How to address the cybersecurity risks posed by smart meters

Despite the critical role of smart meters in the smart grid, the tech has shown to be a favourite target for bad actors. Jose Sanchez, senior director of product management, IoT connectivity & services at Telit Cinterion, writes on their vulnerabilities, consequences and best practices for smart meter security.

Every aspect of society continues to become more connected thanks to the proliferation of Internet of Things (IoT)-powered devices, sensors and cameras – and utilities are no exception. A report from Berg Insights reveals that toward the end of 2023, there were over 186 million smart electricity meters across Europe.

These smart meters play an important role in the smart grid, enabling utilities and smart grid managers to provide consumers with real-time energy consumption data and transparent billing while delivering instantaneous meter readings to energy providers.

Unfortunately, smart grids – specifically smart meters – have shown to be the favorite targets for cybercriminals and hacker groups. Today, bad actors go after critical infrastructure, with recent examples being the hacker group KillNet taking down Lithuania’s power grid via DDoS strikes. Other notable incidents include the Colonial Oil Pipeline attack, the Israeli water system attack and the Triton malware attack.

According to researchers from Oregon State University College of Engineering, smart meters are ideal targets for hackers because they provide a means for these malicious actors to gain access and destabilize the power transmission grid. Indeed, cyberattacks against critical infrastructure, in general, are on the rise globally. Research from the International Energy Agency (IEA) indicates a rapid growth in cyberattacks against the energy sector since 2018, including gas, water and especially power utilities.

Smart meter vulnerabilities and the consequences

The attack vectors of smart meters are varied but usually involve physical or remote access to the device through a remote or local interface. Vulnerabilities exist in the software components of the smart meter, including the firmware, network interfaces, Application Programming Interfaces (APIs) or utility applications.

There can also be weak spots in the hardware architecture that hackers can exploit. Another weakness that cybercriminals target is the communication link between the meter and the Head-End System (HES). In many cases, the hacker will use a network interface to remotely access metrology data stored in the smart meter and then steal that data or modify it on its path to the HES.

The damage done by these attacks against smart meters can be particularly devastating, mainly because critical infrastructure is being affected. For starters, meter-related functions, such as metrology data, tariff management and remote enablement, can stop working. Hackers can also steal personal user data from smart meters to sell on the dark web.

Moreover, these attacks can snowball, having a chain reaction that brings down critical utility system components or even causes physical damage to people and properties. For example, cybercriminals can hack advanced metering infrastructure to attempt to control smart meter switches by altering the data or inserting false control data to cause load oscillations.

If demand gets too high, power grid components will automatically shut off, causing the load to get passed to other parts of the grid network, culminating in a blackout. Such cases would jeopardize civilian safety, spoil food, damage IT systems, disrupt business productivity and endanger hospitalized individuals.

Have you read?
New smart EV charging algorithm to optimise meter data transfer
Utilities saw cyberattacks spike this year. Can they stay safe?

Best practices smart meter security practices

In light of these evolving and intensifying threats, all actors in the smart grid ecosystem, from the utilities to the smart meter manufacturers, must implement processes and follow best security practices to ensure continuous monitoring of security threats and the safety of smart metering operations.

In particular, the actors in this ecosystem must leverage a strategy that considers technology, processes and people, as well as their roles throughout the lifetime of a product or service. Of course, there is no such thing as 100% security; in fact, the proper mindset is understanding that a security breach is not a matter of it but when.

Actors in the ecosystem should also habitually conduct security assessments and audits to identify problematic areas. Likewise, utilities must ensure the data from smart meters within their domain is secure.

Smart meter manufacturers, specifically, should incorporate security-by-design principles to reduce cybersecurity risks. They also need to recognize that because a smart meter deployment can last between 10 to 15 years, security should not stagnate but adapt throughout the device’s entire lifecycle.

Manufacturers can ensure their modules are secure throughout this time by delivering firmware updates that address performance, stability and network configuration. These updates should likewise address the latest security threats.

However, managing devices at scale is nearly impossible when deployments reach the tens of thousands. Thankfully, with embedded SIM cards or eSIM, manufacturers can leverage remote SIM provisioning to keep their devices’ firmware and security up-to-date.

Additionally, it is pivotal that smart meter manufacturers determine who can activate or deactivate connectivity configurations.

Another key element in the fight for security is artificial intelligence (AI). While it is unclear how exactly AI will affect smart meters, the one thing for certain is that both bad actors and utilities have access to AI to improve schemes and countermeasures alike.

For example, utilities can leverage AI to continuously analyze supply chain processes for vulnerabilities in a way that humans could not emulate. Likewise, utilities can use AI to spot patterns indicating a cybersecurity breach in smart meter infrastructure much faster than most humans.  

Emerging regulations to be aware of  

As the cybersecurity landscape evolves and hackers become more sophisticated, regulators continue to roll out new standards to keep pace. Because smart meters are considered critical infrastructure, regulators are keen to enforce these new standards through fines and penalties for those failing to comply. Utilities and smart meter manufacturers and vendors are responsible for complying with these evolving regulations.

In the EU, players in the smart meter ecosystem should be familiar with the Common Criteria standard ISO15408 adopted by the EU in the European Cybersecurity Certification Scheme or EUCC scheme on Common Criteria, along with the IEC 62443, which is essential to comply with the NIS directive in Europe.

Another notable development is the imminent Cyber Resilience Act (CRA), which will be fully phased in by 2026. The CRA will apply to various software and connected IoT devices sold within the EU. The ESMIG, the European Association of Smart Energy Solution Providers, is also relevant as it is an organization that represents and advocates for companies that develop and provide smart energy solutions.

The regulations by the EU’s Radio Equipment Directive, such as enhanced network protection, personal data privacy measures and anti-fraud strategies, will also be pertinent to those manufacturers of wireless devices.

Although there is a movement toward a harmonized set of standards (in the EU, at least) that clarify the responsibilities of the different actors within the smart grid ecosystem, navigating these standards can be challenging. To ensure compliance, utilities and smart meter manufacturers should consider working with a trusted IoT partner.

How a trusted IoT partner can help

When looking for an IoT partner, search for one that is more than just a module supplier. The module is crucial but isn’t the only part of the smart meter targeted by hackers. Ideally, a partner should be an end-to-end IoT system enabler providing services, solutions and connectivity in addition to hardware that abides by secure-by-design principles.

Furthermore, a quality partner will be committed to lifecycle support, helping ensure smart meters remain protected against changing threats and compliant with emerging regulations.

Unfortunately, many often forget how vital lifecycle management is for smart meters, applying a flawed set-it-and-forget-it approach to these devices. An experienced supplier should understand that the threat landscape (and, by extension, the regulatory landscape) is always changing and will deliver services and support throughout a deployment’s lifetime.