Grid lock: cybersecurity for smart meters
Smart meters will revolutionize the way we use and pay for our energy, but they can also be a back door for malicious hackers.
Willem Strabbing, Managing Director of ESMIG (the European smart energy solution providers) - the body representing European metering companies - shares his views on the steps being taken to secure the smart grid.
Let's start.
What is ESMIG doing to encourage cybersecurity best practices among its members?
"The Security and Privacy Group of ESMIG has defined a common set of security requirements for smart meters, based on the requirements found in EU member states. The meters produced by ESMIG members comply with these requirements. Currently, we are defining a security certification approach using common requirements as a starting point.
The next step will be for pilots to certify meters produced by ESMIG. This process will not only lead to more security-focused development and operation but also more trust in the product."
Can you tell us about any new standards or legislation introduced to boost security in the smart grid?
"ESMIG is reviewing and commenting on new regulations for data protection and cybersecurity. The Cyber Security Act is explicitly demanding the development and implementation of European certification approaches to prevent further fragmentation.
At this moment, there are already four different certification processes in place for smart meters.
The meter data collectors are obliged to perform a data protection impact assessment to clarify what data they are collecting, for what purpose, and how they protect this data against risks such as loss, modification, and illegal access."
There are always risks when introducing new technology. Why are smart meters so much better than what we already have?
"The reasons for introducing smart meters are multiple. In the first place, the digitalization of technology leads to new meters when they are replaced.
The replacement of meters has been accelerated because the energy systems' transition requires more functionalities in meters. For example, the introduction of multiple and dynamic energy tariffs in meters enables demand response: the price of energy consumption can increase when there is a lack of energy generation.
This lack can occur because we shift to natural, sustainable resources such as solar and wind power. Furthermore, smart meters provide near real-time data to consumers, so display functions (in-home display or smartphone apps, for example) can give consumers detailed insight into their energy consumption and generation."
What would you say to consumers who are concerned about the potential privacy issues that smart meters raise? For instance, those who worry that their data could be sold or exposed to the external world and used to build up individual profiles of their behavior.
"In general, the digitalization of consumer products introduces new risks regarding access to personal data. That is why the European Commission introduced the new legislation (mentioned above) to protect consumers' privacy.
Since smart metering is a regulated business, there is much stronger government supervision of this process than of commercial infrastructure-related services such as phone, TV, and internet. Meter data cannot be exchanged with third parties (beyond the consumer and meter data collector) without explicit and documented consent from the consumer."
Are smart grid managers aware of cybersecurity best practices to fight against hacking threats or private data theft?
"Cybersecurity is a new topic for the traditional utility business, introduced because of the digitalization of the grid. We see that these utilities are aware of the new risks and exchange best practices to mitigate those risks.
New organizations have been created for sharing information regarding security breaches and the possible countermeasures to be taken, so it is a process under development.
Either way, when awareness and best practices to deal with vulnerabilities are in place, there is still no guarantee that the system cannot be compromised. So, ensuring that infrastructure is continuously monitored for potential security breaches is a critical, new process that needs to be put in place."