By Garry Bentlin, National Director of Cyber Security, Deloitte, and Roger Jeffrey, Consulting Partner, Deloitte Energy & Resources
Data security is a critical focus area for modern, digital utilities, with smart meters at the frontline for potential attack. Garry Bentlin and Roger Jeffrey outline the key risks utilities need to consider when it comes to the security of their metering technology, and provide strategies to mitigate these risks.
Smart meters are no longer an emerging technology. They are central to the functioning of smarter electricity networks, allowing utilities to provide dynamic pricing services, demand response, and better management.
Smart meters enable better environmental performance and greater efficiencies by reducing overall energy consumption, enabling the integration of renewable or alternative technologies, and providing support for smart appliances and electric vehicles.
For consumers, benefits include supporting smart appliances which can take advantage of off-peak savings, automated control of power levels in appliances such as air conditioners, online viewing of power consumption via web portals, and options for the integration of renewable energy sources.
Smart meters are a maturing technology underpinned by computing capability. Lessons have been learned by smart meter vendors and users from the principles used to protect information technology environments, but breaches will still occur and organisations need to be prepared. One of the key risks in IT, which is now emerging in smart metering, is the end user, who may be ignorant of the cyber security issues in their home environment introduced by smart appliances connected to the meter.
Those utilities considering the use of Internet of Things (IoT) devices, such as cameras, need to be aware that these technologies are still maturing and are only now commencing the security development lifecycle in response to significant security breaches.
Risks to consider, and mitigations
Stricter standards and controls over technologies that have been identified, tested, implemented and used for a number of years demonstrate the maturing capabilities and protection mechanisms of smart meters.
Smart meters use wireless communications and are thus vulnerable to attacks at the network layer, where there are none of the physical protections inherent in wired networks. Mesh or wireless networks can be attacked by a malicious actor via methods such as impersonating mobile towers, authentication attacks, and encryption attacks on the traffic between the meter and the upstream relays or access points. As such, security design considerations need to include strong authentication and encrypted management of credentials.
Smart meters have followed the lifecycle of IT assets and software. Immature emerging technologies are easily compromised due to time-to-market pressure and a lack of understanding of the vulnerabilities inherent to the technology.
As the technology becomes more prevalent, it becomes a target for malicious actors and the maturity curve increases as regulators, the public, and vendors respond to concerns and breaches. Standards are developed and organisations purchase technologies that meet the standards to reduce risk and maintain availability of service.
From a consumer’s perspective, smart meters connect smart appliances in the home. These implementations have been known to contain serious cyber vulnerabilities. As smart meters do not contain the processing power and memory resources of other computing devices, they lack the capacity to include the basic security checks more mature systems perform.
Malicious attackers can therefore try to use these networks to impersonate a device and take control of other devices in the home. The potential exists for an attacker to hijack connected home systems via the smart meter, including smart door locks.
Consumers will need to be educated to ensure their smart appliances can be updated regularly and robustly to avoid compromise by an attacker using commonly available hacking toolkits.
The responsibility for security then moves down the supply chain to the consumer in the home, who possesses the refrigerators, smart televisions, and other connected devices, but may be ignorant of the need to update these devices to avoid security incidents directly affecting them. Retailers providing smart metering capability should consider educating customers to reduce the risk of consumer compromise and breaches of privacy.
IoT devices are repeating the same journey from emerging technology to mature deployments, but the legacy of mass-produced cheap devices adopted in their millions has already resulted in the largest ever number of denial-of-service attacks experienced on the internet.
For example, the Mirai virus infected hundreds of thousands of IoT devices. These were used to launch multiple internet attacks, which blocked a large number of popular internet services. IoT devices are now being subjected to the maturity roadmap of examination and rigour that smart meters have undergone previously.
What can organisations responsible for smart meters do?
Identify which advanced metering infrastructure assets are vulnerable to malicious attacks.
Understand what your baseline environment is, what assets are deployed, and what vulnerabilities they possess. Use encryption to protect wireless communications.
Vigilance via proactive monitoring is critical. Organisations must gather event data and constantly monitor activities to find and correlate patterns that can indicate an attack, and expand the scope of monitoring and security tests to include the advanced metering infrastructure.
Integrate commercial, public, and open-source threat intelligence into the monitoring platforms and risk reporting, to enable detection of threats pertinent to the electricity sector. These could include disgruntled employees, activists, or third parties who have been compromised by hackers looking to penetrate the network.
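The monitoring step above calls for correlating event data from the advanced metering infrastructure to surface attack patterns. The following added example (not from the article or from any vendor product) applies two of the page's own concerns, authentication attacks and meters reporting through an unexpected relay or access point, to constructed head-end log lines; the log format, field names, relay inventory and thresholds are all assumptions for illustration.

```python
# Added example: correlate constructed AMI head-end authentication events to
# flag (a) a burst of failed meter authentications and (b) a meter attaching
# to a relay/access point that is not in the baseline inventory.
# The event format, relay names and thresholds are assumptions, not a
# real vendor log format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, meter id, relay the meter used, result
SAMPLE_EVENTS = """\
2024-03-01T02:00:01Z M-1001 RELAY-07 AUTH_OK
2024-03-01T02:00:05Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:00:06Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:00:07Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:00:08Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:00:09Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:00:09Z M-1002 RELAY-07 AUTH_FAIL
2024-03-01T02:30:00Z M-1003 RELAY-99 AUTH_OK
2024-03-01T03:00:00Z M-1001 RELAY-07 AUTH_OK
"""

KNOWN_RELAYS = {"RELAY-07", "RELAY-08"}   # baseline inventory (assumed)
FAIL_THRESHOLD = 5                        # failures within WINDOW to alert
WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Parse the constructed line format into (timestamp, meter, relay, result)."""
    events = []
    for line in text.splitlines():
        ts, meter, relay, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), meter, relay, result))
    return events

def detect(events, known_relays=KNOWN_RELAYS):
    """Return a list of (meter, alert) tuples, at most one burst alert per burst."""
    alerts = []
    fails = defaultdict(list)   # meter -> timestamps of recent AUTH_FAIL events
    for ts, meter, relay, result in sorted(events):
        if relay not in known_relays:
            alerts.append((meter, f"unknown relay {relay}"))
        if result == "AUTH_FAIL":
            # keep only failures inside the sliding window, then add this one
            fails[meter] = [t for t in fails[meter] if ts - t <= WINDOW] + [ts]
            if len(fails[meter]) == FAIL_THRESHOLD:
                alerts.append((meter, f"{FAIL_THRESHOLD} auth failures within {WINDOW}"))
    return alerts

if __name__ == "__main__":
    for meter, alert in detect(parse_events(SAMPLE_EVENTS)):
        print(meter, alert)
```

In practice the relay inventory and threshold would come from the baseline the page tells you to establish, and the alerts would feed the same platform that ingests the threat intelligence.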
Ensure the organisation’s stakeholders understand all the inherent risks. Utilities must understand that a breach could expose regulatory data or customers’ personal information. Breach management for smart networks is a complex area, as there are many parties involved, for example the retailer, the distributor, and the customer. Breaches of customer information could occur anywhere in this supply chain and be attributed to the wrong party.
Smart meter technology has matured, but as with all technologies, risks still exist. Cyber-attack risk is managed using the same process as other business risks, by implementing appropriate controls to manage and minimise the risk. However, organisations must still be prepared for a breach to occur, from an internal or external source, and have tested response plans in place.