Smart Meters Security Testing

Smart Meter Overview

A Smart Meter is a small general-purpose computer, low-powered, low-capacity, bidirectionally connected to the Utility and designed to carry out a specific set of operations related to the power provided resources (power, water, gas, cooling, etc.):

measure the provided resource’s consumption and quality (e.g. active/reactive power),
control the resource provisioning (e.g. connect, disconnect, control the load),
detect events and send alarms to the Utility (e.g. tampering),
auto-update its software (firmware) to fix discovered defects or to add new functionality.

In the Power Industry, a Smart Meter is a key component of the Smart Grid (controls, computers, automation, and new technologies and equipment working together with the electrical grid to respond digitally to quickly changing electric demand). The Smart Grid can be considered part of the critical infrastructure of any Country.

Smart Meter Security Threats and Impacts

Like any other computer, a Smart Meter can be threatened by information security issues due to the various available interfaces and communication links. Since they may share the communication media with third parties and may rely on telecommunication networks that are not exclusively bound to smart meter communication, Smart Meters inherit also their threats.

Smart Meters (and the overall Smart Grid) can be threatened by cheating customer, utility insider, nation-state hackers or terrorists, generating financial, social and legal impacts (with severity proportional on how widespread the attack becomes) to the Utility, to the Consumers (private, public agencies, industries, hospitals, etc.) and to the overall nation (the Smart Grid is a national critical infrastructure). Examples of possible impacts are:

increase the resource’s price due to higher peak usage,
wrong resource planning due under-reporting or over-reporting of usage,
poor customer services due to potential loss of outage information,
instability of the bulk grid and widespread outages,
extra costs to fix the Smart Meters’ damage, manipulation, theft,
not billed revenues due to thefts and frauds,
compromising the bulk grid security due to data corruption or modification,
violation of Consumer’s privacy.

Why Smart Meters Security Testing

Since the Smart Meters are crucial key assets for the Utilities, are part of critical infrastructures of any Country (Smart Grid), and can be threatened by information security issues, the Smart Meters specifications and implementations shall follow the core principles of the Information Security.

Accordingly to that principle, the Utilities should define specific security requirements for the Smart Meters they intend to introduce into the Smart Grid and those security requirements should cover all the Smart Meters life-cycle phases including the production, the acquisition, the roll-out and the decommissioning.

Utilities should assure at the contract level that Meter Vendors respect those security requirements and should execute security tests of acquired Smart Meters in order to verify the compliance with those security requirements. Smart Meters Security Test should be executed before the roll-out, before update the Smart Meters firmware and periodically.

What Our Smart Meter Security Testing Services Includes

Our Smart Meters Security Testing Services includes:

black-box testing (penetration testing) and white-box testing using all the available communication ports (e.g. GPRS, PLC, RS485, Optical, Ethernet, etc.)
firmware integrity check
static analysis (firmware code inspection)
compliance with specific international security standards as ISO 27019 and NISTIR 7628

Author

Andrea Desantis, 30+ years of experience in Systems Engineering and Information Security management and consulting, especially in the Energy&Utility and Telecommunications industries. Expert in AI (Machine Learning and Deep Learning) algorithms and systems applied to the Energy&Utility industry ( e.g. Predictive Maintenance), Information Security Governance, and Application Security.