Sedona AZ (June 8, 2015) – The following is a letter to the SedonaEye.com editor:
Other potential security threats include tampering with meter data in order to manipulate the outcome of billing, or the leakage of personal information and utility-related data that could provide attackers with insight into a householder’s behavior. Known as a `consumption signature’, this type of information can be used to work out the times of day the householder is absent from a property, as well as the types of electronic appliances they own.
- Myth: APS will use automated meters to monitor the actions of its customers.
- Fact: Automated meters do not have this capability. Like the old mechanical meters, automated meters measure how much energy customers use, not how they use energy. The automated meter does not store or transmit any personal identification information. The automated meters give APS no indication of who our customers are, what they are doing, nor can they determine what appliances customers are using.
Here is the full article Woodall emailed, highlighted exactly as it appeared in Woodall’s email. In her email, two sentences were also put in bold and underlined in addition to being highlighted:
http://www.energycentral.com/gridtandd/metering/articles/2694/Securing-the-smart-meter-supply-chain
Securing the smart meter supply chain
Topic: Metering
Security issues have attracted more attention as smart meter rollouts have progressed. Consumers have expressed concerns about the privacy of their data which has led to delays in smart metering programs in the US and the Netherlands. As this was not an area of focus before and therefore without specifications, there have in Europe been instances of smart metering implementations where the necessary features have not been enabled or older forms of encryption are used.
The industry is currently working closely with governments and consumer groups to address the issue of security. Technical specifications continue to evolve, while new or revised security and data privacy mandates may still be introduced. The European Commission’s Smart Grids Task Force now requires that security and privacy be addressed even at the pilot stage of a smart metering program. There are also more governments taking the lead on smart metering programs, which often means more involvement from the regulator or national ministry.
This is why information security has to be a core part of smart metering rollouts from the start. Utilities can avoid scenarios where infrastructure must be upgraded or replaced to meet new requirements if end-to-end security is embedded within system design. With several utilities in Europe nearing an installed base of a million smart meters or more, it is important they recognize that security is not just about enabling the technical features on the smart meter, but ensuring the underlying processes are managed in a secure and trusted way across the supply chain.
Smart metering lifecycle
The lifecycle of the smart meter begins at the design and engineering phase. It is then manufactured and delivered to the party responsible for installing it at the premises of the consumer, at which point, it moves into the operational phase and becomes part of the smart metering network. Finally, at end-of-life, the smart meter must be decommissioned to ensure remaining sensitive data such as security credentials and personal information is disposed of securely.
At each phase of the smart meter lifecycle, an unauthorized third party might attempt to gain access to sensitive data and use it to launch a malicious attack on either a consumer or an organization. For example, if architecture design is not robust, an attacker could potentially manipulate the smart meter, data concentrator, or gateways in order to disconnect the supply of electricity. A large scale disconnect across multiple households would not only cause inconvenience to the residents in those locations, but may also lead to issues with the grid itself – such as a power outage.
Other potential security threats include tampering with meter data in order to manipulate the outcome of billing, or the leakage of personal information and utility-related data that could provide attackers with insight into a householder’s behavior. Known as a ` consumption signature’, this type of information can be used to work out the times of day the householder is absent from a property, as well as the types of electronic appliances they own. The attacker would need to be highly sophisticated and have significant resources at their disposal. However, given that data concentrators might not be located within secure premises, there is the potential for unauthorized parties to gain access to the sensitive data they hold by physically breaking into them.
Security by design
From the outset, the smart meter engineering process must be suitably robust. If a meter crashes (or is made to crash), attackers could potentially exploit this possibility either by injecting code or executing existing code that would allow them to manipulate the meter. Likewise, the engineering of firmware – i.e. software closely tied to the hardware components of the device – must be robust. Here, functional testing is necessary to ensure it is resistant to malware disguised as standardized communications protocols.
Secure firmware engineering will be essential for meter manufacturers moving forward. As recent history has shown, attackers are more likely to target the means of production, and there have been several cases of USB sticks shipping direct from offshore factories that contained malware. As such, even if a product is certified as being functionally compliant to the relevant standards, it doesn’t necessarily mean it is secure, or indeed that there is authentic firmware on it.
This is why a `security and data protection by design’ approach is recommended whereby data protection and security features are built into smart metering systems before they are rolled out. In the world of IT, robust security design is based on end-to-end communications where the receiver can prove the identity of the sender and knows that the message has not been tampered with in transit.
Building a Trust Provisioning model
Manufacturers for example, are trusted for engineering and producing secure and reliable products. To assure all stakeholders (utilities, meter network operators, consumers) that engineering and production processes of manufacturers are secure, manufacturers can express conformity by obtaining a dedicated certification, for example ISO 27001, the international standard for information security management.
In Europe, Elster, who was recently awarded ISO 27001 certification, has created what is effectively a secured cell within its factory. As shown in Figure 1, the meter enters one end of the cell as an un-trusted and unsecured device and emerges at the other end fully sealed and provisioned with unique key material and its `trust anchors’. The smart meter is therefore supplied to the utility as a `trusted’ device – i.e. loaded and pre-configured with the correct, authentic firmware and credentials. Elster has also developed a secure process for exchanging the provisioned information with its customers.
Figure 1: A secured cell for the factory environment
Source: Elster
A key benefit of the trust provisioning approach is that it is agnostic of market design and the smart metering infrastructure, given that every Member State chooses its own model of smart metering implementation and will be at a different stage of liberalization.
Once the meter is installed, ownership transfers to the utility or the party responsible for operating the meter. At this point, it is critical that the appropriate data security protocols and privacy protection are already enabled. Further down the line, the decommissioning is just as important, as there may still be security relevant data stored on the meter that, if obtained, could allow unauthorized parties to observe or decrypt previous communication or any personally identifiable information left on the meter.
Similarly, a secure process is required for re-provisioning devices. Utilities will need to ensure they have unique keys for all of their smart meters, and have a management process to update them, and to alter access controls should a smart meter be re-provisioned for a new tenant.
Roadmap and ramp-up plan
Although there are no standards designed to address the smart metering and smart grid supply chain specifically, there are existing standards that provide a baseline and others that are being enhanced to meet the requirements of smart metering and smart grid programs.
In the UK, the central data and communications company (DCC), the function established to manage the data that travels to and from gas and electricity smart meters in households over the wide area network (WAN), will rely on external assurance and certification. This will be achieved via the CESG – the UK Government’s National Technical Authority for Information Assurance (IA).
CESG is developing Commercial Product Assurance (CPA-Foundation) security characteristics for smart metering equipment. Once approved by DECC and CESG, they will be published to enable equipment manufacturers to have their equipment tested against the characteristics.
Meanwhile, in Germany the Federal Office of Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) has specified the smart meter protection profile (PP for the Gateway of a Smart Metering System). It is based on the international Common Criteria (CC) and secures the communication between the smart meter in each household and the smart grid, as well as addressing German privacy laws. In meeting these rigorous requirements and being focused around a `single device’ however, there is the possibility for further delays to roll-out.
Certainly, it is clear that all stakeholders must have confidence in the standardization and specification process, that the markets be better educated about the tools and technologies available to them, and that government and industry agree a sufficient rather than minimum set of security design requirements. Otherwise, the commercial introduction of certified devices can prove challenging.
With a current understanding of threats, and a current understanding of the required architecture, it is possible to agree on a roadmap that gets rollouts underway and a ramp-up plan to assure manufacturers achieve volume. Utilities that have yet to commence commercial smart meter rollouts now have the opportunity to address security from the outset, specify options that are well aligned with the recommendations made by the EC and relevant industry bodies, and avoid the complexity and expense of implementing security in retrospect.
Warren Woodward
Sedona AZ
“Everything the CPUC has Done Should be Re-Opened”
Very important video that exposes what is going on in California. No doubt about it, similar things are happening with the State of Arizona’s Corporation Commission.
https://www.youtube.com/watch?feature=player_embedded&v=i8k4CS54aHs
Read links; bad oversight understatement. Corruption likely. Case by case. Where are state’s attorneys? Investigation must.
The news isn’t good for our future health and safety. Follow the money.