Big changes are happening in the “energy” arena? What’s the news?

Nicolas Viot shares the smart revolution in the energy segment and the changes in terms of security challenges.

What is new in the energy arena?

In the past decade the energy field has undergone momentous changes: the traditional utility business model is evolving. Increased energy demand, unpredictable generation from renewable sources, volatile energy costs, distributed generation, electric vehicles and environmental concerns are coming together to change the nature of the grid.

This requires the energy architecture, or structure, to be modernized. Many utilities are looking to smart metering and smart grid solutions to help address these challenges. We have been using systems that are no longer in sync with today’s demands, and the introduction of the internet of things and the cloud is having an impact on how energy companies wish to monitor and manage energy demand and supply. The energy industry is getting “connected.”

Within this context, we are seeing smart metering infrastructures being deployed on a much larger scale. “The 10 largest national deployments worldwide are expected to add 500 million new smart meters by 2020, approximately tripling the 2012 global installed base, and the locus of growth shifting from North America to Europe, then Latin America and Asia”*

The growing connectivity of these developments in “smart grids/smart metering” poses an interesting challenge for the security and evaluation of such systems and devices.

The smart grid is significantly broader than smart metering. Smart meters are a single application within the smart grid. A true smart grid goes beyond the meter to provide a broader set of services that increase reliability, survivability and responsiveness of the grid. With a smart grid, utilities can meet next generation demand response challenges, optimize local grid efficiency, predict power outages before they occur and rapidly restore service, and implement other services. Unlike smart meters, a smart grid infrastructure goes beyond billing and metering applications, and provides essential information about the health and status of the grid necessary to implement many diverse smart grid applications.

What do you mean by “smart” grids or metering?

The introduction of “smartness” in energy distribution infrastructures mainly consists in providing a control loop based on monitoring digital distant assets.

This smartness, sometimes referred to as “advanced smart metering”, is intended to:

  • improve energy efficiency by continuously adapting production and consumption, improving the traditional functions of demand/response.
  • optimize costs and improve service by enabling a better system of maintenance; assets are monitored more thoroughly and the infrastructure is also upgradable. Depending on the features set, the meter may also notify the utility of a power outage or allow the utility to remotely switch energy services on or off. The end-user can monitor their consumption more precisely.

What are the security concerns in these contexts?

The energy industry has increasingly been the victim of cyber-attacks. Zero-day vulnerabilities and malware platforms typically target the SCADA (Supervisory Control and Data Acquisition) systems used in smart grids. The hackers are skilled and incentivized to perform complex attacks, so the risk in this sector has moved from simple viruses to Advanced Persistent Threats.

The energy industry has a legacy of low-security protocols and software architectures, and has the obligation of being “always on”. These constraints may lead many actors to bypass elementary security measures.

Energy grid connectivity implies two categories of risks:

  1. Threats to the critical infrastructures, with safety implications for the public;
  2. Privacy concerns for end-users.

It is important to integrate security from the start, to understand the software and hardware attacks, and to integrate security into the systems in place, as well as to properly test all the functionalities.

What can you do to mitigate security risks of your systems?
(Transmission System operator (TSO), Distribution System operator (DSO), Programmable Logic Controller (PLC) or meter manufacturer…)

In order to mitigate these risks, it is important to integrate security from the beginning of a development or project, so that it includes security functionalities that counter software/hardware attacks. The system should be secure by design, rather than having security added as an afterthought.

It is also critical to regularly monitor the security risks and new vulnerabilities that systems become exposed to over time, and to adapt security accordingly.

At the early development stage, Trusted Labs helps customers understand the main software and hardware attacks they are exposed to, in addition to the security requirements of the ecosystem. In light of those risks, we deliver recommendations for designing secure systems.

If a solution is already implemented by the customer, we can evaluate the security risk the solution or architecture is exposed to. Trusted Labs has been working with different customer profiles, such as Transmission System Operators (TSO), Distribution System Operators (DSO), and Programmable Logic Controller (PLC) or meter manufacturers.

We can perform security evaluations to address many of the aspects of smart grid security: from site security audits to code review, including hands-on penetration testing of components such as PLCs or smart meters.

Trusted Labs has long experience in accompanying national agencies and industry groups in creating certification schemes. As a TSO, you may need to define requirements for your suppliers, and we can help you ensure that your requirements are pragmatic, attainable, and consistent with state-of-the-art security.

* Accenture

Nicolas Viot, Senior Security Consultant

Nicolas has 9 years of experience in the security domain, specializing in software security. In the last few years, he has conducted security risk assessments and evaluations of smart metering projects. He started his career as a Security Consultant in 2007 and set up a security consulting company in 2016.