Smart meters are essential to smart grids, empowering utilities and smart grid managers to provide consumers and energy providers with real-time energy consumption data, transparent billing, and demand side management. Nevertheless, despite the many benefits of smart meters, they, including the larger smart grid, are critical infrastructure, making them ideal targets for hackers.
Cyberattacks are growing worldwide, with attacks against critical infrastructure being some of the most prevalent. Research from the International Energy Agency (IEA) shows that cyberattacks aimed at the energy sector, with critical infrastructure, including gas, water and especially power utilities, have been on the rise since 2018. For this reason, smart meter manufacturers and vendors must secure their products and comply with evolving regulations.
How Do Hackers Exploit Smart Meters?
The attack vectors against smart meters are diverse and evolving, with digital systems and Internet of Things (IoT) sensors increasing the attack surface significantly. Typically, attackers will physically or remotely gain access to the smart meter through a remote or local interface. Vulnerabilities exist within the firmware, network interfaces, Application Programming Interfaces (APIs), utility applications or hardware architecture, all of which bad actors seek to exploit. Hackers can also use the communication between the meter and the Head-End System (HES) to gain access to a device. For instance, bad actors could exploit a network interface to remotely access metrology data stored in the smart meter; likewise, they could modify this data as it travels to the HES.
The consequences of these attacks are wide-ranging. Sometimes, an attack can compromise meter-related functions, corrupting metrology data. Attacks can also disrupt tariff management, prevent remote enablement or completely disable the smart meter. Other results of attacks include the theft of personal user data or physical damage to people and properties. In catastrophic cases, a hacker could bring down entire utility system components. One infamous example is the Colonial Oil Pipeline attack, where a hacker group targeted the largest pipeline in the US with a massive ransomware attack that forced the pipeline to shut down, leaving almost 11,000 gas stations without gas and increasing the average cost for fuel per gallon nationally.
Best Smart Meter Security Practices
As cyberattacks continue to increase in frequency, it is paramount that smart meter manufacturers and vendors implement a security strategy that accounts for technology, processes and people throughout the lifetime of a product or service. Although there is no way to prevent 100% of all threats, manufacturers can follow “security-by-design” principles and the CIA model – a system that safeguards the confidentiality and integrity of data while ensuring system availability – to reduce cybersecurity risks.
A security assessment or audit is the first step in achieving a secure end-to-end metering system. It is also important to continuously monitor and analyze supply chain processes for vulnerabilities. Likewise, manufacturers must have the right mindset and recognize that cybersecurity is an ongoing process, necessitating updating and refining. In other words, security doesn’t end after a smart meter gets deployed but continues throughout the device’s entire lifecycle.
SIM card security is another critical element of smart meter security. For starters, manufacturers must determine who manages the connectivity configuration of a smart meter device’s SIM card; put another way, who can activate or deactivate it? Concerning the lifecycle of a smart meter, manufacturers must understand that a device is not just the modem or the module but also the SIM card. To that end, manufacturers can use eSIM (or embedded SIM) to support remote SIM provisioning and keep their devices’ firmware and security up-to-date.
Lastly, smart meter manufacturers should consider artificial intelligence (AI) and its role. In truth, it is not easy to predict how AI will affect IoT and edge device security. The one thing for certain is that AI will be a powerful technology at the disposal of malicious actors, as well as utilities and smart meter vendors. Attacks will become more sophisticated, but so will the countermeasures. For example, utilities can use AI to identify patterns indicative of a cybersecurity breach far faster than a trained human.
Complying with Evolving Regulations
In addition to securing their products, smart meter manufacturers are responsible for complying with the ever-evolving regulations. Recall that smart metering is critical infrastructure, meaning regulators are aware of the risks and are keen to ensure manufacturers abide by industry standards, most of which come from Europe. For example, the EU, as part of the EUCC scheme, adopted the Common Criteria standard ISO15408. Also, there is the IEC 62443, which in Europe is vital to comply with the NIS directive. Likewise, the Cyber Resilience Act rolled out in the EU last year.
Another regulatory that smart meter manufacturers should keep an eye on is the ESMIG, the European Association of Smart Energy Solution Providers. It represents the meter industry by helping overcome barriers to the green energy transition. Although these standards come from the EU, they are pertinent for smart meter manufacturers and vendors looking to do business on the world stage. Nevertheless, observing these various standards and evolving regulations while keeping product timelines can be challenging. As such, manufacturers should seek assistance from a trusted IoT partner.
An Ideal IoT Partner
Ideally, smart meter manufacturers will want a partner that isn’t just an IoT module supplier but an end-to-end IoT system enabler that provides services, solutions and connectivity in addition to hardware. This partner should also follow secure by design principles, embedding components and services into smart meter systems that enhance security to promote a safer smart grid. Moreover, the ideal partner must be committed to life cycle support and security to ensure devices in the field remain protected against evolving threats and compliant with emerging regulations.
About the Author
Jose Sanchez serves as the Senior Director Product Management for IoT Connectivity & Services at Telit Cinterion. In this role, he plays a key part in shaping the company’s global initiatives for IoT services, focusing on aspects such as connectivity, device management, device-to-cloud security, and application enablement.
Before joining Telit Cinterion, Jose gained extensive experience in various product management and marketing positions at Thales, a prominent global leader in IoT and security. He worked there for over a decade, where he managed different product lines related to Cinterion IoT modules and oversaw eSIM services catering to the IoT market segment.
In addition to his corporate experience, Jose is an entrepreneur at heart. He co-founded the tech startup Ubikon at the young age of 25, shortly after completing his master’s degree in telecommunications engineering at RWTH Aachen University in Germany and the University of Malaga in Spain.
Further enhancing his skills, Jose completed the executive program titled “Bringing Technology to Market” at the European School of Management and Technology (ESMT) in Berlin, Germany, in 2019.
Jose can be reached at https://www.linkedin.com/in/josesanchezsantana/?originalSubdomain=de
