Why smart meters need smarter security
Internet-connected smart meters are gaining traction in the energy space but security must be considered, says Rueven Harrison.
Why smart meters need smarter security
The concept of smart energy meters has been embraced by both energy companies enticed by the organisational efficiencies they promise – no more need for an army of people to roam the streets reading meters manually, for example. Politicians too have also welcomed them, sold on the idea such devices are central to meeting green energy reduction targets and in helping consumers manage their burgeoning energy bills.
The official UK smart meter roll-out is due to begin next year and be completed by 2020, although large energy suppliers are already making steady progress with installations. By June 2014, smart meters accounted for around 0.7 percent of all domestic meters managed by large suppliers, as well as 18.9 percent of meters installed in smaller non-domestic sites.
The network-connected meters send regular details of households' and businesses' energy use back to providers, where patterns of consumption can be analysed in detail. Potentially, this data can give people accurate information on how to lower energy use and reduce bills. And increasingly, networked sensors and switches will be able to turn off lights and other equipment when people aren't in a room, or efficiently adjust a building's heating according to known patterns of occupancy.
But since the initial flurry of hype and excitement, there has been a great deal of concern about the potential for these devices to be hacked or tampered with, and of data pertaining to people's energy consumption to be misused by governments, businesses or criminals.
Some of the most respected names in IT security, as well as campaign groups and the wider media, have expressed doubts about the ability of the industry to secure smart meters effectively. For example, they have detailed their well-founded worries over the potential for invasion of privacy (granular data can reveal a lot about people's lifestyles and habits), fraud and even cyber-terrorism (most smart meters are fitted with a ‘kill' switch that allows energy companies to disconnect people's supply remotely).
The latter is no idle threat. In January, CrowdStrike released a report saying hackers with ties to the Russian Federation had used a piece of malware known as the Havex Trojan to target US oil and gas companies. Meanwhile, in a test last November, a Berlin IT security firm successfully hacked into a utility's control systems and could have cut off power, water and gas to the entire German town of Ettingen.
Such concerns are being more widely expressed (and increasingly demonstrated to be real). The energy industry, IT industry and security profession must come together urgently to address these issues from every angle. The task at hand is even more complex than that faced by the banks.
Like bank ATMs, all smart meters will need to be both adequately firewalled and protected from physical attack – except there will be many more of them to manage than there are cashpoints. Similarly, just like the banks, energy companies must deploy myriad technologies and processes that are continually effective at monitoring and protecting access to data, networks and systems end to end. It requires a change of mind-set, energy companies haven't traditionally held high-worth data but smart meters change that. The lack of systems, processes and experience of dealing with regular cyber-threats will undoubtedly make them attractive to hackers.
Simultaneously, the energy sector has to manage the physical logistics of replacing millions of devices in people's homes, as well as implementing the IPv6 infrastructure that will be necessary to support the continued proliferation of internet-connected smart devices in homes and businesses.
Energy companies must take step to ensure their networks are adequately segmented, access strictly controlled, and the effect of system, process or policy changes (of which there are likely to be many) effectively monitored to ensure these don't introduce new vulnerabilities. Security-conscious firms need to know what and where their sensitive assets exist in order to best protect them. The cornerstone of protecting these assets is with restrictive access controls such as network segmentation, blocking off sensitive areas of the network from less sensitive areas of the network to contain a lateral movement of a cyber-attacker once within the network.
The stakes are high, and if the energy sector fails to take heed of the warnings, there could be a backlash against smart meters that could scupper their touted potential to bring big benefits to energy consumers, suppliers and the environment alike.
Rueven Harrison is CTO and co-founder of Tufin Technologies.