We Need to Increase Smart Meter Security to Protect Homeowners
- Aug 16, 2021 8:42 pm GMT
Smart meters have become remarkably popular in their relatively short history. Advanced metering infrastructure (AMI) installations doubled between 2010 and 2017, with more than half of U.S. electricity customers using them. While these systems can bring substantial improvements to both utilities and customers, several security concerns have emerged.
AMI’s two-way wireless connectivity introduces cybersecurity risks as it expands grid visibility. As cybercrime against critical infrastructure becomes an increasingly prominent threat, the need for better industry security standards grows all the clearer. If the energy industry hopes to capitalize on AMI fully, it’ll need better smart meter security.
Smart Meter Security Concerns
The same features that make smart meters so helpful to utilities and consumers make them vulnerable to hackers. These devices often feature minimal, if any, built-in security and send information over unsecured networks. As a result, hackers could gain wireless access to homeowners’ meters and use them to disrupt or control their electricity.
These fears aren’t unfounded, either, as hackers have already committed grid-wide attacks on smart energy infrastructure. In 2015, a Russian hacking collective attacked three Ukrainian electrical utilities, affecting more than 225,000 customers. Since then, AMI installations have only increased, expanding grids’ attack surface.
More recently, cybersecurity company Mandiant hacked and switched off a smart meter to demonstrate how easy it is. Using nothing but publicly available hacking tools, the team was able to gain administrator-level access to the electrical system. As cyberattacks grow in both frequency and severity, these threats become more concerning.
Developing Smart Meter Security Standards
In response to these rising threats, the national energy industry must develop smart meter security standards. Just as the National Electrical Code specifies appropriate applications and installation practices for wiring, similar regulations should specify minimum cybersecurity requirements. Other industries already have such standards.
For example, Department of Defense (DoD) contractors must comply with the Cybersecurity Maturity Model Certification (CMMC) to obtain DoD contracts. Similarly, cybersecurity accounts for a considerable portion of HIPAA regulations applying to medical companies. Given rising cybercrime, energy authorities may develop similar standards. Until then, utilities must take security into their own hands.
Smart meter security standards should seek to address AMI’s most glaring vulnerabilities. The areas that deserve the most attention are identity and access controls, network segmentation, software updates, and built-in device security.
Identity Verification and Access Controls
The first area of AMI security to address is implementing a system to identify devices and users. Smart meters and all other internet of things (IoT) devices on the grid should contain unique identifiers and be unclonable. A more specific identity system like this will clarify which device data is flowing through and who is accessing it.
This visibility is the first step towards enacting stricter access controls. After AMI installations have a way to verify device identity, they can restrict access to authorized devices. If they can’t verify a device’s identity or a device doesn’t belong to the specific customer or utility, they should deny it access.
Utility companies should even restrict access among their employees. The fewer people and devices that can access a smart meter’s data, the less risk there is of a breach.
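The deny-by-default check described in this section, sketched as an added example (not code from the article or from any AMI product). The registry, device IDs, account names and the HMAC challenge-response scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed registry: device ID -> (per-device secret, owning account).
# Assumption: on a real meter the secret sits in tamper-resistant hardware,
# which is what makes the identity hard to clone.
REGISTRY = {
    "meter-0001": (bytes.fromhex("11" * 32), "acct-A"),
    "meter-0002": (bytes.fromhex("22" * 32), "acct-B"),
}

def new_challenge() -> bytes:
    """Fresh random nonce so a captured response cannot be replayed."""
    return secrets.token_bytes(16)

def device_response(secret: bytes, device_id: str, challenge: bytes) -> bytes:
    """What a genuine meter computes: HMAC over its own ID and the nonce."""
    msg = device_id.encode() + b"|" + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()

def authorize(device_id: str, account: str,
              challenge: bytes, response: bytes) -> Tuple[bool, str]:
    """Head-end check: allow only a verified device on its own account."""
    entry = REGISTRY.get(device_id)
    if entry is None:
        return False, "unknown device"
    secret, owner = entry
    expected = device_response(secret, device_id, challenge)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, response):
        return False, "identity not verified"
    if owner != account:
        return False, "device not bound to this account"
    return True, "ok"

if __name__ == "__main__":
    nonce = new_challenge()
    resp = device_response(REGISTRY["meter-0001"][0], "meter-0001", nonce)
    print(authorize("meter-0001", "acct-A", nonce, resp))
    print(authorize("meter-0001", "acct-B", nonce, resp))
```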
Segmentation is another crucial step for AMI security. One of the most significant threats with the IoT is that seemingly insignificant devices can act as gateways to more critical systems and data. In electrical grids, this may look like a hacker using one resident’s smart meter to infiltrate and shut down multiple parts of the grid.
The way to mitigate this threat is to keep different parts of the network separate. One meter should not be able to act as a doorway to another. Achieving this will likely take a two-step process: first hosting devices on separate communication networks, then isolating critical infrastructure on separate micro-grids.
In a worst-case scenario, ensuring power to critical infrastructure is essential. Keeping it separate from other AMI-enabled networks ensures that a breach on less critical devices won’t jeopardize it. While segmentation won’t decrease the chances of a cyberattack, it will mitigate its impact.
One easily overlooked yet straightforward aspect of smart grid security is software updates. Cybersecurity is an ongoing process in which software developers must continually release patches as hackers find new vulnerabilities. If utilities don’t keep their AMI updated, they’ll remain vulnerable to these exploits.
Many companies fail to keep IoT devices like smart meters updated. A 2020 study found that 57% of all IoT devices are vulnerable to medium- or high-severity attacks, largely because of outdated software. Electric companies must enable automatic updates across their AMI deployments to prevent these vulnerabilities.
Implementing an update verification system is also crucial. Over-the-air updates allow hackers to send malicious code to devices in the guise of an update. Identification systems that verify updates before downloading them help mitigate this risk.
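One way a meter could verify an over-the-air update, as an added example that is not from the article: the small manifest is authenticated before the image is fetched, then the image is checked against it and against the installed version. The manifest fields, the demo key and the use of HMAC are assumptions; a production scheme would use an asymmetric signature so that meters hold only a public verification key.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption, see lead-in). Never ship a shared secret
# like this in real firmware.
VENDOR_KEY = b"constructed-demo-key-not-for-production"

def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_update(version: int, image: bytes):
    """Build a (manifest, tag) pair for a firmware image."""
    manifest = {
        "model": "demo-meter",  # hypothetical model name
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return manifest, sign_manifest(manifest)

def verify_update(manifest: dict, tag: str, image: bytes,
                  installed_version: int, key: bytes = VENDOR_KEY) -> str:
    """Meter side: return 'install' or the reason for rejecting the update."""
    # 1. Authenticate the manifest first, before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "reject: manifest not authenticated"
    # 2. The downloaded image must be exactly the one the manifest names.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return "reject: image does not match manifest"
    # 3. A genuine but older image is still refused, which blocks
    #    downgrades to firmware with known flaws.
    if manifest.get("version", 0) <= installed_version:
        return "reject: rollback or replayed update"
    return "install"

if __name__ == "__main__":
    image = b"constructed firmware image v7"
    manifest, tag = make_update(7, image)
    print(verify_update(manifest, tag, image, installed_version=6))
    print(verify_update(manifest, tag, image + b"!", installed_version=6))
```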
Security by Design
Finally, smart meters must be secure by design. While applying additional security measures to networks is crucial, these devices need better built-in security as well. To achieve this goal, electric companies can analyze their smart devices for vulnerabilities in production to find and fix potential hazards.
There are multiple ways to discover IoT vulnerabilities, but research shows that code-level analysis is best. This involves probing a device’s code to find ways a hacker could potentially gain access to it. In a 2019 test, code-level analysis found nine smart meter vulnerabilities in an hour, while design-level analysis only found three.
By understanding these vulnerabilities from the start, utility companies can design more secure AMI devices. More security by design will improve the effectiveness of other security measures.
Smart Meter Security Is Essential
Smart meters are an indispensable part of modern electrical grids, but current vulnerabilities limit their potential. If the U.S. is to benefit fully from these devices, it must raise industry security standards. Otherwise, the risks outweigh the advantages.
Attacks against AMI deployments can be devastating, but these devices don’t have to be vulnerable. Developing standards around these security considerations can protect both homeowners and critical infrastructure. It likely won’t be an easy transition, but it’s a necessary one.