Smart metering devices are those clever gadgets that automatically measure the users’s utility consumption and report it to the relevant operating organization remotely via wired or wireless telecommunication network. These tools provide support, comfort, and peace of mind to those living in the house, while taking the burden of regular personal checks off the shoulders of operators.

Even though they are of great help to modern society by saving time and money for the users, smart meters can become a real threat to households in a way many wouldn’t think of.

What are the issues with smart metering devices?

1. 24/7 online communication

Smart metering systems are used not only for the real-time monitorization of the used commodities, such as electricity, water, and gas from the part of service providers but also to enable users to track their consumption on a separate dashboard, or mobile application.

Smart metering devices are continuously connected to the Internet to gather, store, and transfer data, therefore they also act as a possible entry point to our sensitive data, like our daily schedule, and metering information. As all touchpoints between the internet and our household can be a security vulnerability if they lack proper defenses, smart meters can become Trojan horses that open the door to malevolent hackers without us even noticing it.

2. Lack of centralized regulations

The issue with the relative liberalization of the metering market is that there are only a few strong security and privacy requirements that smart metering manufacturers need to abide by. The lack of a centralized security framework enables manufacturers to keep pushing new innovations without taking into consideration the question of data security. Even though IoT security vulnerabilities destroy customer trust, consumers don’t put enough pressure on manufacturers to make this their priority when designing and updating new tools.

In recent years the European Union has put an emphasis on the battle against cybercrime and published its new Cybersecurity IT regulations in 2020, though it still takes time until all organizations obtain compliance.

While the road ahead until organizations reach full compliance is still foggy, there already are positive examples that show how certain countries and establishments have taken the lead in securing smart meters:

1. Switzerland has taken a huge step forward and created a compulsory certification methodology, called Prüfmethodologie, specifically for the accreditation and security check of smart metering devices made for the Swiss market.

2. Common Criteria PP for Smart Meter devices is an already established, internationally recognized methodology that aims to evaluate the security of such tools, and then provides certification for those passing the tests. However, this process is not yet obligatory for manufacturers to market their products. At the moment, this certification is voluntary, but luckily we are seeing a growing interest towards this approach.

3. Absence of security education

We live in a world where our lives are more and more intertwined with different technologies and devices. Smartwatches, performance and health trackers, smart home devices, smart meters, smartphones, smart vehicles… This abundance of hardware and software solutions around us would ideally come hand in hand with the population’s and the service providers’ growing awareness about personal and corporate security.

Unfortunately, we don’t live in an ideal world. MediaPro’s 2020 research on State of Privacy and Security Awareness revealed “that many employees are unaware of key risk factors relating to data security and privacy. Some employees are misinformed or confused about what risky behaviors are; many don’t understand that cybersecurity is their personal responsibility; and even fewer understand sensitive data privacy best practices.”

The manifestation of cybercrime respecting smart meters

There are so many ways in which hackers can use and alter the data of smart meters that harm the service provider and the consumer alike:

• Disclosing personal information
• Providing false metering data
• Bringing down the system of the service provider
• Getting a list of the used electronics in the household
• Causing the meter to overheat and explode
• Blackmailing users

In 2016, in the Ukrainian capital, Kiev, an energy grid became the target of a cyber-attack that caused a blackout for more than an hour. The power cut had amounted to a loss of about one-fifth of Kiev's power consumption at that time of night, affecting 225.000 people.

How can you make sure about the security of smart meters?

In the world of smart meters, there are at least two examples of applied methodologies that can be used to evaluate the security of devices. One of them is the Swiss example of METAS certification process based on Die Prüfmethodologie issued by Swissmig, the other one is the new Common Criteria Protection Profile for Smart Meter Security Requirements published in 2019. However, at the time of the writing of this article, only one of them is obligatory in Switzerland, which on one hand shows how this country is leading the way in IoT cybersecurity, while on the other hand supports the argument of the lack of international regulation.

With the enforcement of Stromversorgungsverordnung, the Electric Supply Ordinance, Switzerland has revolutionized the smart metering environment which contributes to the protection of personal data, and the building of trust between service providers and consumers.

By going through this evaluation with the help of independent certification laboratories, like CCLab, manufacturers can make sure they completely fulfill the expectations of modern society, while leading the way in a new paradigm shift, towards a more secure cyberspace.

At CCLab, we pre-evaluated and certified a number of Head-End-Systems, Gateways, and Smart Meters, and supported the Swissmig community since the beginning of the smart metering evaluation procedure, so our team has an expansive, professional experience in Swiss smart metering in case of:

• Smart metering devices (iMG)
• Communication Systems (Kommunikationssystem); Data concentrator (Datenkonzentrator), other Gateway (GW)
• Head-End System (HES) through the respective test object (ToE or PG)

Get in touch with us now if you need support with the security evaluation of your smart metering device!