Is Your Meter Smart Enough to Defend Against Attack?
Sophie Bessin-Py, IoT Security Marketing Communication Manager at Gemalto
As the global need for power and clean energy grows exponentially, traditional energy markets are rapidly transforming. Consumers are evolving into producers, or “prosumers”, by tapping into the sun and wind and investing in renewable micro-generation technologies, or distributed energy resources (DERs). These small-scale “power plants”, located in homes or offices, offer an alternative not just for meeting personal energy needs, but also an opportunity to make a profit and sell power back to the grid. The exchange of accurate and secure real-time consumption and generation data enabled by the smart grid is at the heart of this new economy. Trusted data exchange provides producers, distributors and consumers with unprecedented levels of responsiveness, dynamism and opportunity. And the whole world wins as we reduce our collective reliance on fossil fuels in favor of clean, green but often less predictable energy sources. But how do we secure decentralized global systems?
Every smart grid connection creates a new vulnerability
Every connected device deployed within these vast networks creates a new point of vulnerability, and the incentives for hackers are clear. Some are motivated to manipulate consumption data to reduce bills. Others plan burglaries leveraging stolen information to identify when householders are away, and any database of personal information represents an attractive target for ID theft. Cybercrime is even becoming an extension of some countries’ foreign policy, underlining the urgent need to protect critical infrastructures such as power, water, transportation and healthcare.
Tackling a vast and complex security challenge
The sheer size of the security challenge should not be underestimated. With roll-out underway across Europe, the Americas, Asia and Africa, an estimated 872 million new smart meters are expected to be in use by 2022. Furthermore, the overall energy grid is becoming far more complex. At one end is an increasingly diverse array of energy generators, at the other end, the fast-growing population of smart meters that provide householder identification and accurate real time consumption data. Between the two lie the distribution systems operators (DSOs), receiving information from meters via data concentrators and converting this into actionable business intelligence through their backend systems, or head end systems (HES).
Smart grid security is a shared responsibility where DSOs take the lead
All stakeholders bear important responsibilities in achieving effective smart grid security with DSOs taking the lead in mitigating security risks. In simple terms, there are four critical issues to address. To start with, every single device within a smart grid must be able to prove its identity to the recipient of transmitted data. Likewise, the recipient of the data must also prove its identity to the sender and prove it is authorized to access the information. Strong mutual authentication is critical to establishing trust throughout the network.
In addition, integrity of data must be guaranteed from end-to-end. This means stakeholders must be able to trust data wherever it resides, at rest in the device, in gateways or data concentrators, as data is exchanged over wireless networks, and in the back-end or cloud platform. To protect data at rest or in transit, strong encryption is a must. Encryption renders information useless should an unauthorized party ever intercept it. Finally, any security strategy must plan for reliability and evolving threats over the long lifespan of smart energy solutions. A platform for security lifecycle management is essential to handle the numerous updates that will need to be accommodated to keep a secure infrastructure in place.
Leveraging digital security success to build trust in smart grids
The smart energy sector faces challenges similar to data sensitive sectors, such as mobile financial services, banking and telecommunications. The good news is, digital security solutions have been used effectively for decades in these sectors. To ensure meters and grids are smart enough to defend against attack, DSOs and smart grid actors should take a page from existing playbooks and adopt solutions based on the same, proven principles and technologies. Specifically, public key infrastructure (PKI)-based systems with digital ‘keys’ and authentication certificates issued by certificate authorities (CAs) enable solid credential management.
GlobalPlatform introduces a platform ensuring trust and lifecycle management
In the context of the smart grid, participants should ensure that digital keys are embedded in all energy assets during the manufacturing process. As well as providing a basis to identify genuine devices throughout the network, the presence of these keys ensures tamper-proof data transmission between trusted elements within the network; only devices equipped with the appropriate key sets can encrypt/decrypt information. Keys are ideally provisioned at the time of smart meter manufacture and kept in hardware security containers (such as an embedded Secure Element) to avoid malevolent manufacturing suppliers to steal IDs for cloning or device misuse.
In addition, the solution should support over-the-air lifecycle management, enabling secure updates and revocation of keys as needed over time. Assets will be in the field for an extended period – 10 years or more. New players will join, new end points will be introduced, and security protocols and regulatory demands will inevitably evolve. Thanks to proven security strategies including PKI-based systems, SEs, hardware security modules (HSMs) and remote lifecycle management platforms, stakeholders in the new energy ecosystem can actively participate in protecting smart meters and building trust in the smart grids of the future.