. The real dilemma however is that customers as well as our environment will have to suffer most from security failures.
One thing is certain: the earlier you get a clear picture on which security features and technologies you need to implement, the more options you will have to save cost and to build a really smart and secure product. If you need help with the implementation of security features and smart metering technology into your applications feel free to contact us here and to checkout our Renewable Energies Website here.
Want to get some quick insights on how smart meters work and how they get hacked? Check out the infographic below.
How A Smart Meter Can Shut Off Your Home’s Power [Infographic] – By the team at Jones Oil
Cover Image: GCHQ Foyer ©GCHQ 2014