Grid lock: cybersecurity for smart meters

Smart meters will revolutionize the way we use and pay for our energy, but they can also be a back door for malicious hackers. Willem Strabbing, Managing Director of ESMIG (the European smart energy solution providers), the body representing European metering companies, shares his views on the steps being taken to secure the smart grid.

What is ESMIG doing to encourage cybersecurity best practice among its members?

"The Security and Privacy Group of ESMIG has defined a common set of security requirements for smart meters, based on the requirements found in EU member states. The meters produced by ESMIG members comply with these requirements. Currently, we are defining a security certification approach using the common requirements as a starting point. The next step will be pilots to certify meters produced by ESMIG. This process will not only lead to a more security-focused development and operation, but also more trust in the product."

Can you tell us about any new standards or legislation that is being introduced to boost security in the smart grid?

"ESMIG is reviewing and commenting on new regulations for data protection and cybersecurity. The Cyber Security Act is explicitly demanding the development and implementation of European certification approaches in order to prevent further fragmentation. At this moment there are already four different certification processes in place for smart meters. The meter data collectors are obliged to perform a data protection impact assessment, to make it clear what data they are collecting, for what purpose and how they protect this data against risks such as loss, modification and illegal access."

There are always risks when introducing new technology. Why are smart meters so much better than what we already have?

"The reasons for introducing smart meters are multiple. In the first place, the digitalization of technology leads to new types of meters when they are replaced. The replacement of meters has been accelerated because the transition of the energy systems requires more functionalities in meters. For example, the introduction of multiple and dynamic energy tariffs in meters enables demand response: the price of energy consumption can increase when there is a lack of energy generation. This lack can occur because we are shifting to natural, sustainable resources such as solar and wind power. Furthermore, smart meters provide near real-time data to consumers, so display functions (in home display or smartphone apps, for example) can give consumers detailed insight into their energy consumption and generation."

What would you say to consumers who are concerned about the potential privacy issues that smart meters raise? For instance, those who have concerns about their data being sold/exposed to the external world, which can build up individual profiles of their behavior.

"In general, the digitalization of consumer products introduces new risks regarding access to personal data. That is why the European Commission introduced the new legislation (mentioned above) to protect the privacy of consumers. Since smart metering is a regulated business, there is a much stronger government supervision of this process as compared to commercial infrastructure-related services such as phone, TV and internet. Meter data cannot be exchanged with third parties (beyond the consumer and meter data collector) without explicit and documented consent from the consumer."

Are smart grid managers aware enough of cybersecurity best practices to fight against hacking threats or private data theft?

"Cybersecurity is a new topic for the traditional utility business, introduced because of the digitalization of the grid. We see that these utilities are aware of the new risks and are exchanging best practices to mitigate those risks. New organizations have been created for sharing information regarding security breaches and the possible countermeasures to be taken, so it is a process under development. Either way, when awareness and best practices to deal with vulnerabilities are in place, there is still no guarantee that the system cannot be compromised. So, ensuring that infrastructure is continuously monitored for potential security breaches is a very important, new process that needs to be put in place."
