cyber risks
Image credit: Stock

With large scale smart grid deployments around the world, newly created ecosystems encompass a multitude of vulnerable connected devices, stakeholders and services.

Their success will depend on their ability to communicate effectively; sharing valuable, sensitive data in real-time to better manage the way we consume, produce and exchange
electricity. However, the smart grid highly integrated communities bring with them a vast attack surface for cyber criminals.

This article was originally published in Smart Energy International 5-2018.  You have access to our digital magazine here. 

Their success will depend on their ability to communicate effectively; sharing valuable, sensitive data in real-time to better manage the way we consume, produce and exchange electricity. However, the smart grid highly integrated communities bring with them a vast attack surface for cyber criminals.

In reaping the benefits of the IoT, it is therefore vital that all stakeholders recognise their responsibilities in implementing end-to-end security solutions, which can evolve and adapt over long lifecycles.

Every connected device creates a new vulnerability As consumers are evolving into ‘prosumers’, the real-time exchange of consumption and generation data into the smart grid is providing distributors with unprecedented levels of responsiveness to balance our ever-growing need for electricity.

But every device deployed within these networks creates a new vulnerability and incentives for hackers are clear. Threats include those seeking to access and manipulate consumption data to reduce bills or even plan burglaries by identifying when householders are away. Large databases of personal information also represent an attractive target for ID theft.

At the other end of the scale, cyber crime can affect critical national infrastructures relying upon uninterrupted power.

A vast and complex security challenge The sheer size of the security challenge should not be underestimated. By 2022 an estimated 872 million smart meters will have been installed. At one end of the ecosystem is an increasingly diverse array of energy generators; at the other the fastgrowing number of meters that provide householder identification and real time consumption data. Between the two lie the DSOs, receiving information from meters via data concentrators and converting this into actionable business intelligence through the HES (Head End Systems).

The buck stops with the DSO In terms of achieving comprehensive security, all stakeholders bear important responsibilities. But there’s no doubt that the buck ultimately stops with the DSOs. In simple terms, they have four critical issues to address. To start with, every single device within a smart grid must be able to prove its identity to the recipient of the data transmitted; this strong authentication is critical to establish trust throughout the network. In addition, confidentiality of any data exchanged between devices and applications must be guaranteed. At rest or in transit, the data must be encrypted, so that it is of no value in the event of unauthorised interception. Finally, any security strategy must reflect the fact that, over the network’s lifetime, numerous updates will need to be accommodated to keep secure infrastructures in place.

Leveraging the benefits of proven solutions DSOs need to adopt solutions based on proven principles and technologies. Specifically, that means Public Key Infrastructure (KPI) based systems, with digital ‘keys’ and authentication certificates exchanged between authorised devices. Digital keys should be embedded in all smart meters during the manufacturing process. As well as providing a basis to identify genuine devices throughout the network, these keys facilitate tamper-proof data transmission between trusted elements within the network; only devices equipped with the appropriate key sets can encrypt/decrypt information.

Integrated within a DSO’s back-end system, expert security solutions seamlessly provision keys at the outset; remotely authenticate and activate credentials in the field; and support over-the-air management, enabling secure updates and revocation of keys, as required.

This is crucial as assets will be in the field for long periods over which new players will join, and security protocols and regulatory demands will inevitably evolve.

The main challenge for the utility sector lies in translating the appreciation of the risks into effective security strategies. In the race to market, DSOs must resist any temptation to cut corners. Security needs to be built into every link in the chain, from the outset and throughout the lifecycle. Such measures should be treated as essential insurance against the profound – and potentially catastrophic – implications of any successful cyber attack on a nation’s energy infrastructure.

ABOUT THE AUTHOR

Francis D’Souza is the vice president for IoT Services at Gemalto, where he is responsible for building out the worldwide IoT services business. His team’s work revolves around enabling a trusted and scalable IoT ecosystem with out-of-the-box, cost effective, yet, secure IoT services. www.gemalto.com/iot/iot-security