Why every smart meter needs its own identity
Estimated reading time: 5 minutes
Smart grids comprise thousands of smart meters – all in constant 'conversation' with each other and with network managers. How can providers keep their operations efficient and secure? The answer is to give every meter a unique identity...
The age of the smart meter is well underway. There could be nearly 250 million of these intelligent energy devices installed in the EU alone by 2026. This is exciting news. Smart grids have the potential to make power distribution much more efficient – reducing costs and environmental impact.
But smart meters are much more vulnerable to cyberattack than the ‘dumb’ devices that went before them. There’s an ever present risk that hackers can take control of a meter or intercept the sensitive data traversing the network. The consequence? Everything from personal data breaches to national blackouts.
Security experts agree that the best way to mitigate the risk is with a built-in security architecture that is reliable for the entire device lifetime – one that is embraced by all ecosystem partners.
And this security architecture must start with smart meter identity. In simple terms, stakeholders must provision encrypted keys in cryptographic hardware to ensure every meter is unique – and resistant to take over.
In this article, we will dive deeper into this topic. But before we do, let’s review the fundamentals of the smart grid ecosystem.
What is a smart grid?
To understand the concept of a smart grid, it helps to think about what it replaces. The traditional grid is a network of transmission lines, substations and transformers that transmits electricity from a power plant to homes and businesses. The earliest grids were built as long ago as the 19th century.
Needless to say, technological advances have improved these networks over the decades. Still, there’s a limit to what can be achieved when the underlying structure is the same as it was more than a century ago.
The smart grid concept is different. It is not an incremental update on what has gone before. Instead, it is a new kind of grid – built from the bottom up on a digital foundation capable of automating key functions. The efficiency of the smart grid opens the way for a new era of economic and environmental progress.
At the heart of the smart grid is the smart meter. Its purpose is to measure real-time energy consumption and then send the data back to the supplier. In so doing the smart meter provides the end user with complete transparency. It also gives the provider a real-time view of demand and supply. With this information, it can manage its network more efficiently.
We can summarise the benefits of the smart grid as follows:
• Efficient transmission of power
• Better fault diagnosis – speedy restoration of the network after a failure
• Automation to reduce running costs
• Better management of peak demand
• Easier to integrate fluctuating renewable energy sources.
What is the status of the smart grid market?
The first smart grids emerged in the early 2000s. Many cite Italy’s Telegestore project as the first major commercial launch. Between 2001 and 2006, the supplier Enel connected more than 32 million customers to its digital distribution network.
But others soon followed. Today, according to a 2021 report by Berg Insight, France is the largest European market by volume with more than 35 million units installed. Overall, it estimates that around 49 percent of the electricity customers in the EU’s member states had a smart meter by 2021.
Berg says 133 million smart electricity meters will be deployed across the EU from 2021 to 2026. This will bring the penetration rate to 72 percent.
And the rest of the world? The analyst estimates that 68 per cent of all electricity meters in North America are now smart. It forecasts that 572.3 million smart electricity meters will be deployed in China, India, Japan and South Korea during 2021 to 2025.
Smart grid security: the vulnerabilities
As any computer user knows, the threat of a security breach rises when you go online. As soon as your device connects to a network, your risk goes up exponentially.
Naturally, this is also true for the smart grid. A network composed of millions of devices all taking to each other? That’s an invitation to bad actors to gain access to equipment or data.
And smart grids are especially vulnerable as the data they transmit is so sensitive. Cybercriminals understand the strategic importance of energy supply. They can threaten to disrupt the grid in order to extort a ransom. But it gets worse. There’s a real risk that terrorists will target smart grids not for financial gain, but to sabotage a country’s critical infrastructure.
Regrettably, there are many vulnerabilities to exploit. Meters might have factory default passwords. There could be flaws in data-sharing protocols. Edge devices might have limited bandwidth, memory and storage space, which can weaken security protection.
Some of the key vulnerabilities include:
• The vastness of the smart grid network makes it difficult to spot attacks quickly
• Smart meters are physical devices ‘in the field’. Hackers can get access to them fairly easily
• IT systems need to be regularly upgraded. Meters that go ‘out of date’ can be vulnerable to attack
• Hackers can spoof the data sent from one device to another in order to make the network behave erratically
• Using IP standards in smart grids makes them vulnerable to IP-based attacks such as IP spoofing, Denial of Service etc
• The many stakeholders involved in a smart grid increases the risk of insider attacks
• Private consumer data can reveal when a home might be vacant.
Why smart grid protection starts with identity
For all the fears around interception of data, the foundation of smart meter security lies with identity. In plain terms, every device needs to know it can trust every other device on the network. It must be confident that the meter belongs on the network, and has not been hijacked by an attacker.
But securing ‘things’ poses a different set of problems from securing devices owned by people. Humans can answer questions and enter authentication codes to prove their identities. Machines cannot. This makes it difficult to establish the true identity of a remote object.
So what’s the best strategy for making a device trustworthy without human intervention?
Experts say the ‘Identity of Things’ should be an integration of devices, services and data. It should verify across three locations: the device, the cloud servers and the communications channel between them.
This will ensure that the meter can prove it is a legitimate part of the network, that its data is verifiable, that it can only access specified data and data sources, and that it will no longer send or receive data once it is decommissioned.
Best practice for smart meter identity
Everything that’s smart about a smart meter arises from its communications module. This is the entry point for all usage data, tariff information, device management data and security upgrades. So it’s imperative the module has secure credentials and that they can be safely updated at scale and over time.
Crucially, the cybersecurity component in a module must be separate from the application part (the head-end system). But this can be challenging when there are multiple vendors and meter types in the system.
For this reason, modules must by supported by a trusted key manager (TKI) solution with best-in-class public key infrastructure.
Companies such as Thales now offer modules of this type. TKI-based smart meter leverage a cryptographic hardware security module (HSM) – which protects sensitive data. Manufacturers can use such solutions to generate unique credentials and diversified keys. Then, when the device leaves the factory, they can change the keys from ‘factory’ to ‘operational’. Thereafter the system can ensure that every device it connects to is authenticated.
Governments and standards bodies are playing their part too. They are passing legislation to ensure smart grid stakeholders adhere to stringent protection protocols for deployments. For example, the EU is working on a Cyber Resilience Act to mandate more secure hardware and software products. Meanwhile, the National Institute of Standards and Technology (NIST) has recommend a policy whereby encryption keys and certificates stored in connected devices should be renewed every five years or sooner.
The connectivity element: IoT SIMs
When a smart meter uses cellular connectivity its communications module is usually stored in a tamper-resistant Secure Element held on a SIM card.
For obvious reasons, telcos do not use traditional removable plastic SIM cards for smart devices. Instead, they have developed a dedicated eSIM form factor for industrial applications. This is a software-based product that lets providers switch remotely from one connectivity provider to another. This is particularly useful when there is a disruption on the network which prevents meters from sending consumption data to grid managers.
The migration to smart grids is now unstoppable. It will have a profound impact on the way that energy is produced and distributed. There’s no doubt that security is a concern for utility companies. But strong solutions are available. It’s now possible to give every meter a unique identity that is extremely difficult to hijack or spoof. As long as the many stakeholders in the market work together, there is every reason to be optimistic.