Networks Europe Jan-Feb 2017 | Page 42


CYBER SECURITY
"Some of the larger smart meter rollouts have been slowed or halted for security reasons in both the Netherlands and Germany where the governments have been implementing cyber security rules"
that it thinks, acts and reacts in a more secure way. In order to secure meters, a security infrastructure needs to be in place. This is where a utility should count on its smart meter supplier to provide the necessary infrastructure components, such as certificate policies, security baseline documents, how meters receive keys, how they are changed, and how they are destroyed.
Can regulations help?

Security requirements and regulations are becoming more compulsory worldwide, similar to other aspects of utility operations, helping to drive better security practices. European governments are concerned about privacy and security. They will impose security to a fairly deep level of detail or will demand that the utility industry, vendor or standardisation committee proves to which security standard they adhere. There are many examples of 'security rulings', such as the specification by the German Federal Office for Information Security, which has a major impact on the utility industry in Germany and throughout Europe. There are other standardisation initiatives to which utilities will refer if a vendor wants to be compliant when tendering, such as DLMS standardisation with its different 'coloured books' (eg. green book on protocol and system architecture, and blue book on the interface classes and object identification) or G3 PLC, which has detailed and specific sections on security. Lastly, there are supranational initiatives, such as the European Network for Cyber Security (ENCS). Founded in 2012, ENCS is a non-profit organisation that brings together critical infrastructure stakeholders and security experts to deploy secure European critical energy grids and infrastructure. There's also the European Union Agency for Network and Information Security (ENISA), which issues recommendations on technical issues such as the validity of algorithms and key sizes.
Measures to prevent incidents

Looking at the different potential threats, cyber security needs a holistic approach. Utilities need to look at the complete solution and its processes, the overall system architecture and its system components, and sub-components. There are two aspects of a holistic solution: secrecy and trust. Secrecy is about ensuring that information cannot be retrieved or read by unauthorised parties. Trust is about being sure that the sender and the recipient of information are really the actors that you suppose them to be.
This can be translated back to smart meters; for example, they need to be sure that when a breaker command is sent to a meter, it's being sent by an authorised sender. Also, they need to be sure that the metering data that's retrieved is not altered to reduce or increase the bill or, in the case of substation monitoring, altered to create a system or market imbalance.
At the very core of today's systems for smart meter security are secret keys (to encrypt and authenticate). These are used to verify identity and authenticity and protect confidentiality. Keys can be shared or be private/public, and they can have specific purposes such as key generation, authentication, encryption and storage etc. Shared keys are used in symmetric security and its cryptographic algorithms; private/public keys, with certificates, are used in asymmetric security and its algorithms to, eg, generate keys or support digital signing.
Whether it's private/public or shared, keys that are used extensively throughout the whole metering solution can become complex to manage, or difficult to securely store. So utilities do have options to secure their operations. Essentially, you can't talk measures without keys (shared or private/public). For more critical processes, like switching a meter on/off, load limiting it, or updating its firmware, most utilities will opt for asymmetric security, allowing digital signing of the commands to execute the critical process.
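The digitally signed critical command described above, as an added example in Go that is not from the article or from any vendor's implementation: the head-end signs a breaker command with its private key, and the meter, holding only the public key, rejects forged, altered or replayed commands. The choice of Ed25519, the Command fields, the replay counter and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a hypothetical critical command; the field layout is an assumption.
type Command struct {
	MeterID, Action string
	Counter         uint64 // strictly increasing, so a captured command cannot be replayed
}

// encode returns the exact bytes that are signed and verified (IDs must not contain NUL).
func (c Command) encode() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, c.Counter)
	return append(b, c.MeterID+"\x00"+c.Action...)
}

// Sign is the head-end side: only the holder of the private key can produce a valid signature.
func Sign(priv ed25519.PrivateKey, c Command) []byte { return ed25519.Sign(priv, c.encode()) }

// Meter stores only the utility's public key, so a compromised meter cannot forge commands.
type Meter struct {
	ID          string
	Trusted     ed25519.PublicKey
	LastCounter uint64
}

// Execute accepts a command only if it is correctly signed, addressed to this meter and fresh.
func (m *Meter) Execute(c Command, sig []byte) error {
	if !ed25519.Verify(m.Trusted, c.encode(), sig) {
		return errors.New("bad signature")
	}
	if c.MeterID != m.ID || c.Counter <= m.LastCounter {
		return errors.New("wrong meter or replayed command")
	}
	m.LastCounter = c.Counter // a real meter would now operate the breaker
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	m, cmd := &Meter{ID: "meter-001", Trusted: pub}, Command{"meter-001", "BREAKER_OPEN", 1}
	sig := Sign(priv, cmd)
	fmt.Println(m.Execute(cmd, sig), m.Execute(cmd, sig)) // first call accepted, replay rejected
}
```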
www.networkseuropemagazine.com