Over time, utility providers have rolled out increasingly advanced digitally connected devices to make their service infrastructure more efficient. One such product is the smart meter. These modernized meters bring many advantages over previous iterations, particularly with regard to efficiency, safety, and environmental impact. They also deliver utilities and customers real-time transparency into energy usage. This data from connected smart meters will allow utilities to build flexible pricing models, to create pricing incentives to encourage energy saving, and to better balance power loads to foster a cleaner, more sustainable grid.
As connectivity rises, however, so too does the surface area for potential cyberattacks. Securing breachable meters against surging cyberthreats is and will continue to be necessary as these profit-driving devices become a larger part of state electrical grids.
Smart meters drive profitability
Advanced metering infrastructure (AMI) has transformed the way utility providers are able to monitor distribution, usage, and performance and the sheer volume of data they collect is incredibly lucrative. When analyzed by meter data management software, the AMI data can help technicians detect hardware failures and imbalances in energy outputs while allowing executives to generate new customer insights, build predictive models for demand program planning, and refine rate plans and services.
AMI also dramatically cuts down on theft, which accounts for an estimated $96 billion in losses each year. Still, despite all this, adoption is inconsistent.
In the United States in 2018 — the latest year in which data is publicly available — electric utilities had about 86.8 million smart meters installed, according to the U.S Energy Information Administration. This share accounts for roughly half of all meters in the country, though smart meter penetration varies state by state. This variance is largely attributable to state-level legislation, whether in the form of a soft mandate that will drive meter penetration or regulations that temper utilities’ understandably ambitious roll out plans.
For example, Nevada has the highest rate of smart meter adoption at over 96% primarily because the state essentially mandated the adoption of smart meters, though “refurbished analog meters” are still permitted. In contrast, New York state has less than 5% smart meter penetration. This mirrors the situation in India, where smart meters only account for 1% of the market, with just around three million smart meters in operation compared to 270 million traditional meters. Penetration in Europe lingers around 40% of all utility customers, though estimates vary given the heterogenous regulation across the continent’s many countries.
As penetration rises, so will cyberthreats
The places without comprehensive AMIs will have them soon, especially among the locations listed above. Con Edison has been approved for a $1.3 billion project to overhaul New York state’s energy grid in compliance with the state legislature’s new guidelines. India’s largest energy provider, Energy Efficiency Services Limited (EESL), has plans to install 240 million new smart meters across the country by 2023. And in Europe, Italy should expect a boost in smart meter penetration, as 2020 marks the end of life for the country’s first generation of intelligent AMI devices, while widespread rollouts are planned for the near future in the UK, pending various challenges both of the technical and consumer-related variety. Globally, smart meter shipments are forecasted to exceed 200 million by 2024. Suffice it to say, smart meters are coming. Unfortunately, so are bad actors looking to exploit the vulnerabilities of newly connected grids, either for personal gain or to introduce chaos by separating vast swaths of customers from the resources they need, thereby sewing mistrust towards the providers or state-level entities.
Cyberattacks, especially at the IoT device-level, have risen sharply in the last year, and the rollout of smart meters only gives criminals a greater number of potential breach points. While smart meters transmit their data to deliver convenience and efficiency, they also open the door to potential threats. Just recently, The Foundation for Scientific and Industrial Research (SINTEF), in cooperation with Telenor, identified 30 threats and five different ways to attacks smart meters. Utility providers and other key players in the industry must understand that such attacks are going to happen.
With the knowledge that threats will arise comes the ability to mitigate the risks. Below are a few considerations that utility providers, both public and private, with plans to roll out smart metering infrastructure must keep in mind.
Rather than adopting reactive security software based on the attacks of the past, utilities need to proactively prepare for preventing and recovering from cyberattacks. Hackers understand that security loopholes are rarely open more than once. Cybersecurity is often described as an arms race, with malicious actors constantly trying to stay one step ahead of their targets, identifying and exploiting the loopholes that always exist in reactive systems. Utilities and their smart meter providers must flip this dichotomy by switching to proactive security systems operating with Zero Trust.
In the past, security was about establishing a secured perimeter, trusting everything inside it and rejecting everything outside it until verification. Recent attacks on AMIs, such as the insider breach in Uttar Pradesh and the massive consequent shutdowns, have proven this strategy is no longer viable. Comprehensive cybersecurity systems must now embrace Zero Trust, the concept coined by John Kindervag on the premise that systems should never automatically trust anything prior to verification, regardless of whether it comes from within or without the established security perimeter. A chain is only as strong as its weakest link but when it comes to cybersecurity, that link could just as easily be a disgruntled employee as it could a coding loophole. The difference matters not to bad actors — it shouldn’t matter to utilities either.
Act at the device level
All it takes to corrupt a system is a way in. While there is need for security at all three levels of IoT systems — the device, network, and system levels – for bad actors targeting utility infrastructures, a single connected device is sometimes all it takes. To prepare for such threats, utilities must ensure that each device they roll out is itself impermeable, a guarantee they can only make by introducing device-level security that protects smart meters from all attack vectors from the moment they’re developed on a factory floor throughout installation, implementation and maintenance.
Eran Fine is an experienced entrepreneur and senior executive with more than 20 years of international experience in founding¸ fundraising, managing, and leading high-tech companies. He is currently the CEO and co-founder of NanoLock, a cybersecurity startup based in Israel. NanoLock specializes in device-level cybersecurity protection and management to prevent malicious access to critical code by outsiders¸ insiders and supply chain attackers. Prior to co-founding NanoLock, Eran was the Founder and CEO of OREE¸ which was subsequently sold to Juganu, SVP of On-Eden (acquired). He also served as the CEO and Co-Founder of MobileSpear, and was on the Advisory Board of Cimagine (which was acquired by Snapchat). He has also served as a consultant to the Nano Science Technology Centre of TAU and Tsinghua University. Eran is the author of 22 patents. www.nanolocksecurity.com