AMI AND SMART METERING

SECURING THE SMART METER SUPPLY CHAIN

By Bernd Schumacher, Elster EnergyICT

Briefly put: The need for security in smart metering is well understood. But ensuring security from end-to-end means addressing potential issues at each stage of the meter’s lifecycle.

Security issues have attracted more attention as smart meter rollouts have progressed. Consumers have expressed concerns about the privacy of their data, which has led to delays in smart metering programs in the US and the Netherlands. As this was not an area of focus before and there were no specifications in place, in Europe there have been instances of smart metering implementations where the necessary features are not enabled or older forms of encryption are used.

The industry is currently working closely with governments and consumer groups to address the issue of security. Technical specifications continue to evolve, while new or revised security and data privacy mandates may still be introduced. The European Commission’s Smart Grids Task Force now requires that security and privacy be addressed even at the pilot stage of a smart metering program. There are also more governments taking the lead on smart metering programs, which often means more involvement from the regulator or national ministry.

This is why information security has to be a core part of smart metering rollouts from the start. Utilities can avoid scenarios where infrastructure must be upgraded or replaced to meet new requirements if end-to-end security is embedded within system design. With several utilities in Europe nearing an installed base of a million smart meters or more, it is important they recognize that security is not just about enabling the technical features on the smart meter, but ensuring the underlying processes are managed in a secure and trusted way across the supply chain.

Smart metering lifecycle

The lifecycle of the smart meter begins at the design and engineering phase.
It is then manufactured and delivered to the party responsible for installing it at the premises of the consumer, at which point, it moves into the operational phase and becomes part of the smart metering network. Finally, at end-of-life, the smart meter must be decommissioned to ensure remaining sensitive data such as security credentials and personal information is disposed of securely.

At each phase of the smart meter lifecycle, an unauthorized third party might attempt to gain access to sensitive data and use it to launch a malicious attack on either a consumer or an organization. For example, if architecture design is not robust, an attacker could potentially manipulate the smart meter, data concentrator, or gateways in order to disconnect the supply of electricity. A large scale disconnect across multiple households would not only cause inconvenience to the residents in those locations, but may also lead to issues with the grid itself – such as a power outage.

Other potential security threats include tampering with meter data in order to manipulate the outcome of billing, or the leakage of personal information and utility-related data that could provide attackers with insight into a householder’s behavior. Known as a ‘consumption signature’, this type of information can be used to work out the times of day the householder is absent from a property, as well as the types of electronic appliances they own. The attacker would need to be highly sophisticated and have significant resources at their disposal. However, given that data concentrators might not be located within secure premises, there is the potential for unauthorized parties to gain access to the sensitive data they hold by physically breaking into them.

Security by design

From the outset, the smart meter engineering process must be suitably robust.
If a meter crashes (or is made to crash), attackers could potentially exploit this possibility either by injecting code or executing existing code that would allow them to manipulate the meter. Likewise, the engineering of firmware – i.e. software closely tied to the hardware components of the device – must be robust. Here, functional testing is necessary to ensure it is resistant to malware disguised as standardized communications protocols.

Secure firmware engineering will be essential for meter manufacturers moving forward. As recent history has shown, attackers are more likely to target the means of production, and there have been several cases of USB sticks shipping direct from offshore factories that contained malware. As such, even if a product is certified as being functionally compliant to the relevant standards, it doesn’t necessarily mean it is secure, or indeed that there is authentic firmware on it.

This is why a ‘security and data protection by design’ approach is recommended whereby data protection and security features are built into smart metering systems before they are rolled out. In the world of IT, robust security design is based on end-to-end communications where the receiver can prove the identity of the sender and knows that the message has not been tampered with in transit.

Building a trust provisioning model

Manufacturers, for example, are trusted for engineering and producing secure and reliable products. To assure all stakeholders (utilities, meter network operators, consumers) that the engineering and production processes of manufacturers are secure, manufacturers can express conformity by obtaining a dedicated certification, for example ISO 27001, the international standard for information security management. In Europe, some manufacturers have created what is effectively a secured cell within their factories.
As shown in Figure 1, the meter enters one end of the cell as an untrusted and unsecured device and emerges at the other end fully sealed and provisioned with

METERING INTERNATIONAL ISSUE - 4 | 2014
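
The end-to-end property described under "Security by design" (the receiver can prove who sent a message and that it was not altered in transit), applied to the billing-tampering threat named earlier, as an added example that is not part of the original article. The meter IDs, keys, message fields and the choice of HMAC-SHA256 with a per-meter key are assumptions made for illustration; the example goes slightly beyond the text by also rejecting replayed messages.

```python
import hashlib
import hmac
import struct

# Constructed per-meter keys (assumption: each meter holds a unique secret
# that the utility's head-end system also knows).
METER_KEYS = {
    "MTR-0001": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "MTR-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

def compute_tag(key, meter_id, counter, reading_wh):
    # Authenticate every field; the ID is length-prefixed so fields cannot shift.
    mid = meter_id.encode()
    body = struct.pack(">H", len(mid)) + mid + struct.pack(">QQ", counter, reading_wh)
    return hmac.new(key, body, hashlib.sha256).digest()

def seal(meter_id, counter, reading_wh):
    """Meter side: attach an authentication tag to a reading."""
    tag = compute_tag(METER_KEYS[meter_id], meter_id, counter, reading_wh)
    return {"meter_id": meter_id, "counter": counter,
            "reading_wh": reading_wh, "tag": tag}

class HeadEnd:
    """Receiver side: accept a reading only if sender and content verify."""
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per meter

    def accept(self, msg):
        key = self.keys.get(msg["meter_id"])
        if key is None:
            return "unknown-sender"
        expected = compute_tag(key, msg["meter_id"], msg["counter"], msg["reading_wh"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"  # altered in transit, or sealed with another key
        # Checked only after the tag, so forged messages cannot move the counter.
        if msg["counter"] <= self.last_counter.get(msg["meter_id"], -1):
            return "replay"
        self.last_counter[msg["meter_id"]] = msg["counter"]
        return "ok"

def demo():
    head_end = HeadEnd(METER_KEYS)
    genuine = seal("MTR-0001", 1, 15230)
    tampered = dict(genuine, reading_wh=230)  # reading lowered in transit
    relabeled = dict(seal("MTR-0002", 1, 15230), meter_id="MTR-0001")
    return [head_end.accept(m) for m in (genuine, tampered, relabeled, genuine)]
```
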