skip to Main Content
Smart Meter Security Testing

Smart Meter Security Testing

Smart Meter Security Testing is necessary because they are critical components of national critical infrastructures (Smart Grid, Water Distribution Networks, Gas Distribution Networks, and so on). Smart Meter can be impacted by security vulnerabilities that can be exploited by threats and attackers, potentially resulting in serious social consequences as well as financial, legal, and reputational consequences for Utilities. Unfortunately, many utilities place too much trust in smart meter vendors, assume that smart meters are secure, or would rather not get involved in this matter. This article discusses some of the potential threats to smart meters, their consequences, and the security programs and controls that utilities should implement.

Keywords: Smart Meter, Security, Privacy, Security Testing, Firmware Analysis.

This article is also available on my LinkedIn profile, which you can find here.

 

Smart Meter Overview

A smart meter is a small general-purpose computer that is low-powered and low-capacity, is bidirectionally connected to the Utility and is designed to perform a specific set of operations related to the power provided resources (power, water, gas, cooling, and so on):

  • Measure the consumption and quality of the provided resource (e.g. active/reactive power).
  • Control the distribution of resources (e.g. connect, disconnect, control the load).
  • Detect events and notify the Utility (e.g. tampering).
  • Auto-update its software (firmware) to correct discovered flaws or add new features.

A smart meter is a key component of the Smart Grid in the power industry, where control systems, computers, automation systems, and new technologies and equipment collaborate with the electrical grid to respond digitally to rapidly changing electric demand. The Smart Grid can then be considered part of any country’s critical infrastructure.

Smart Meter Security Threats and Impacts

Because of the various and available interfaces and communication links, a smart meter, like any other computer (embedded systems), can be threatened by cybersecurity issues [3]. Smart meters inherit their threats because they may share communication media with third parties and rely on telecommunication networks that are not exclusively dedicated to smart meter communication.

Smart meters (and the overall Smart Grid) can be threatened by a dishonest customer, a utility insider, a nation-state hacker, or a terrorist, resulting in financial, social, and legal consequences (with severity proportional to how widespread the attack becomes) for the Utility, the Consumers (private, public agencies, industries, hospitals, and so on), and the nation as a whole (the Smart Grid is a national critical infrastructure). Here are some examples of potential consequences:

  • Increase the price of the resource as a result of increased peak usage.
  • Incorrect resource planning as a result of under-reporting or over-reporting of usage.
  • Poor Customer Service as a result of the possible loss of outage information.
  • Instability of the bulk grid and widespread outages.
  • Additional costs for repairing smart meter damage, tampering, and theft.
  • Not billed revenues due to thefts and frauds.
  • Compromising bulk grid security as a result of data corruption or modification.
  • Violation of Customer’s privacy.Fi
Smart Meter Security Testing

Why Smart Meters Security Testing

Because smart meters are critical key assets for Utilities, are part of critical infrastructures in any country (Smart Grid), and can be threatened by information security issues, the specifications and implementations of smart meters must adhere to the core principles of cybersecurity.

According to that principle, Utilities should define specific security requirements for the smart meters they intend to introduce into the Smart Grid, and those security requirements should cover all phases of the smart meter’s life cycle, including production, acquisition, roll-out, and decommissioning.

Utilities should ensure that meter vendors respect those security requirements at the contract level, and they should conduct security tests on acquired smart meters to verify compliance with those security requirements. Smart Meters Security Tests should be performed prior to roll-out, before updating the smart meters’ firmware, and on a regular basis.

What Smart Meter Security Testing Should Includes

Smart Meters Security Testing should include:

  • Black-box testing (penetration testing) and white-box testing exploiting all the available communication ports (e.g. GPRS, PLC, RS485, Optical, Ethernet, etc.).
  • Firmware Security Testing (binary analysis, static analysis, software composition analysis, and integrity check).
  • Compliance check with specific international security standards as ISO 27019 [1] and NISTIR 7628 [2].

Conclusions

Smart Meters are key components of national critical infrastructures (Smart Grid, Water Distribution Networks, Gas Distribution Networks, and so on). They can be impacted by security vulnerabilities that can be exploited by threats and attackers, potentially resulting in serious social consequences as well as financial, legal, and reputational consequences for Utilities. Unfortunately, many utilities place too much trust in smart meter vendors, assume that smart meters are secure, or would rather not get involved in this matter. Utilities should define and ensure that meter vendors respect security requirements and they should conduct security tests on acquired smart meters to verify compliance with those security requirements. Smart Meters Security Tests should be performed prior to roll-out, before updating the smart meters’ firmware, and on a regular basis.

References

[1] ISO/IEC 27019:2017 – Information technology — Security techniques — Information security controls for the energy utility industry.
[2] NISTIR 7628 Rev. 1 – Guidelines for Smart Grid Cybersecurity.
[3] Embedded Systems Security, Andrea Desantis, 2020.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published.

Search