Utilities should prepare to defend themselves against hackers attempting to access the grid via the new fleet of smart meters, says Emil Gurevitch, Senior Security Architect at Networked Energy Services (NES).
The industry is in a dilemma when it comes to cyber security, as while there is a need to share information, utilities do not want to talk openly for fear of exposing themselves to more threats or attracting negative press.
NES supplies smart meters to many countries in Europe, Middle East, Asia, Africa and Americas. In Europe, this includes Sweden, Finland, Denmark, Poland, Romania, France, Switzerland, Austria, Italy and Germany. Although many of these countries are less worried about the kind of national adversary threat that heightens tensions between the Ukraine, Russia, the US and China bring, there is a growing concern about criminal hackers looking to make financial gains or just disrupt the smart energy transition to make a name for themselves.
Wide attack surface
Not a lot of attention has been paid to smart meters, which is a relatively newer technology than SCADA systems for substation control and management of other parts of the smart grid, Gurevitch says. But clearly smart meter systems will become increasingly interesting for hackers as they create a wide attack surface with a varying range of security. There are easy ways to figure out what technology is out there, Gurevitch says. Public records of utility tenders and standards are all out in the open. A smart meter is very accessible – every home and office has one, normally in a private, out of the way place. Once the serial number is found, that can lead to an accurate account of what the technology is, and it can then be tested against known weaknesses.
The wave of smart meters being rolled out across Europe represents a huge investment, and utilities need to see a return on that expenditure – a single cyber-attack can wreck the business case a smart meter rollout. The life cycle of a smart meter is around 10-15 years, but that is a very long time in cyber security and a long time to be exposed to attack, Gurevitch says. Some utility executives understand the issue and are reviewing and improving their security posture, and some are in standby mode waiting for something to happen before taking action.
A storm brewing
“Utilities have a chance to be proactive and anticipate attack rather than wait for something bad to happen. There’s a storm brewing and we have an opportunity to prepare for it,” he says.
Utilities should focus on monitoring, as at the moment many do not know what is happening at the grid edge Gurevitch says. “Some utilities are completely oblivious to the threat of attack, as if blindfolded.” Once monitoring systems are put in place and a threat is detected, the next stage is implementing the response. NES is developing such monitoring solutions in close collaboration with their utility customers and local partners.
Soon such security measures are likely be mandatory. There is a big push from the US regulator the Federal Energy Regulatory Commission, and Europe has several certifications and other initiatives underway.
Europe has made a lot of progress and new smart meters have embedded security, while Asia and the Middle East are moving a little slower and are still in the development and deployment stage, says Nicolas Viot, head of the penetration testing team at Sogeti, part of the Capgemini group. He agrees with Gurevitch that one of the biggest challenges facing utilities is the length of time the smart meters will be in place. “In IT we are not used to supporting systems for such a long time,” he says. Future challenges include protection for end-user connectivity, as more consumers monitor consumption on mobile phones, smart homes and buildings solutions, smart cars, and digital rights management for example renting movies via smart TVs. “You have to look at new threats that will emerge,” he says. A future trend will be incorporating small producers of renewable energy into the grid, which will create a new cyber security challenge.
While it can be costly, it does not have to be, and cyber security spending will ultimately be worth it just like insurance, Gurevitch says. “Those investments will repay through reduced energy disruption, reduced loss of customer information and improved PR when these systems are subject to attacks by criminals.”