With cyber attacks and data losses affecting many companies, utility companies need to consider what customer data could and will be held on smart meters and associated IT systems, and make sure that they have the right security controls in place to protect this information. Prosenjit Dutta, head of advanced metering infrastructure (AMI) practice within the Utilities division of Infosys, explains.
The feedback we’ve received from some of our utility customers has shown that they are faced with between 800 and 1,000 attacks on their networks each month, and whilst this isn’t necessarily strictly related to smart meters, it does highlight the need to have security controls in place before mass smart meter roll-outs, when huge amounts of customer data will be stored and transmitted across the communication network and various support systems.
By taking a systematic approach to security, organisations can identify and prioritise key areas to ensure information is protected. A first step is for utility companies to ensure that a full security assessment is completed on their systems and networks to identify any potential security pain points. Currently, there is no set way in which infrastructure security issues can be identified and anticipated, meaning that more standards are required to protect not only customer experience, but personal information. Additionally, given the raft of personal information which each utility holds, any losses could have a significant impact not only on customer privacy, but also on the reputation of that utility.
Traditionally, security was a reactive task for organisations and was only considered when something went wrong. It is now clear that utilities need to take a proactive stance when it comes to the security and privacy capabilities of their network.
Lessons can be learnt from US utility companies, with the most important including getting smart meter standards in place from the outset. In the US, the National Institute of Standards and Technology (an agency of the US Department of Energy) oversees not only the management of these standards, but also the development of testing, measurements, and the reference materials needed to ensure the quality of energy related products and services whilst ensuring fairness in the market.
The UK government has taken some positive steps with the establishment of a central change programme – the Smart Metering Implementation Programme Prospectus, which sets out plans for the mass roll-out of smart meters (estimated to be worth £7.2bn). As a result, we are starting to see clients become more proactive with regard to their security processes to future-proof their smart meter networks. If privacy and security processes are locked in place from the outset, then this will in turn increase privacy measures to protect customers.
An advanced metering infrastructure (AMI) is widely known to be the basic building block for the smart grid enabled utility of the future. However, in an AMI enabled environment, the initial and biggest challenge a utility will face is the surge of customer data and the strain on the network which could expose it to a variety of vulnerabilities.
Key vulnerabilities currently facing AMI ecosystems include:
• End point devices (meters, gateways and data collectors) – denial of service, unauthorised access to devices, modification of customer data, firmware/data extraction, circuit analysis, etc.
• Utility’s datacentre (collection engine and upstream systems) – spurious device reprogramming and remote disconnect requests originating from customer information systems.
• Communication network (HAN, WAN backhaul and RF mesh) – man in the middle, masquerade, service spoofing, encryption key theft, etc.
To mitigate the risks and vulnerabilities posed by AMI adoption, it is recommended that utilities engage in an upstream assessment of their existing systems and AMI impacts. This process has to be iterative and subsequently needs to be practiced even during steady state, once the AMI roll-out starts or is fully completed.
For utilities with AMI deployments in progress, or near completion, instead of responding to security events in a reactive mode, they should proactively pull data from smart meters at defined intervals and run correlation logic to identify and subsequently address possible vulnerabilities. Based on our observation, most utilities are currently handling AMI security threats in a reactive mode, which clearly needs to be changed.
It is therefore important that utilities modify their strategy to handle threats proactively by gathering near-real-time information from smart meters. The adoption of proactive security practices should be enabled with real-time dashboards that alert system administrators of possible attacks. This should be backed up by tools to counter such attacks, resulting in a system that is made progressively secure.
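The interval polling and correlation described above can be sketched as follows. This is an added example, not code from Infosys or any AMI vendor; the poll record fields, the CIS order list, the approved firmware set and the time window are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample polls; field names and values are assumptions for illustration.
POLLS = [
    {"meter": "M1", "t": 100, "fw": "1.2", "tamper": False, "relay": "closed"},
    {"meter": "M1", "t": 200, "fw": "1.2", "tamper": False, "relay": "open"},
    {"meter": "M2", "t": 100, "fw": "1.2", "tamper": False, "relay": "closed"},
    {"meter": "M2", "t": 200, "fw": "9.9", "tamper": True, "relay": "closed"},
    {"meter": "M3", "t": 100, "fw": "1.2", "tamper": False, "relay": "closed"},
    {"meter": "M3", "t": 200, "fw": "1.3", "tamper": False, "relay": "open"},
]
CIS_DISCONNECT_ORDERS = {("M3", 150)}  # (meter, order time) recorded in the CIS
APPROVED_FIRMWARE = {"1.2", "1.3"}     # versions released by the utility
ORDER_WINDOW = 100                     # max age of an order before the relay opens

def correlate(polls, orders, approved_fw, window=ORDER_WINDOW):
    """Return sorted (meter, time, finding) alerts from consecutive polls."""
    by_meter = defaultdict(list)
    for p in sorted(polls, key=lambda p: (p["meter"], p["t"])):
        by_meter[p["meter"]].append(p)
    alerts = []
    for meter, series in by_meter.items():
        prev = None
        for cur in series:
            # Firmware not on the approved list: possible unauthorised reprogramming.
            if cur["fw"] not in approved_fw:
                alerts.append((meter, cur["t"], "unapproved firmware " + cur["fw"]))
            if cur["tamper"]:
                alerts.append((meter, cur["t"], "tamper flag set"))
            # Relay opened between polls: require a matching CIS order in the window.
            if prev and prev["relay"] == "closed" and cur["relay"] == "open":
                authorised = any(m == meter and cur["t"] - window <= t <= cur["t"]
                                 for m, t in orders)
                if not authorised:
                    alerts.append((meter, cur["t"], "disconnect without CIS order"))
            prev = cur
    return sorted(alerts)

if __name__ == "__main__":
    for alert in correlate(POLLS, CIS_DISCONNECT_ORDERS, APPROVED_FIRMWARE):
        print(alert)
```

The returned list is the kind of feed a dashboard would surface to system administrators; M3's disconnect raises no alert because a CIS order precedes it inside the window.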
There are a number of ways utilities can ensure customer data is secured in a smart meter environment, such as implementing electronic perimeter security, securing the device itself, protecting devices from tampering and, given the lack of mandated security standards, safeguarding AMI through isolated and proprietary standards. But most importantly of all, utilities need to be more proactive when protecting customer information, for example by fixing an issue before it becomes a problem. This is the only way to protect the utility’s own network and, as a result, customer information.