By Pascal Sitbon, Ludovic Pietre-Cambacedes and Gaizka Alberdi
A metering system is a central part of an electric grid. In addition to measuring the electricity consumption, its role is to deliver electricity to end users, including critical ones like hospitals or emergency services. It handles and processes sensitive commercial and technical data, such as nominative information and consumption data, or remote control meter commands such as electric power modification.
EDF (Electricité de France) Distribution Operator is currently identifying requirements for its pilot of 300,000 smart metering points for its domestic users in order to prepare a potential general deployment in France. The system would enable a wide range of new services for the consumer and new capabilities for power utilities.
Relying more and more on information technologies, the metering world is changing dramatically, implying a clear need for a global approach to cyber security. The challenge is to balance the cost/benefit ratio, taking into account the specifics of metering and the whole spectrum of the associated risks. In this equation, the sheer number of meters, distributed on a wide national scale, has to be underlined: each euro spent is multiplied by dozens of millions. The long lifespan of such systems, typically 20 years, is another consideration, especially for risk characterisation and security level continuity.
The metering system is very complex and consists of a lot of different players (solution providers, integrators, public regulators, meter builders, etc.). Complexity is an anathema for security: it usually takes too long and costs too much money to protect complex systems. The cost/benefit ratio is consequently harder to balance and achieve. Last but not least, potential attackers can easily access metering systems because these systems are widely distributed across the country, creating many targets.
THE RISK MANAGEMENT
The security process aims at managing risks in accordance with the company’s objectives. Critical assets and operations need to be protected with proportional, coherent, and verifiable measures, thus preserving the cost/benefit ratio. Security could (and should) add a real value, like trust or assurance, to the stakeholders.
Of course, security is not a “yes” or “no” state. Security levels are continuous and rarely stable in time. Without a proactive approach, the security level will decrease rapidly during the lifetime of the system.
Products and technologies alone cannot solve security problems. They can only provide security when used efficiently, through consistent and thoroughly defined processes. Two of these processes are:
- Business continuity planning process, which defines how to recover after a disruption or disaster and restore the critical functions in order to keep the business going on, and
- Incident management process, which describes how to log, record, and resolve security incidents, including legal aspects and evidence management. It is certain that there will be security incidents, but we just don’t know when they will appear. How such incidents will be handled must be anticipated.
System design phases should cover technical and functional aspects, but also non-technical ones from the start, including people (e.g. responsibilities or organisational issues) and process dimensions.
New technologies come with new risks. Attackers are creative people; they are constantly finding new ways to abuse the system. Moreover, as already stated, because of the generally easy access to the meters, part of the system to provide security is located in the potential attackers’ hands, making the global hardening more complicated.
The threat spectrum is broad, from fraud and competitors to cyber terrorism. Malicious actions, like remote shutdown of numerous meters, could lead to an economic disturbance, distrust within the society, and even safety issues. The risks can be roughly classified as:
- Classical cheaters, who are more concerned with lowering the bill and stealing money (modify consumption indexes, tariffs). There are no damages to the system apart from financial ones (easy physical access)
- Organised crime, targeting consumption data to alter or sell. These kinds of threat agents could also try to distribute or sell “cheat boxes” on the Internet in order to automate fraud. The automatic collection of consumption profiles of many users or particular users (e.g. VIPs) could be interesting for organised crime
- Cyber terrorism that could lead to major impacts on the electric distribution network and disrupt electrical power to strategic areas – impacting the economy and compromising safety.
These threats cannot be avoided, but the risks can be reduced to an acceptable level. The approach used in EDF is based on well-known best practices, like Common Criteria (ISO 15408) and EBIOS (a method for risk management developed by DCSSI). These include:
- Statement of security needs (according to the context), metering processes, and stakes
- Threat and risk analysis
- Security objective definitions, according to the threats and assumptions. These objectives form the security policy of the automated metering system.
To reduce these risks, a three-step approach is adopted (Figure 1):
- First step: Start by focusing on critical assets that would need protection, considering the whole context: business, regulation rules, and solutions providers.
- Second step: Threats to the identified assets are characterised before performing a risk analysis: the probability (likelihood of the risk) and impact (consequence if the risk occurs) of attacks are evaluated to define risk levels. The acceptable level of risk is stated.
- Third step: State the security objectives without specifying the technical solutions. These objectives form the long term security policy.
EXAMPLES OF HIGH LEVEL SECURITY OBJECTIVES
In order to illustrate the methodology, two macroscopic security objectives have been identified for EDF future smart meters:
- Protection of critical orders (authenticity, integrity and nonrepudiability). Critical orders, such as changing the electrical power subscription or targeted curtailment, should definitely be secured using strong security mechanisms (with regard to the identified threats and attack scenarios):
- to authenticate the sender,
- to verify that there is no unwanted modification, and
- to make the sender take responsibility for his actions.
- “Evolutivity”. Keeping in mind that the metering system components will need to be upgraded during their long life, the ability to upgrade these components’ firmware, software, or application has to be an essential and inherent feature of the system. Besides, new security functionalities could also become useful in the future, so the upgrade could be used to integrate those new functionalities. This upgrade process itself should be secured.
The security objectives must not depend on technology. For example, if classical telecoms lines are used instead of mobile phone communications or any other wide area network technologies for technical reasons, security objectives should stay the same. If the data is confidential when transmitted through lines, it is still the case when transmitted over other media.
Those objectives have to be stated clearly, even if there is no good technological answer to fulfil them today. Long term objectives have to be addressed: a new technology or product could appear in a short time and be the answer to our needs. Only the security objectives and acceptable level of risks are stated. The technical requirements and solutions to achieve EDF’s security policy are handled by the solution providers. In the fulfilment of security objectives, one should never forget that the security chain is only as secure as the weakest link.
Each link has to be taken into account, including operators performing actions on the information system, local and wide area networks, meters, etc. (Figure 2). Hardening measures can play on different levels, including technical, human (education, training, and awareness), and procedural levels. In fact, none of these dimensions should be forgotten.
All components are included, from smart meters to the metering information system, including the network communications. All players, from constructors to public regulators, have an important role to play for the supply chain involvement in metering systems’ cyber security.
Security objectives should be clearly stated, without specifying any technical solutions, in order to protect critical assets against thoroughly identified risks. Options should be kept open to leave room for future potential evolutions. Management support is essential through the whole process. All this work has to be done before the metering system design. More generally, all metering players, utilities, regulators, solution providers, manufacturers, and integrators, will have to be involved in a global security approach, allowing experience and knowledge sharing. The earlier this is done, the better.