With large-scale deployments being planned and implemented around the world, the smart grid is swiftly taking the much-hyped IoT into the heart of millions of homes. For consumers, the most visible evidence of this revolution comes in the form of the smart meter. But the implications go far deeper than mere replacement of outdated, manually-read energy counters. Completely new ecosystems are being created, encompassing not just a multitude of devices, but also a host of different stakeholders.
Crucially, success will depend on their ability to communicate effectively, sharing vital, valuable and sensitive data in real time over an array of wireless networks. However, the highly integrated communities of the smart grid bring with them a new set of risks. Specifically, they offer cyber-criminals a vast attack surface, along with the enticing prospect of accessing private information and disrupting critical national infrastructures. In reaping the benefits of the IoT, it is therefore vital that all stakeholders recognize their responsibilities in implementing genuinely end-to-end security solutions, which can evolve and adapt over lifecycles that will extend many years into the future.
New platforms for a carbon-free future
Traditional energy markets are being transformed. Consumers are evolving into ‘prosumers’, investing in renewable micro-generation technologies not just to meet their own needs, but also to sell back into the grid. Moreover, the real-time exchange of accurate consumption and generation data enabled by the smart grid is providing distributors with unprecedented levels of responsiveness and dynamism. As a result, they are at last equipped to balance our ever-growing need for energy with the clean, green but less predictable sources such as solar and wind that will ultimately end our reliance on fossil fuels.
Every device creates a new vulnerability
But every device deployed within these vast networks creates a new vulnerability. What’s more, the incentives for hackers are clear. Any large database of personal information represents an attractive target for ID theft; other potential threats include those seeking to manipulate consumption data to reduce bills, or even plan burglaries by using the information to identify when householders are away. At the other end of the scale, cyber-crime is effectively becoming an extension of some countries’ foreign policy, underlining the need to protect power infrastructures from the most sophisticated forms of attack.
A vast and complex security challenge
The sheer size of the security challenge should not be underestimated. With roll-out underway across Europe, the Americas, Asia and Africa, by 2022 an estimated 872 million smart meters will have been installed. Furthermore, the supply chain is becoming far more complex. Effectively, this new Advanced Metering Infrastructure (AMI) represents a three-layer network. At one end is an increasingly diverse array of energy generators, at the other the fast-growing population of smart meters that provide householder identification and accurate real-time consumption data. Between the two lie the DSOs (Distribution Systems Operators), receiving information from meters via data concentrators and converting this into actionable business intelligence through their backend systems, or HES (Head End Systems).
The buck stops with the DSO
In terms of achieving comprehensive security, all stakeholders bear important responsibilities. But there’s no doubt that the buck ultimately stops with the DSOs. In simple terms, they have four critical issues to address. To start with, every single device within a smart grid must be able to prove its identity to the recipient of the data being transmitted; this strong authentication is critical to establish trust throughout the network. In addition, confidentiality of any data exchanged between devices must be guaranteed. Whilst in transit, the data must be encrypted, so that it is of no value in the event of unauthorized interception. Finally, any security strategy must reflect the fact that, over the network’s lifetime, numerous changes will need to be accommodated.
Compelling answers can be found in other sectors
It’s a challenge very similar to those faced by sectors such as eCommerce and mobile comms, and the DSOs need to adopt solutions based on the same, proven principles and technologies employed in these ecosystems. Specifically, that means PKI (Public Key Infrastructure)-based systems, with digital ‘keys’ and certificates issued and exchanged between authorized devices. In the context of the smart grid, DSOs must ensure that digital keys are embedded in all smart meters during the manufacturing process. As well as providing a basis to identify genuine devices throughout the network, the presence of these keys facilitates secure data transmission between trusted elements within the network; only devices equipped with the appropriate key sets can encrypt/decrypt information.
Leveraging the benefits of proven solutions
It’s an approach supported by solutions such as Gemalto’s dedicated end-to-end security for utilities. Winner of a 2018 IoT Global Award, this leading-edge offer has already been employed in large-scale smart grid applications by industry leaders including Sagemcom. Integrated within a DSO’s HSM, the system seamlessly provisions keys at the time of smart meter manufacture, remotely authenticates and activates credentials in the field, and supports over-the-air management, enabling secure updates and revocation of keys, as and when required. The latter is a particularly significant consideration for smart grid deployments. Assets will be in the field for an extended period; new players will join, and security protocols and regulatory demands will inevitably evolve.
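The device-identity and revocation checks described in the two sections above, as an added Go example (not Gemalto's product code or any DSO's implementation): a head-end accepts a meter reading only if the meter's certificate chains to the DSO's root, its serial is not revoked, and the reading is signed by the certified key. The in-memory CA, the Ed25519 keys, the function names `issue`, `accept` and `demo`, the meter ID and the serial-number revocation map are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and its certificate, signed by parent (nil parent: self-signed root).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0)}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accept is the head-end check: the certificate chains to the DSO root, its serial
// is not revoked, and the reading carries a valid signature from the certified key.
func accept(roots *x509.CertPool, revoked map[string]bool, c *x509.Certificate, msg, sig []byte) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := c.PublicKey.(ed25519.PublicKey)
	return err == nil && !revoked[c.SerialNumber.String()] && ok && ed25519.Verify(pub, msg, sig)
}

// demo runs four constructed cases; all names, serials and readings are made up.
func demo() (genuine, counterfeit, tampered, revoked bool) {
	ca, caKey := issue("Constructed DSO CA", 1, nil, nil)
	meter, mKey := issue("meter-0001", 100, ca, caKey) // provisioned at manufacture
	fake, fKey := issue("meter-0001", 100, nil, nil)   // self-signed look-alike
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	msg, altered := []byte("meter-0001;kWh=1234.5"), []byte("meter-0001;kWh=1.0")
	sig := ed25519.Sign(mKey, msg)
	return accept(roots, nil, meter, msg, sig), accept(roots, nil, fake, msg, ed25519.Sign(fKey, msg)),
		accept(roots, nil, meter, altered, sig), accept(roots, map[string]bool{"100": true}, meter, msg, sig)
}

func main() { fmt.Println(demo()) } // true false false false
```

Each rejected case isolates one check: the look-alike has a valid signature but no chain to the root, the altered reading has a valid chain but a mismatched signature, and the revoked meter passes both yet is refused by serial.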
A vital investment in the nation’s energy infrastructure
Addressing the question of regulation is another important priority. In both North America and Europe, authorities have been quick to recognize the potential vulnerabilities of the smart grid. In the US, for example, the National Institute of Standards and Technology (NIST) insists that keys are renewed at least every five years. In the EU, stakeholders must be mindful of similar initiatives by the Federal Office for Information Security in Germany (BSI), as well as the requirements of the General Data Protection Regulation (GDPR) and European Programme for Critical Infrastructure Protection (EPCIP). Fortunately, in terms of the wider IoT revolution, the utility sector is one of the most advanced in terms of security awareness. The main challenge therefore lies in translating this appreciation of the risks into effective strategies. Above all else, in the race to market, DSOs must resist any temptation to cut corners. Security needs to be built into every link in the chain, from the outset and throughout the lifecycle. Far from being a luxury, such measures can and should be treated as essential insurance against the profound – and potentially catastrophic – implications of any successful cyber-attack on a nation’s energy infrastructure.
By Sherry Zameer – Senior Vice President Internet of Things Solutions, CIS, Middle East and Africa region, Gemalto