Cyber Security Report

Introduction and Background

This report on ‘Smart Meter Cyber Security Survey’ discusses cyber security issues in smart meters and the associated advance metering infrastructure. It is expected that the global smart meter deployment would cross 800 million by 2020. Several geographies including North America and Europe have achieved a significant portion of their targets already. Smart meters will provide a platform to utilities for optimizing their overall infrastructure, improving efficiency and managing demand-supply in a better way. While these are significant benefits, it is also understood that as software and communications become more pervasive, systems will become prone to previously alien issues – security being one of them. A global picture of the smart metering rollout is presented while illustrating the nuances in system architecture. Several challenges are also presented from a privacy and system security standpoint that must be addressed at the design and rollout phase. The objective is to highlight the fact that security and reliability can’t be isolated from each other. For a system to be dependable, security is just as important as reliability.

While utilities can realize substantial benefits from smart meters and associated platforms, there are also concerns from a security standpoint with a risk of widespread fraud if a security vulnerability is industrialized. Manipulated meter readings can lead to substantial revenue loss for the utility. Presence of features such as a remote connect/disconnect switch can lead to a strategic vulnerability if an adversary is able to get the ability to turn off power from millions of households. Regulation and universal standardization would need to be just right – lack of it can lead to interoperability issues thus limiting the overall benefits a consumer and the industry can get from the ecosystem.

Security and Privacy Landscape

The network operators as well as the energy suppliers will have to conduct frequent Vulnerability/Threat/Risk assessments on their systems to ensure that they understand the system risks as it evolves and appropriate mitigation actions are planned. NERC-CIP Version 5 has already introduced a new standard (NERC-CIP-010-1) to mandate such audits at a defined time interval. The energy regulator must play a significant role in ensure that such activities are monitored at a defined frequency. Incident response and management is another critical area where it is critical to have pre-defined responsibilities for all stakeholders in a complex socio-technical system such as the power infrastructure. The US utilities are mandated through NERC-CIP-08-V5 to have in place a well-defined process to identify, classify and respond to cyber incidents. There must be a clearly defined incident management team and an incident handling procedure that they must follow at times of crisis. While other geographies like Europe, India are working on similar mandatory standards, they are yet to evolve to a mature state. This is absolutely critical for the dependable functioning of the multi-stakeholder modern electricity infrastructure where information sharing between multiple principals during crisis would be inevitable.

In 2014-15 India Smart Grid Forum (ISGF) and NCIIPC (National Critical Information Infrastructure Protection Center) toether conducted a survey of 7 leading utilities in India to understand the cybersecuirty culture and level of preparedness in each organization, commencing from the senior most management, to the actual ground / operational personnel, including those in departments not traditionally associated with cyber security such as Legal or Human Resource Development. The top 10 findings and recommendations of the exercise are now published. More such exercises would be needed globally to identify the cybersecurity postures of utilities and provide them a foundation to lay out their roadmap.

‘Over the air upgrades’ where the smart meter can be programmed with new firmware remotely is an attractive option as it reduces human intervention. However, this much wanted feature does come with its share of potential risks. If proper security measures are not taken, an attacker can patch a meter with his own malicious firmware. The utility can cope up if this attack leads to a localized compromise of a single meter. However, if the attack can be propagated to a larger install base, it can lead to serious problems; as we have already agreed, manually updating firmware isn’t easy from a cost as well as manpower standpoint.

The functionality of remote connect/disconnect can however lead to serious strategic vulnerabilities – an attacker who can gain of a head-end can remotely turn off the meters it can talk to. An attack on a higher level system can be even more devastating. Again, it will require well thought of security architectures to ensure that such a scenario does not happen and even if it does, there are mechanisms built-in which can let the utility wrestle back control of its meters from the attacker. This is why appropriate security controls are required at a broader level (not just smart metering!). These security controls are both, technical and procedural in nature, and require the Chief Information Security Officer (CISO), in cognizance with the senior management, to show the way forward in securing the security landscape of the utility.

In Europe, citizens have the right, under section 8 of the European Convention on Human Rights, to respect for the privacy of their family life. European privacy law was principally expressed in the IT sphere via the Data Protection Directive according to which personally identifiable information may be collected for the purpose of performance of a contract or enforcement of a legal obligation, but it may be processed only in so far as it is adequate, relevant and not excessive in relation to these purposes. This directive is now being replaced with the General Data Protection Regulation (GDPR) with a view to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Also, it is important to note that data-collection is just but one part of the overall privacy landscape. It is equally important to clearly articulate access control policies for such data – something which we did not find mentioned explicitly in most smart metering projects. Depending on the system architecture, the network operator or/and the energy supplier may be the custodian of this data. In many countries, regulation requires that meter data needed for billing purpose be stored for a prolonged period of time (7 years in Ireland for instance). It is however not clear yet whether all other data gathered from meters would also have to be (or should be) stored for such a prolonged duration. It is also important to note that information rests in more than one places in the entire infrastructure: meters, the head-ends and the back-end systems. We are yet to see how some of the guidelines on minimizing data retention in multiple parts of the eco-system and destroying it once no longer needed is being implemented in the rollout projects. The ‘Meter-ON’ project report does mention that out of the 8 projects reviewed, 7  had elements of security and they did so by “…the use of the cyber security mechanisms defined in the communication protocol used. However, any explicit information about where and how this data is being stored, the Confidentiality, Integrity and Availability requirements and how is role based access control implemented and monitored is still missing. Most of the Privacy Impact Assessments highlight the importance of explicit consumer consent before the custodian of their data decides to share it with any other principal. Many of the project rollouts don’t mention if they intend to share this data with anyone else and if so, what is the mechanism to gather consent from consumers.