How smart meters can handle personal data - Issues, solutions, regulations

How smart meters can handle personal data? - Issues, solutions, regulations

We’ve already heard a lot about security breaches of IoT devices, when the personal data of end-users was at risk. But what about the security of smart meters that are gaining popularity by utility companies thanks to their ease of use, and automated reporting functions?

Are smart metering devices problematic from a security and privacy point of view?

Due to the rapid expansion of smart metering devices, more and more end-users are getting concerned about the security of their personal data. Are they stored in a safe place? For how long are they stored? What are they used for? Can they be stolen?

These questions emerged in the mind of one Swiss individual, who found out that their radio water meter emitted radio transmission signals of the measured water data every 30 seconds that was logged for 252 days by the utility organization. On one hand, these transmissions enable the water engineer to read the water level of the individual residential units as they pass by (walk-by or drive-by), without having to knock on the door of the end-users.

On the other hand, the issue with this approach was that the metering data was collected only once a month by the utility organization that was used for billing, which made the frequent signal emission, and the length of data storage highly questionable. According to the Swiss Supreme Court, there is only a legal basis for the billing, but not for the storage of water consumption data. As a result, the filing individual received ~4000 EUR compensation, and the case was sent back to the original region’s court for further evaluation.

Why is this case so important?

This case is significant because this is the first decision of the Swiss Federal Supreme Court regarding the right of informational self-determination. As a result, this case has a great impact on the future of the methodology, way of use, and security requirements of smart metering devices.

Secondly, even though this court case hasn’t brought any headline-worthy results, like defining how we should approach security and privacy concerns in the smart meter industry, it created the ground for deeper, and critical discussions about this topic.

How can the security of smart metering devices be supervised and controlled?

As end-users and utility organizations are getting more and more aware of the cybersecurity threats lurking around any electric device handling confidential data, evaluating and testing the security of smart metering devices is becoming quintessential.

1. “Privacy by Design” by ESMIG

ESMIG represents European companies providing products, information technology and services for multi-commodity metering, display and management of energy consumption and production at consumer premises.

One major step towards the IT security of smart metering devices has been done by ESMIG, who proposed the “Privacy by Design” principle. This technological approach would enable end-users to decide the type of information that is generated by the meter, while also deciding where it goes, and who can access it. For instance, one type of information flow could be used for monthly consumption readings and power quality data sent to or measured by the utility organization. Or another information flow could be a more detailed insight about the household’s energy consumption and/or production profile, with restricted access.

Source: https://esmig.eu/page/privacy-and-security

2. “Die Prüfmethodologie” by SWISSMIG, the Association of Smart Grid in Switzerland.

“Die Prüfmethodologie” is a test methodology framework, which helps smart meter manufacturers to evaluate, test, and verify their products from a security point of view. The process can be initiated and conducted by certified test laboratories, such as CCLab, who help manufacturers get their products certified by the Swiss Federal Institute of Metrology, aka METAS.
During a smart meter evaluation project test labs can help manufacturers with:  

• Initial document/functionality review
• Readiness assessment
• Pre-evaluation for documentation
• Market specified vulnerability assessment
• Official Evaluation and a successful METAS certification

3. Draft of Protection Profile for Smart Meter minimum requirements issued by  CEN/CENELEC/ETSI Coordination Group on Smart Meters

Besides “Die Prüfmethodologie” by SWISSMIG dedicated for the Swiss market specifically, Manufacturers can also choose theProtection Profile for Smart Meter minimum requirements, developed by the members of the ad hoc SCG-SM Task Force on Privacy and Security when evaluating their smart metering devices. This PP introduces a framework describing a set of security requirements for smart meters, based on the ‘minimum security requirements’ philosophy. The Protection Profile is based on Common Criteria for Information Technology Security Evaluation methodology and framework, which means this could provide an internationally accepted CC certificate for Manufacturers. Evaluation done in accordance with the Protection Profile offers an EAL.3+ equivalent level of certification, that CCLAB is able to perform and provide to manufacturers in less than 4 months.

The key components of both the Prüfmethodologie and the abovementioned Common Criteria Protection Profile
Both the Swiss Prüfmethodologie and the CC Protection Profile became the ideal go-to solution for smart metering manufacturers who want to fulfill the growing demands of consumers, and assure them about data security when entering the chosen market be that only Switzerland specific as with the Prüfmethodologie or EU wide via the CC PP.
Both evaluation frameworks are all-encompassing testing methodologies, that takes into consideration the following factors when evaluating the security of a smart device:

• Access control: Monitors who is authorized to view and monitor smart meter generated data.
• Identification and authentication: Authorized users must be acknowledged and logged by the system when accessing smart meter data.
• Communication: Smart meters are only allowed to communicate with the provider and the end user.
• Encryption: All data leaving the smart meter must be encrypted at all times.
• Logging: All interactions with smart meters must be tracked and logged for security purposes.
• Interface: Smart meter data displayed on any interface is strictly read only to minimize unauthorized disclosure and prevent data manipulation.
• Alerting: Smart meters automatically issue an alert when it is tampered with in an illegal manner.
• Penetration testing: Smart meters must withstand attacks like denial-of-service, replay, Buffer overflow & man-in-the-middle. This ensures that smart meters are resistant to cyberattacks.

How CCLab helps?
Being a certified test laboratory, CCLab helps organizations obtain their METAS certification, while also providing support with pre-evaluation, consultation, and vulnerability assessment services.

Conclusion
As we could see from the legal case mentioned in the article, the right of informational self-determination is not yet clearly defined, while requirements and solutions can vary in each industry or country.
One thing is certain, that the end-users are more concerned about their online security and privacy than ever before, which presses manufacturers to ensure encrypted, and bulletproof communication with their smart metering devices. Fortunately, the above mentioned good examples such as the Prüfmethodologie and the Protection Profile offer a trustworthy and reliable verification process, which is able to increase the feeling of trust and security of the consumer of certified manufacturers.
Naturally, hacker-proof systems on their own won’t be able to ensure security without strict guidelines and regulations that need to be in place to supervise vendors and providers how they manage personal data. Although, security evaluations are a fantastic start on the way to cybersecurity and building customer trust, as they cover all key privacy policy components to ensure compliance with regulations, like GDPR.

‍