Why is cybersecurity important in smart metering?

The global market for Smart Meters, estimated at US$10.5 billion in 2020, is predicted to grow at a CAGR of 6.7 percent, reaching US$15.2 billion by 2026.  Based on the latest available data, U.S. electric utilities have about 102.9 million smart meter device (AMI) installations while 26.4 million homes and small businesses are equipped with smart and advanced meters in Great Britain. 

Smart metering solutions are developing and growing drastically, which brings many advantages to both the utility company and the consumer. However, parallel to this trend, the exposure of devices and systems to cybercrime is also increasing. A potential hacker attack on a smart metering device not only endangers the user's personal data but can even harm the critical infrastructure of a city or region. 

In our article below 

• You can understand the importance of cybersecurity for smart meters.
• Learn more about one of the already existing data security certification model as a benchmark, the example of Switzerland.
• We will guide you through the process of how CCLab can help to get your smart metering solution METAS-certified.

Why is cybersecurity essential in smart metering?

Smart meters (also known as Advanced Metering Infrastructure (AMI) or Intelligent Measurement System/Device (IMS/IMD)), are essential components of smart grid infrastructure systems. The functional design allows an automatic two-way communication between a smart meter and a utility provider. Smart metering solutions strive to provide an advanced way of monitoring power consumption as well as a more transparent and effective invoicing mechanism.

Smart meters provide numerous advantages for both the utility provider and the user side but their downside must also be considered: each connected device to a network or the Internet is another possible target for cybercriminals searching for vulnerabilities to enter, manipulate or attack the systems to which the devices are connected. 

Learn more about smart metering devices in our previous article.

Vulnerabilities in smart metering solutions

Due to the complexity of the smart metering solution system, the sources of vulnerabilities can vary in the firmware, hardware architecture, system applications, as well as network interface.  Although professionals do their best to ensure safety while developing and designing a smart metering system, security gaps can occur at any level in the process. 

These security concerns must be addressed to boost customer confidence and enable the widest possible adoption and success of smart metering solutions. One of the most effective ways to prevent cybercrime in smart metering currently is to get the devices comply with recent cybersecurity measures.

Smart Meters: the importance of cybersecurity measures 

There are several international cybersecurity measures in place for different markets and smart metering solutions, but their general goals are the same:

• Higher protection of consumers’ privacy
• Improve network resilience - the protection of household smart metering devices is of utmost importance, since cybercriminals can carry out a DoS (Denial of Service) attack from a hacked device through the network, and can even reach critical infrastructure (power plants) this way.
• Reduce the risk of monetary fraud

‍

The Swiss model - METAS Data Security for Smart Metering

As mentioned above, there are several international standards in place for the cybersecurity of smart meters. In this article, we provide a deeper insight into the Swiss METAS Data Security for Smart Metering and its certification process. 

Switzerland is at the forefront of making smart meters safer. Based on the regulations introduced in 2019 all smart metering systems in Switzerland must be METAS certified (METAS Zertifizierung) based on the so-called “Prüfmetodologie zur Durchführung der Datensicherheitsprüfung für Smart Metering Komponenten in der Schweiz” published by SWISSMIG (Smart Grid Industrie Schweiz). 

METAS-Cert is a Swiss-designated and EU-recognized organization for smart metering device conformity evaluation. METAS-Cert performs conformity evaluations on behalf of the smart meters’ manufacturers to place goods on the market. Manufacturers, on the other hand, have to contract an independent and Common Criteria (ISO/IEC 15408) accredited Testing Laboratory , to conduct a security evaluation and penetration testing of the complete IMS (intelligent measurement system) using a defined test methodology.

CCLab - an expert service in the smart metering certification process

Since 2019 CCLab has become one of the leading accredited Laboratories in cybersecurity evaluations of smart metering solutions for the Energy Industry. Our agile evaluation methodology in international project is based on Common Criteria and in Switzerland it it strictly adheres to the most recent version of the above-mentioned Test Methodology for Execution of Data Security Evaluation of Swiss Smart Metering Components issued by SWISSMIG for METAS DS certification.

We are proud that the majority of the METAS-certified smart metering products have been tested by our experts at CCLab.‍

Since the beginning CCLab has been active in developing procedures and security functions while assisting the SWISSMIG community, thus we gained a deep experience in delivering smart meter security evaluations and METAS certifications quickly and professionally. 

How can CCLab help you to get your product METAS-certified?

CCLab can provide you with a number of services to conform and comply with the desired standards and security levels. We have pre-evaluated and certified numerous Head-End-Systems, Gateways, Data Concentrators and Smart Meters (IMDs). Our experienced professionals will guide you through the entire smart metering certification process:

• Initial document/ functionality review
• Readiness assessment
• Pre-evaluation for documentation
• Market specified vulnerability pre-assessment
• Official evaluation of documents and vulnerability assessment to get METAS certification

‍

What is the process of the smart meter evaluation in Switzerland?

The evaluation process of a smart meter device is quite complex, here we can provide only a small insight into the most important steps: 

1. Communication with METAS

Communication with METAS before starting the evaluation project: In this step, you have to fill out the application form for METAS, obtain a case number for each component, and fill out all relevant documents and send them to METAS.

‍Communication with the Test Laboratory during the evaluation: The process starts with a kickoff meeting and continues with regular status meetings. At CCLab we separate the process into 2 phases: first comes the document evaluation (Prüfmethodologie [PM] sec. 5.1-5.5.) and then the vulnerability analysis  ([PM] sec. 5.6). 

2. Document Evaluation 

During this step, the following documents get evaluated: 

• Manufacturer’s documentation
• TOE (Target of Evaluation) overview
• IT security concept (OT matrix, according to PM 5.1)
• Checklist to fill (architecture, functionality based on PM 5.2)
• Product documentation (according to PM 5.3)
• Product lifecycle (according to PM 5.4)
• Optional verification tests (according to PM 5.5)

The outcome of the document evaluation process is the first part of the so called, ETR (Evaluation Technical Report).

3. Vulnerability Analysis 

Once the Document Evaluation process is completed successfully, the vulnerability analysis takes place. The tested devices must be set by the Manufacturer in accordance with Prüfmethodologie/Anhang 1 and the requirements of the document(s) mentioned in sections 2.1 and 3.1. At the end of this process, the complete ETR with its Annexeswill be issued.

4. Sending reports to METAS at the end of the evaluation process

At this step, the Confidential Manufacturer documents and the ETR (Evaluation Technical Report with its Annexes) issued by the Test Laboratory must be sent to METAS via a secure channel. After that, if necessary, based on METAS feedback, the Manufacturer and the Test Laboratory complete the modifications. 

Finally, as the last step of the project, first a draft and then a final certification will be issued by METAS.

Summary

At CCLab we provide simple solutions to solve complex security challenges. Our agile approach and comprehensive experience make us different. If you are looking for a reliable companion to get your smart metering device safer and certified, ask for a free consultation. Our experts will be happy to answer all your questions.