<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=104695316804625&amp;ev=PageView&amp;noscript=1">

Subscribe to our newsletter

5 recommendations for increased Information Security in AMR

Posted by Espen Davidsen Dec 5, 2015 1:00:00 PM

Frontpage from the LysnereportPhoto: From the frontpage of the Lysnereport
This week the Norwegian Government released a new official report on safety for digital systems and critical infrastructure. The report is delivered by “Lysneutvalget” a committee assigned by a royal decree in 2014.
We have studied the topics related to utilities, and with special focus on information security in AMR. The report highlights some of the know vulnerabilities and is suggesting actions to mitigate the risks in a digital society.
What can we learn from this report? Will this report lead to changes in some of the planned AMR projects? Is this report relevant for other countries? What can we learn from this report?
Read this blog article to learn more.

Increased digitalization

The rollout of Automatic Meter Reading systems will require a robust and stable communication infrastructure. The meters will use two-way communication to read the meter value and to configure, control and troubleshoot the meter remotely.
As a consequence, the Distribution System Operators will need more advanced IT solutions to manage the new systems and to leverage the new opportunities that is enabled by more accurate usage statistics. The increased use of new and critical IT solutions requires tight and well managed IT security in order to ensure data is not lost and systems are not being compromised.
The increased digitalization in the utilities and the number of integrations between systems introduces complexity to the systems. The increased complexity can result in higher risks for both technical and human errors.
Increased digitalization in Utilities with SmartGrid and AMRPhoto: Siemens

Known vulnerabilities

In order to access data from the meters and other control systems in the grid it needs to be some kind of connection between the control systems and systems for administrative systems such as data analysis, planning, maintenance and reporting. This report refers to a report from ENISA called Smart Grid Security from 2012.
Access to data from the grid and support systems is very useful and valuable for the DSOs and can be used to lower operation cost and improve the stability of the electrical power. At the same time this access can lead to loss due to direct or indirect system failures if the security mechanisms and processes are not applied appropriately.
With AMR the number of interconnected devices will increase dramatically, this will in the same way give a lot of valuable data but will also introduce new possible attack vectors and entry points for someone who wants to get access to critical systems.
In a worst case scenario, unauthorized access to the AMR system could be used to manipulate the power switches in certain areas or for certain houses.
The DSOs are responsible for implementing appropriate security measures in order to protect the systems, customers and information.
Cyber Security in utilities by International Energy Forum
Photo: ief.org
According to SINTEF more than 70% of the DSOs in Norway host their own servers and systems, this is likely to change. It seems to be a trend that DSOs wants to cooperate or consolidate their solutions in national data centers or by using cloud solutions. The lack of commercial large scale national cloud solutions and little experience with such solutions will most probably slow down the process of hosting operational systems in the cloud.
In order to make sure AMR data is tagged with the right time stamp, the AMR systems are often depending on GPS based services to make sure all clocks in the systems are in sync. Faults in the time sync system might lead to unusable data and can also affect the cryptography algorithms.

Assessments and action points for power distribution and AMR

The committee and the authors of the “Lysne report” recommends the following assessment and action points for the regulators, the DSOs and the AMR system suppliers:

1. Implement tougher security audits and provide more guidance related to cyber security

The regulators need to increase the competency and capacity in order to execute more and deeper audits of the cyber security in the energy sector. The regulator should not only audit and review the security but also provide advice and guidance to the operators.
As many DSOs rely on the systems and services from commercial service providers the security requirements must be passed through from the DSOs. The audits should also include the service providers that operate or deliver systems involved in the operation of the critical infrastructure.

2. Strengthen the competency and awareness about cyber security in the utilities sector

The report suggests that the regulators should motivate the operators to focus on building competence and awareness about cyber security in the market. Preferably through collaboration between operators or through re-thinking the way the DSOs are organized.
The sector should develop new ways to educate and train the operators. The established organizations and the suppliers of courses and training should provide tailored courses aimed at the relevant challenges in the utility sector.
In addition to more education and awareness exercising cyber security related situations are key to build experience and to put people, systems and procedures to the test.

3. Establish and empower Computer Emergency Response Teams (CERT) for the utilities sector

Not all cyber security incidents or outages can be avoided. Extreme weather conditions or system failures might lead to significant outages. When this happens, each operator might not have the competency or capacity to handle large and complex crisis. Therefore, the report suggests to establish a common team of experts that can support the operators in time of crisis.  Computer emergency response teams (CERT) are expert groups that handle computer security incidents and outages.
It is important to clarify the roles and responsibilities in critical situations. The CERT should also provide advice and support in planning and carrying out of exercises.

4. Evaluate the concerns related to storing sensitive infrastructure data in data centers abroad

Some data is critical for the operation of the power supplies. Parts of this is regarded as sensitive and must be handled with care. It is important that the core of the power supply can be operated even if the communication links to other countries are down.
It must be differentiated between sensitive and operation critical data. Given that the security and confidentiality can be verified it might not be a problem to store or backup sensitive data abroad. For operation critical data the access to the data is the most critical factor. Storing this type of data in several locations could reduce the risk of loss and could provide faster recovery after failure.
Meter readings are not considered critical to the operation, but could be considered as customer sensitive data.
 The report advice the regulators to categorize different types of data and to provide clear rules for storing and accessing the different categories. It is emphasized that the regulator need to take into account new technologies and new ways of handling data.

5. Perform risk and vulnerability analysis for extended scope for AMR

It is clear that the meter readings from AMR can be used to learn more about how the power grid can be operated to be more effective and more flexible. This in can be used to automatically regulate and control the grid.
The report strongly advice that the consequences of integrating control with meter readings must be studied and evaluated before connecting or automating processes between the systems.

International relevance

We believe that these recommendations are not only relevant to the Norwegian utility sector. The report is based on a number of international reports and advice from international security organizations such as the European ENISA (enisa.europa.eu) and the US Office of Electricity Delivery & Energy Reliability (energy.gov). Other sources to follow is International Energy Forum (ief.org).
Even if this blog article highlights a number of new vulnerabilities the most significant threat is still weather related. In Norway more than 50% of all power outages are related to bad weather. Even if Norway experience a lot of bad weather the power supply reliability was 99,985% in 2014.
Power outage caused by bad weatherPhoto: dailyrecord.co.uk
If you look at vulnerabillities for other critical infrastructures:
"Forget cyber-espionage, cyber-warfare and cyber-terrorism. The biggest threat to Europe’s infrastructure cybersecurity are power outages and poor communication." Source: The Register
Now it is our job in the utility sector to make sure we continue to deliver reliable power despite introducing new technologies and new processes.
For more information about AMR and smart grids please read the following related articles:

Free ebook: Planning radio networks for Smartgrid

Topics: CARMEN

Espen Davidsen's photo

By: Espen Davidsen

Espen Davidsen is a computer systems professional with more than 15 years of experience with communication systems and distributed information systems. He is currently director of Telecom and Utilities at Teleplan Globe.

Follow on LinkedIn

Follow on Twitter



Related posts

The top 5 pitfalls of AMS roll-outs


From a Distribution System Operators (DSO) perspective, building huge infrastructure projects is core business. Regardless of...

August 8, 2017
7 reasons to choose RF mesh network in AMS

For a distribution system operator (DSO) facing the roll-out of AMS (Advanced Metering System), the choice of platform for...

July 25, 2017
The best way to plan RF mesh networks

What is the best way for distribution system operators (DSOs) to implement automated meter readings (AMR aka. AMS) in their...

July 19, 2017