A Secured Cell for the Factory Environment
By Michael John, Elster
Security issues have attracted more attention as smart meter rollouts have progressed. Consumers have expressed concerns about data privacy, which has led to delays in smart metering programs in the U.S. and the Netherlands. Because security was not a focus earlier, there have been smart metering deployments in Europe where the necessary security features were never enabled or where outdated forms of encryption are still in use.
The industry is working closely with governments and consumer groups to address security.
Technical specifications continue to evolve, and new or revised security and data privacy mandates still might be introduced. The European Commission’s Smart Grids Task Force requires that security and privacy be addressed even at the pilot stage of a smart metering program. More governments also are taking the lead on smart metering programs, which often means more involvement from regulators and national ministries.
This is why information security must be a core part of smart metering rollouts from the start. Utilities can avoid scenarios where infrastructure must be upgraded or replaced to meet new requirements if end-to-end security is embedded within system design. As several European utilities near an installed base of a million smart meters or more, they must recognize that security is not just about enabling the technical features on the smart meter but ensuring the underlying processes are managed in a secure and trusted way across the supply chain.
Smart Metering Life Cycle
The life cycle of the smart meter begins at the design and engineering phase. It is then manufactured and delivered to the party responsible for installing it at the premises of the consumer, at which point it moves into the operational phase and becomes part of the smart metering network. Finally, at end of life, the smart meter must be decommissioned to ensure remaining sensitive data such as security credentials and personal information is disposed of securely.
At each phase of the smart meter life cycle, an unauthorized third party might attempt to gain access to sensitive data and use it to launch a malicious attack on a consumer or an organization. For example, if architecture design is not robust, an attacker potentially could manipulate the smart meter, data concentrator or gateways to disconnect electricity supply. A large-scale disconnect across multiple households would inconvenience residents in those locations and might lead to grid issues such as a power outage.
Other potential security threats include tampering with meter data to manipulate billing or the leakage of personal information and utility-related data that could provide attackers with insight into a customer’s behavior. Known as a consumption signature, this type of information can be used to work out the times of day the customer is absent from a property, as well as the types of electronic appliances he or she owns.
Such attacks would require a highly sophisticated attacker with significant resources. Data concentrators, however, are often not located within secure premises, so an unauthorized party could gain access to the sensitive data they hold simply by physically breaking into them.
Security by Design
From the outset, the smart meter engineering process must be suitably robust. If a meter can be made to crash, the same fault may allow an attacker to inject code or to redirect execution to code already present on the device, and so to manipulate the meter. Likewise, the engineering of firmware, i.e., software closely tied to the hardware components of the device, must be robust. Here, testing against malformed and malicious input (for instance, fuzzing the protocol parsers) is necessary to ensure the firmware withstands attack traffic that masquerades as a standardized communications protocol.
Secure firmware engineering will be essential for meter manufacturers. As recent history has shown, attackers are prepared to target the means of production itself: there have been several cases of USB sticks shipped directly from offshore factories with malware already on them. As such, even if a product is certified as functionally compliant with the relevant standards, that does not necessarily mean it is secure or that the firmware on it is authentic.
This is why a security and data protection by design approach is recommended, whereby data protection and security features are built into smart metering systems before they are rolled out. In the world of information technology, robust security design is based on end-to-end communications in which the receiver can verify the identity of the sender and that the message has not been tampered with in transit; that is, every message is authenticated and integrity-protected between the end points, rather than relying on the intermediate devices (such as data concentrators) being trustworthy.
Building Trust
Each party in the chain must be trusted for its role. Manufacturers, for example, are trusted to engineer and produce secure and reliable products. To assure all stakeholders—utilities, meter network operators, consumers—that the engineering and production processes of manufacturers are secure, manufacturers can demonstrate conformity by obtaining a dedicated certification such as ISO 27001, the international standard for information security management systems.
In Europe, Elster, which recently was awarded ISO 27001 certification, has created a secured cell within its factory. As shown in the figure, the meter enters one end of the cell as an untrusted and unsecured device and emerges at the other end fully sealed and provisioned with unique key material and its trust anchors. The smart meter is supplied to the utility as a trusted device, i.e., loaded and preconfigured with the correct, authentic firmware and credentials. Elster also has developed a secure process for exchanging the provisioned information with its customers.
A key benefit of the trust provisioning approach is that it is agnostic of market design and the smart metering infrastructure, given that every member state chooses its own model of smart metering implementation and will be at a different stage of liberalization.
Once the meter is installed, ownership transfers to the utility or the party responsible for operating the meter. At this point, it is critical that the appropriate data security protocols and privacy protection are enabled. Further down the line, the decommissioning is just as important because there still might be security-relevant data stored on the meter that if obtained could allow unauthorized parties to observe or decrypt previous communication or any personally identifiable information left on the meter.
Similarly, a secure process is required for re-provisioning devices. Utilities will need to ensure they have unique keys for all of their smart meters and a management process to update them and to alter access controls should a smart meter be re-provisioned for a new tenant.
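The following is an added example, written for this page and not Elster's process or any published smart metering standard. It models, with only the Python standard library, the three mechanisms described above: a factory "secured cell" that derives a unique key for each meter from a master secret it alone holds and exports a provisioning record to the utility; authenticated, end-to-end verified commands (the meter itself checks an HMAC-SHA256 tag and a monotonic counter, so a tampered or replayed frame, or one built for a different meter, is rejected regardless of what a concentrator in between does); and re-provisioning for a new tenant by issuing a new key generation, after which commands under the old key are refused. The frame layout, opcodes, serial numbers, key-derivation label and the HMAC scheme are all assumptions of the example.

```python
"""Added example: factory provisioning of unique meter keys, end-to-end
authenticated commands, and re-keying on re-provisioning. Not Elster's code;
frame format, opcodes and serials are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

OP_CONNECT = 0x01       # hypothetical opcodes for this example
OP_DISCONNECT = 0x02
TAG_LEN = 32            # HMAC-SHA256 output length


def derive_meter_key(factory_master: bytes, serial: str, generation: int) -> bytes:
    """Unique per-meter key from the factory master secret (a one-step,
    HKDF-Expand-style derivation; an assumption of this example). The
    generation number is bumped on re-provisioning so that keys issued for a
    previous tenant stop being valid."""
    info = b"meter-auth-key|" + serial.encode() + struct.pack(">I", generation)
    return hmac.new(factory_master, info, hashlib.sha256).digest()


class Meter:
    """What leaves the secured cell: a serial, a unique key and a replay
    counter. Verification happens on the device itself."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self.key = key
        self.last_counter = 0
        self.connected = True

    def handle(self, frame: bytes) -> str:
        # Constructed frame layout: 4-byte counter | 1-byte opcode | 32-byte tag
        if len(frame) != 5 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "rejected: bad tag"
        counter, opcode = struct.unpack(">IB", body)
        if counter <= self.last_counter:              # strictly increasing
            return "rejected: replay"
        self.last_counter = counter
        if opcode == OP_DISCONNECT:
            self.connected = False
            return "disconnected"
        if opcode == OP_CONNECT:
            self.connected = True
            return "connected"
        return "rejected: unknown opcode"


class SecuredCell:
    """Factory side: the only party holding the master secret."""

    def __init__(self, master=None):
        self.master = master if master is not None else secrets.token_bytes(32)

    def provision(self, serial: str, generation: int = 1):
        key = derive_meter_key(self.master, serial, generation)
        # Returns the sealed device and the record exported to the utility.
        return Meter(serial, key), {"serial": serial, "generation": generation, "key": key}


class HeadEnd:
    """Utility side: keys received from the factory plus a send counter."""

    def __init__(self):
        self.keys, self.counters = {}, {}

    def load_record(self, record: dict) -> None:
        self.keys[record["serial"]] = record["key"]
        self.counters.setdefault(record["serial"], 0)

    def command(self, serial: str, opcode: int) -> bytes:
        self.counters[serial] += 1
        body = struct.pack(">IB", self.counters[serial], opcode)
        return body + hmac.new(self.keys[serial], body, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Provision two meters, then exercise genuine, replayed, tampered,
    misdirected and stale-key commands; returns the meter's verdicts."""
    cell = SecuredCell(master=b"\x11" * 32)      # fixed so the run is reproducible
    meter_a, rec_a = cell.provision("ELS-0001")
    _meter_b, rec_b = cell.provision("ELS-0002")
    head = HeadEnd()
    head.load_record(rec_a)
    head.load_record(rec_b)
    out = {}
    frame = head.command("ELS-0001", OP_DISCONNECT)
    out["genuine"] = meter_a.handle(frame)
    out["replay"] = meter_a.handle(frame)
    tampered = frame[:4] + bytes([OP_CONNECT]) + frame[5:]   # flip the opcode
    out["tampered"] = meter_a.handle(tampered)
    out["wrong_meter"] = meter_a.handle(head.command("ELS-0002", OP_CONNECT))
    # New tenant: the cell derives a generation-2 key, the meter installs it
    # (in practice over an update authenticated under the current key), and
    # the utility must load the new record before its commands are accepted.
    _, rec_a2 = cell.provision("ELS-0001", generation=2)
    meter_a.key = rec_a2["key"]
    out["stale_key"] = meter_a.handle(head.command("ELS-0001", OP_CONNECT))
    head.load_record(rec_a2)
    out["after_rekey"] = meter_a.handle(head.command("ELS-0001", OP_CONNECT))
    out["unique_keys"] = len({rec_a["key"], rec_b["key"], rec_a2["key"]}) == 3
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} {verdict}")
```

The point of the model is where the checks sit: the tag and counter are verified on the meter, with a key that exists only on that meter and at the utility, so neither a compromised concentrator nor a leaked key from a neighbouring meter yields a valid disconnect command. Re-provisioning is simply a new key generation; the old record at the head end becomes useless until the new one is loaded, which is the management process the text calls for.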
Road Map and Ramp-up Plan
Although there are no standards designed to address the smart metering and smart grid supply chain specifically, existing standards provide a baseline and others are being enhanced to meet the requirements of smart metering and smart grid programs.
In the U.K., the central Data and Communications Co. (DCC), the function established to manage the data that travels to and from gas and electricity smart meters in households over the wide-area network, will rely on external assurance and certification. This will be achieved via the CESG, which is the U.K. Government’s National Technical Authority for Information Assurance (IA).
CESG is developing Commercial Product Assurance (CPA) security characteristics for smart metering equipment. Once approved by DECC (the Department of Energy and Climate Change) and CESG, they will be published so that equipment manufacturers can have their equipment tested against them.
Meanwhile, in Germany the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has specified the smart meter protection profile (the PP for the Gateway of a Smart Metering System). It is based on the international Common Criteria (CC), secures the communication between the smart meter in each household and the smart grid, and addresses German privacy laws. Meeting these rigorous requirements, together with the profile's focus on a single device, could however delay rollout further.
All stakeholders must have confidence in the standardization and specification process, the markets must be better educated about the tools and technologies available to them, and government and industry must agree on a sufficient rather than a minimum set of security design requirements. Otherwise, the commercial introduction of certified devices can prove challenging.
With a current understanding of threats and the required architecture, it is possible to agree on a road map that gets rollouts underway and a ramp-up plan to assure manufacturers achieve volume. Utilities that have yet to commence commercial smart meter rollouts have the opportunity to address security from the outset, specify options that are well-aligned with the recommendations made by the EC and relevant industry bodies, and avoid the complexity and expense of implementing security in retrospect.
Michael John is solution manager at Elster, where he has played a key role in developing privacy-enhancing technologies for smart grids. He also is involved in the European Commission's Smart Grids Task Force Expert Group 2, which focuses on the regulatory recommendations for privacy, data protection and cybersecurity, and is collaborating with the U.K.'s Department of Energy and Climate Change (DECC) on smart meter security. He is involved in ESMIG's Security and Privacy Group and is engaged in several related groups at member state level in Europe. He is also security coordinator for the PRIME Alliance, whose goal is the development of a global power line standard to enable multivendor interoperability for flexible and efficient smart grid networks.