How can smart meters handle personal data? - Issues, solutions, regulations
We’ve already heard a lot about security breaches of IoT devices in which the personal data of end-users was at risk. But what about the security of smart meters, which are gaining popularity among utility companies thanks to their ease of use and automated reporting functions?
Are smart metering devices problematic from a security and privacy point of view?
Due to the rapid expansion of smart metering devices, more and more end-users are getting concerned about the security of their personal data. Are they stored in a safe place? For how long are they stored? What are they used for? Can they be stolen?
These questions emerged in the mind of one Swiss individual, who found out that their radio water meter transmitted the measured water data by radio every 30 seconds, and that the data was logged for 252 days by the utility organization. On one hand, these transmissions enable the water engineer to read the water level of the individual residential units as they pass by (walk-by or drive-by), without having to knock on the door of the end-users.
On the other hand, the issue with this approach was that the utility organization collected the metering data only once a month, for billing, which made the frequent signal emission and the length of data storage highly questionable. According to the Swiss Supreme Court, there is only a legal basis for the billing, but not for the storage of water consumption data. As a result, the filing individual received ~4000 EUR compensation, and the case was sent back to the original region’s court for further evaluation.
Why is this case so important?
This case is significant because this is the first decision of the Swiss Federal Supreme Court regarding the right of informational self-determination. As a result, this case has a great impact on the future of the methodology, way of use, and security requirements of smart metering devices.
Secondly, even though this court case hasn’t brought any headline-worthy results, like defining how we should approach security and privacy concerns in the smart meter industry, it laid the groundwork for deeper, critical discussions about this topic.
How can the security of smart metering devices be supervised and controlled?
As end-users and utility organizations become more and more aware of the cybersecurity threats lurking around any electric device handling confidential data, evaluating and testing the security of smart metering devices is becoming essential.
ESMIG represents European companies providing products, information technology and services for multi-commodity metering, display and management of energy consumption and production at consumer premises.
One major step towards the IT security of smart metering devices was taken by ESMIG, which proposed the “Privacy by Design” principle. This technological approach would enable end-users to decide the type of information that is generated by the meter, while also deciding where it goes and who can access it. For instance, one type of information flow could be used for monthly consumption readings and power quality data sent to or measured by the utility organization. Another information flow could be a more detailed insight into the household’s energy consumption and/or production profile, with restricted access.
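The two information flows described above can be sketched as a default-deny release policy. This is an added illustration, not ESMIG's specification or any vendor's code; the recipient names, granularity labels and sample readings are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical consumer-set policy: recipient -> finest granularity it may receive.
# "month" = one total per month (billing flow); "interval" = raw readings (restricted flow).
POLICY = {
    "utility_billing": "month",
    "household_display": "interval",
}

# Constructed sample readings: (ISO timestamp, kWh consumed in that interval).
READINGS = [
    ("2024-01-31T23:30:00", 0.5),
    ("2024-01-31T23:45:00", 0.5),
    ("2024-02-01T00:00:00", 0.5),
    ("2024-02-01T00:15:00", 0.25),
]


def release(recipient, readings, policy=POLICY):
    """Return only the view of the data that the consumer's policy grants."""
    granularity = policy.get(recipient)
    if granularity is None:
        # Default deny: a recipient without a defined flow receives nothing.
        raise PermissionError(f"no flow defined for {recipient!r}")
    if granularity == "interval":
        # Restricted flow: the detailed consumption profile.
        return list(readings)
    if granularity == "month":
        totals = defaultdict(float)
        for ts, kwh in readings:
            totals[datetime.fromisoformat(ts).strftime("%Y-%m")] += kwh
        # Billing flow: only per-month totals are released, not the load profile.
        return sorted(totals.items())
    raise ValueError(f"unknown granularity {granularity!r}")


if __name__ == "__main__":
    print(release("utility_billing", READINGS))
    print(len(release("household_display", READINGS)), "interval readings")
```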
“Die Prüfmethodologie” is a test methodology framework, which helps smart meter manufacturers to evaluate, test, and verify their products from a security point of view. The process can be initiated and conducted by certified test laboratories, such as CCLab, who help manufacturers get their products certified by the Swiss Federal Institute of Metrology, aka METAS.
During a smart meter evaluation project test labs can help manufacturers with:
Besides “Die Prüfmethodologie” by SWISSMIG, which is dedicated specifically to the Swiss market, manufacturers can also choose the Protection Profile for Smart Meter minimum requirements, developed by the members of the ad hoc SCG-SM Task Force on Privacy and Security, when evaluating their smart metering devices. This PP introduces a framework describing a set of security requirements for smart meters, based on the ‘minimum security requirements’ philosophy. The Protection Profile is based on the Common Criteria for Information Technology Security Evaluation methodology and framework, which means it could provide an internationally accepted CC certificate for manufacturers. Evaluation done in accordance with the Protection Profile offers an EAL.3+ equivalent level of certification, which CCLab is able to perform and provide to manufacturers in less than 4 months.
The key components of both the Prüfmethodologie and the abovementioned Common Criteria Protection Profile
Both the Swiss Prüfmethodologie and the CC Protection Profile became the ideal go-to solution for smart metering manufacturers who want to fulfill the growing demands of consumers and assure them about data security when entering the chosen market, be that Switzerland only, as with the Prüfmethodologie, or EU-wide via the CC PP.
Both evaluation frameworks are all-encompassing testing methodologies that take into consideration the following factors when evaluating the security of a smart device:
How does CCLab help?
Being a certified test laboratory, CCLab helps organizations obtain their METAS certification, while also providing support with pre-evaluation, consultation, and vulnerability assessment services.
As we could see from the legal case mentioned in the article, the right of informational self-determination is not yet clearly defined, while requirements and solutions can vary in each industry or country.
One thing is certain: end-users are more concerned about their online security and privacy than ever before, which presses manufacturers to ensure encrypted and bulletproof communication with their smart metering devices. Fortunately, the good examples mentioned above, the Prüfmethodologie and the Protection Profile, offer a trustworthy and reliable verification process, which is able to increase the feeling of trust and security among the consumers of certified manufacturers.