Security audits and protecting AMI systems and smart meters from cyber attacks
In the last couple of years, energy providers have been expanding their infrastructure, whether by replacing previously used meters with Smart Meters or integrating newer models equipped with integrated remote metering systems. The EU 2009/72/WE Directive enforces a requirement for at least 80 percent of energy receivers to be supplied with smart meters by 2026, creating several new responsibilities for energy distributors, namely subjects such as meter and router management, ensuring sufficient communication standards, storage of passwords and DLMS authentication keys as well as software updates.
As we know, a successfully finalised process of implementation of smart energy monitors can be hard to achieve, which is why we would like to highlight the importance of implementing sufficient security measures to protect AMI systems from cyber attacks.
HOW WE CAN HELP YOU
Smart meter security analysis
Smart meters are built-in devices equipped with displayed communication interfaces and just like other electronic devices, they can be vulnerable to local and remote attacks. Conducting audits of the equipment before finalising the purchase is the most efficient way to make sure we choose the most secure devices available. Additionally, while the auditing processes are ongoing, we can ensure all the necessary changes to firmware have been implemented and are sufficiently secure.
Security audits of routers, PLC modules, and concentrators
A security assessment and configuration hardening are the best way to prevent remote attacks and potential data leaks.
Security audits of network devices
Smart meters, although crucial for the functioning of AMI systems, are not the only important element. Each AMI system consists first and foremost of vast infrastructure in which each element’s security needs to be ensured.
Correct firewall rule and network configuration
Using proprietary tools we will analyse Your AMI network traffic and restrict the firewall rules to the minimum required for operational efficiency of the network, leaving no security gaps which could potentially be exploited.
Head End System hardening
Head-End Systems consist of a large number of independent components, which we will update along with conducting hardening processes focused on HES security.
Implementation of Public Key Infrastructure (PKI)
To ensure operational continuity, the communication channels between network devices and HES must maintain their confidentiality and integrity. A correctly implemented PKI system can provide secure, encrypted means of communication as well as ways to authenticate terminal equipment on HES.
General controls audit
After finalising the implementation process, we will conduct a comprehensive audit of system security using Red Team tactics (an analysis of system security from an attacker’s perspective).
BENEFITS
Secure meters and concentrators
Thanks to our services, you can be confident that all of your terminal devices meet all necessary security standards and use secure firmware components, encrypted communication channels, proven DLMS/COSEM protocols resistant to local and remote attacks.
Secure communication
We conduct verifications of communication encryptions and authentications of devices.
Secure HES
To ensure HES security, we use server and software configuration hardening to eliminate potential attack vectors from database servers and offer balancing and utility management services.
Secure infrastructure
Through infrastructure audits conducted alongside hardening processes and restricting traffic to a minimum required for operational efficiency of the network, we efficiently limit potential attack vectors on AMI systems.
WHEN TO CONSIDER SECURITY?
Before purchasing equipment
Purchasing an AMI system is a huge investment, often costing millions of PLN. To avoid any purchases of smart meters, concentrators, or hardware you might regret, we recommend conducting a few security and safety tests of the devices you might be interested in buying before you finalise the purchasing processes.
During the implementation process
If the purchasing process has already been finalised but the AMI implementation process has not yet been completed, it is your last chance to conduct a safety audit of the equipment without it negatively affecting the system. The remaining time before you start up the system can be used to carry out an audit of the equipment and improve the security of the meters’ and concentrators’ software, including hardening processes of the infrastructure.
Testing systems in operation
If the AMI system is already operating during production, but you have doubts about the status of its security, you can conduct a security analysis of the measuring infrastructure equipment. If the infrastructure supplier is unable to provide security patches for the equipment’s software, we can recommend other corrective measures and carry out hardening processes of the infrastructure to reduce the number of potential attack vectors.