In recent years smart meters have soared in popularity, alongside other connected devices such as vehicle charging points. However, this has all happened against a backdrop of an energy and cost of living crisis, and energy generators, distributors and suppliers are struggling to maintain visibility of the threat landscape across sprawling ecosystems.
Indeed, the energy industry is under huge pressure to generate and distribute energy in more agile ways to meet growing consumer demands – but this task has been made incredibly challenging due to increased complexity in generation, distribution, and storage systems and the need to introduce dependencies between them.
As energy companies try to manage future supply and demand, they will be increasingly reliant on interconnectivity and information sharing between several suppliers, operator, and systems – but they need to be sure that data moving between these subsystems is secure and trusted.
Here, we look at how increased connectivity could compromise energy suppliers’ operational technology, and what action that needs to be taken to secure the sector….
The rise of connected technology
Smart meters are changing the way we live, as well as the way companies supply and price energy. The insights they generate are helping end-users to make more informed decisions, which has become vital in the current cost of living crisis. Meanwhile, utilities and smart grid managers are also able to use data from smart meters to make better decisions around energy demand, the best energy mix, and when to scale services.
In 2021 alone, 3.6 million smart meters were installed in domestic properties, as people try to take control over their energy consumption and limit their impact on the environment. By 2030, the European Commission predicts that 266 million smart meters will be installed, reinforcing the scale of the transformation that is underway.
Ultimately, energy companies must embrace this wave of digital transformation (and the associated use of connected technology) to build the future that consumers want and expect.
Tony Burton is Managing Director for Cyber Security & Trust at Thales.
The risk of connected technology
Despite carrying huge benefits, connected technology such as smart meters, smart charging infrastructure and smart grid operational technology components pose significant security risks. Indeed, smart meters are all in constant ‘conversation’ with each other and with network managers, which is an opportunity for threat actors to attempt to gain access to equipment or data.
Much is made of ‘air gapped’ protection of smart meters, for example, but there are many ways to generate impacts with or without bridging the gap. Remote access to infrastructure is essential, but it is a double-edged sword. There are risks of hackers overriding individual smart meters and/or charging infrastructure points which may make it appear as though demand was increasing or decreasing simultaneously. If one were compromised then that may be a minor issue but if this were to scale then this could lead to energy companies making decisions around supply based on false information. And, in the most extreme circumstances, misinformation could lead to large-scale power outages through over or under capacity.
With energy companies going through a period of significant turbulence and digital transformation, cybercriminals will be looking for any potential vulnerabilities, and they could decide to strike smart meters. So, suppliers must ensure sufficient protection and resilience is built in to all of the interconnected and interdependent devices to ensure they are only sharing the trusted and accurate data they should be sharing.
After all, successful attacks don’t have to be destructive to be disruptive. ‘Poisoning the well’ with false data can have a significant effect in the real world and have consequences every bit as damaging as encryption of data for ransoms or the disruption of control systems.
Challenges of securing the smart grid
It’s imperative that the smart grid is secured, however there are several challenges and obstacles in the way. First there is the evolving threat landscape: cyber threats are constantly changing, adapting, and getting more sophisticated, so it’s never safe to assume that anything is secure today, even if it were deemed secure yesterday.
These risks are – of course – heightened when there are multiple attack vectors, for example the connected meter, the source of the data going to grid managers, the transfer of data itself and individual users. There are no boundaries, and no limits to the number of endpoints. The changes are completely dynamic as devices are added and removed from the infrastructure.
Another consideration is regulation. There are currently multiple cybersecurity initiatives in Europe which bring with them a level of confusion. The need for harmonization is important and organizations such as ESMIG are critical to create unity by bringing key players together to discuss and make collective progress.
And finally, it is often the case that there are combinations of legacy and new equipment that have been brought together over many years through an evolutionary process. Unfortunately, the configuration management and understanding of exactly what and how these systems work is not always documented or consistent.
How to protect the smart grid
The first step for energy companies is to understand exactly what they have, how it is configured and how it may be compromised by the entry and propagation of malware or its effects through the system. This also implies a level of understanding of the threat the sector and the organization is facing.
The prioritization of risk mitigation activity is then essential to begin to align the risk profile to the risk appetite of the organization. There is no such thing as a 100% secure system and so this judgement must be made from an informed position that will evolve with the systems and the threat to provide a level of continued assurance.
Over time, organizations must move away from retrofitting and seek to implement a ‘secure by design’ philosophy. If security hasn’t been built in from the start it can be hard (but not impossible) to address vulnerabilities. This is true for all systems but when considering the complex interconnected and interdependent system of systems that already exist in the energy sector, the principles of secure by design are essential. There are no longer clear boundaries to protect and the dynamic reconfiguration of software, firmware and endpoints means that a new security paradigm is required.
This paradigm shift is towards information-based security based on zero trust principles and the need for this has never been clearer. This will take time to implement but ultimately is the only way to realize the potential of all this interconnected technology without introducing a significant cyber security risk.
Energy companies are balancing a difficult equation with multiple pressures, threats and risks but managing the security of all connected devices and securing the trusted information that will underpin the smart grid must remain a top priority.