The attack that switched off the lights in Ukraine at the end of 2015 pushed energy sector cyber security into the spotlight. In the everyday routine of utilities, attacks have been common for a long time, but today hackers are getting more systematic and professional.As the systems and processes of energy utilities become more intelligent and increasingly integrated, they also become more attractive targets for attacks. The threat of unanticipated security breaches is not only about loss of income or reduced customer satisfaction, but finally about consumer privacy and stability of the electricity network.
‘As we work with utility customers in AMI projects all over EMEA, we have noticed that the level of security awareness and requirements vary from country to country. But independent of the market, the importance of security is increasing’, says Peter-Georg Koller, VP Product Management, Landis+Gyr. ‘Countries like Estonia, the UK, Germany and Austria rank among the top nations in the Global Cyber Security Index, which measures the commitment of countries to cybersecurity. It’s no surprise that the most stringent requirements for AMI security are found in these markets.’
For years, Landis+Gyr has worked with its utility customers to improve AMI cyber security. “It’s not simply about one-off investment and implementation,” said Koller. “Security is effectively an on-going process that requires continuous technical development, as well as the education and awareness of all stakeholders and the long-term commitment of senior management”, he said.
The most important step
Cyber security in AMI involves more than the technical security of the solution, that is, the physical security of devices, secured communication, software systems and data storing. It demands a holistic approach that embraces the planning of the entire IT infrastructure from a security perspective as well as the people, practices and processes that enable it.
“The first and most important step in cyber security is awareness. All stakeholders need to be conscious of the risks and the utility needs to define what steps can be taken to mitigate those risks as far as possible in a realistic and cost efficient manner,” said Peter-Georg Koller.
Cyber security risk management is about determining and understanding potential threats, evaluating the impact on operations and creating processes to manage them. The investment required needs to be balanced against potential risks. An absolutely secure solution may not be financially realistic, so it’s important to identify the best possible solution within the confines of practical business realities.
EU regulation in preparation
A further push for cyber security awareness is coming from the regulatory side. The first EU-wide legislation on cybersecurity was agreed upon in December 2015. Before the ‘Network Information and Security’ directive officially enters into force, it has to be formally approved by the European Parliament and the Council. The directive is expected to enter into force in August 2016. Thereafter the Member States will have 21 months to transpose the directive into national law. In their role as ‘operators of essential services’, certain players in the energy sector will have to take appropriate security measures and give notification of serious incidents to the relevant national authority. These operators will be identified by Member States.
Working towards a common AMI security approach
While the Network Information and Security directive is progressing on its own path in the EU organization, several associations and working groups are setting up guidelines to transform the directive into products. One of these groups, the ESMIG Security and Privacy Group, developed a list of minimum security requirements for AMI components. This work was performed in cooperation with the Smart Metering Coordination Group (SM-CG) of the European Standards Organizations (CEN, CENELEC and ETSI).The resulting list of generic minimum security requirements - covering all AMI components from Smart Meters to the Head End System - is to be published by SM-CG.
The work of ESMIG focuses on the technical aspects concerning the components and communication links of the AMI. It is based on a collection of all relevant European AMI security requirements, in particular from the Netherlands, the UK, Germany and Austria. In addition, the specifications of NIST (National Institute of Standards and Technology in the US) were considered. The collection consists of more than 300 requirements, which were then divided into 7 clusters that are uniquely linked to functional requirements. The result comprises eleven high-level requirements, covering functions like “the logging of security events”, “upgradeability of AMI components with new security features” and “compliance of crypto mechanisms and key management with approved standards”.
Landis+Gyr has been actively engaged in the ESMIG working group developing the Europe-wide minimum requirements with industry partners and cyber security specialists. Consequently, we continuously strengthen our end-to-end smart metering solution Gridstream® with new security functionality to meet and exceed these requirements.
Make a start
“The best thing utilities can do to improve the security of their AMI systems is to make a start by increasing awareness and by putting an overall IT security policy in place,” said Koller.
In utilities, the AMI cyber security development process begins by evaluating the current security status, identifying weaknesses and creating an improvement plan. In most cases, external support and consultancy can enhance the process.
Overall AMI security consists of both technical and organizational aspects. Improvements can be made in various categories that include:People and processes
- This is the most vulnerable category and the weakest link in cyber security. It needs continuous attention and is also the easiest area to improve by implementing common security practices and providing guidance around themes like roles and responsibilities, classification of data, and password practices. AMI backup and recovery practices as well as system update procedures also play an important role here.
- A properly secured IT environment lies at the very core of cyber security. IT security can be immediately improved to better protect sensitive information and critical services by network segmentation. As a common practical example, the AMI environment and office network should always be located in separate segments.
- As an end-to-end solution provider, Landis+Gyr takes a comprehensive approach to security. Security is designed into all Gridstream components, from the physical security of the devices (e.g. tamper detection) to the support of secure device installation and maintenance processes. Communication is secured between all components of the solution. Access to data and functions is securely managed based on the user’s role and supervised by extensive audit trails.