Sitting on the kitchen countertops of millions of UK households, the humble smart meter is an important weapon in the fight to reduce this country’s carbon emissions. They also, in the eyes of some commentators, constitute a potentially massive cybersecurity vulnerability – a threat serious enough to warrant the government launching a public consultation on how these energy-saving devices might be breached by your common variety hacker. Others, meanwhile, are concerned that as the smart grid network balloons in scale in the next few years, so too will the innate subsceptibility of the energy sector to predation by cybercriminals.
In the last five years, the number of domestic smart meters installed in the UK has grown from 5.9 million at the start of 2017 to 25.7 million as of this year. This growth is set to accelerate after the imposition of new annual targets for gas and electricity suppliers to install smart meters to households and businesses using non-smart devices over the next three years.
As more smart meters are connected to the national grid, the volume of data sent over the network will naturally increase in scale. One of the organisations spearheading the UK’s national smart metering network, the Data Communications Company (DCC), has predicted a fivefold increase in the amount of data traffic over the next few years. It recently reported that the number of messages sent across its network is now surpassing a billion a month. In the next few years, that network is expected to double in size and traffic increase by 500%, as it begins to adapt to new demands such as half-hour meter readings.
Deryck Mitchelson, field chief information security officer at Check Point, believes these plans for the near real-time transfer of data can make it an attractive target for cyber criminals. “When you start to get real-time information on data through these smart meters, data privacy issues become a huge issue," he says, potentially allowing hackers to work out the number of persons in a household, or even when they're sleeping – all valuable data for a targeted cyber attack further down the line.
There are several ways a smart meter could be compromised, according to Mitchelson. There could be IP address misconfigurations at the smart meter level, for example, or SQL injection vulnerabilities pushed through via code updates. “Although there are degrees of separation built in to safeguard these systems, I suspect that a lot of vulnerabilities in this potential area of compromise would be within domestic smart meters and the user interface of these devices," he says.
A spokesperson from the DCC told Tech Monitor that smart meters in the UK are protected by an air gap and as such, are not actually connected to the internet. However, cybersecurity researchers from Mandiant have previously demonstrated how the air gap between an IT and OT network of a smart grid could be bridged.
Energy readings are also encrypted and only viewable by consumers and their energy provider, according to the spokesperson. They added that the DCC runs an “always on” 24/7 security operations centre from its headquarters in Manchester which proactively monitors for anomalies and cyber threats, and that the organisation has a highly secure test lab facility where smart meter providers can test their hardware.
Why the energy sector is prepared for cyberattacks on smart meters
Whatever the vulnerability of smart meters to breaches, the energy sector represents an increasingly attractive target to cybercriminals. Experts disagree on the scale of that threat. While IBM published a report earlier this year claiming that the energy sector was the top target for cyber attacks in the UK, with almost a quarter of attacks aimed at firms like British Gas and eON, more recent data suggests that the industry fared slightly better than the research and education sectors.
Mitchelson has more confidence in the latter picture. While the CISO agrees that the UK’s critical national infrastructure is always an area for concern, he believes that the energy sector has invested heavily in cybersecurity and is relatively more mature in this area compared to other sectors.
“We’re absolutely seeing utilities and other parts of critical national infrastructure being massively hit by cyber attacks, particularly since the start of the Russian invasion of Ukraine,” he says. “But one thing about energy companies is that they do spend a substantial amount of money on cybersecurity. If you look at the level of spend across industries, they’re spending a lot more compared to other sectors because they’re such complex organisations with the amount of IoT devices.”
Tom Westenberg, senior OT security consultant at Thales, agrees. “We’re seeing that operators within the energy sector are becoming increasingly mature when it comes to detecting, responding and effectively recovering from cybersecurity impacts, whereas they may have gone unnoticed prior,” he says. “In addition to this, we’re also seeing manufacturers of IoT components, such as smart meters, engaging us on Secure-by-Design concepts in an effort to make the components more robust throughout the life-cycle.”
While these efforts are encouraging, the energy industry is by no means immune from cyber attacks, especially as criminals increasingly focus their attention on critical national infrastructure. “As an industry, ” says Westenberg, “we still have a long way to go.”
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.