Germany-based Compass Security, an ethical hacking and penetration testing company, has released a white paper that includes a checklist of concerns for smart meter security:
Government requirements, new business cases and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructure.
While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability and privacy.
Nations absolutely recognize the criticality of the energy infrastructure for their economic and political stability. Therefore, various initiatives to ensure reliability and availability of the energy infrastructures are being driven at nation as well as at nation union levels. In order to contribute to the evaluation of national cyber security risks, the author decided to conduct a security analysis in the fields of smart energy.
Utilities have started to introduce new field device technology - smart meters. As the name implies, smart meters do support many more use cases than any old conventional electricity meter did. Not only does the new generation of meters support fine granular remote data reading, but it also facilitates remote load control or remote software updates. Hence, to build a secure advanced metering infrastructure (AMI), communication protocols must support bidirectional data transmission and protect meter data and control commands in transit.
To justify the scope of this whitepaper, a brief introduction to smart metering is provided. Moreover, relevant security standards and guidance are being referenced. The paper aims to identify assets, threats and mitigating controls for smart metering using the OCTAVE Allegro risk assessment method. The result is a collection of 43 controls that apply to any smart meter environment. Although the analysis is tailored to the analysis of the wireless M-Bus, the listed controls provide a good basis for metering companies, utilities or meter manufacturers to verify their meters' protection level. During this analysis it has been recognized that legal aspects need to be clarified. Not only does the frequency of meter readings affect the consumer privacy, but also the records management at the metering company. Besides, it is not always clear who the owner of the consumption data is. This largely depends on local culture and law.