"Transitioning from our current energy infrastructure to a smart grid will be essential to meeting future challenges. One key component of the smart grid is advanced metering infrastructure (AMI). AMI allows for the grid to be run more effectively and efficiently by making granular near real-time data about customers’ energy usage available. Coupled with the input and innovation of third-party companies and researchers, the potential benefits of this technology are immense. But given the granularity of AMI data, some academics and consumer advocates are concerned that the technology could place customer privacy at risk. It is therefore essential that regulators appropriately tailor privacy protections to strike the proper balance between the innovative potential of AMI data and consumers’ privacy concerns. When possible, regulators should opt for regimes allowing for the protected sharing of granular AMI data with third parties."
"The electric grid is the target of numerous and daily cyber-attacks. More than a dozen utilities reported ‘daily,’ ‘constant,’ or ‘frequent’ attempted cyber-attacks ranging from phishing to malware infection to unfriendly probes. One utility reported that it was the target of approximately 10,000 attempted cyber-attacks each month. More than one public power provider reported being under a ‘constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.’"
From ‘Recommendations on Countermeasures’ in the summary report:
"Self-assessment methodology for Smart Grid cyber security: Cyber security is – for a few electrical grid domains – a completely new and often not sufficiently covered topic in the EU. Other electrical grid domains have paid attention and are more developed. A well-defined self-assessment guide for the ICT security experts in SCADA and Smart Grid enables each Smart Grid stakeholder to identify potential risk and to assess vulnerabilities. The results can be used as a health check to define countermeasures and to reapprove security specifications. Also, in the long term it would be desirable that the stakeholders agree on minimum standards. Promote application and adaptation to Smart Grid of well-established ICT security good practices: Information security and ICT security is a well-elaborated field in research and in practical solutions. This is especially true for corporate information systems. For Industrial Automation and Control Systems (IACS) there are the real-time and 24/7 operation requirements, which need extra measures. Until recently IACS were not internetworked with the Internet and interconnected widely. For maintenance, efficiency, and monitoring purposes, IACS are connected to the corporate networks which often have several interconnections – either openly declared or hidden – to public networks."
"I will […] conduct a review to see whether it is more cost-efficient, in the event of an objection, to install only smart meters that have been administratively switched off, and to include heat meters in this as well. I will add the results to the report that I will send to your Houses at the end of this year. With regard to freedom of choice, this would mean a restriction of the options available to the consumer. On the other hand, privacy aspects appear to be addressed by the option of administratively switching off the meter. In its advice on the bill that safeguarded freedom of choice regarding smart meters, the Raad van State (Council of State) also pointed out that, from a privacy perspective, the option of administratively switching off offers sufficient safeguards. This suggestion was not adopted at the time because, at the express request of the Eerste Kamer (Senate), extensive freedom of choice was enshrined in legislation so that the consumer would be in control in all cases."
"This paper is not meant to apply to a particular jurisdiction, nor is it meant to be prescriptive. In this paper the [Information and Privacy Commissioner of Ontario] and the Future of Privacy Forum (FPF) explore at a high level the issue of third party access to [customer energy usage data (CEUD)], the benefits of such access, as well as the potential privacy risks. [Privacy by design] will be described and examples of proactive approaches to privacy already underway, in the context of third party access to CEUD, will be detailed."
"The European Network and Information Security Agency (ENISA) has decided to further investigate the challenges of ensuring an adequate smart grid protection in Europe, in order to help smart grid providers to improve the security and the resilience of their infrastructures and services. Defining a common approach to addressing smart grid cyber security measures will help achieve this. This technical document provides guidance to smart grid stakeholders by providing a set of minimum security measures which might help in improving the minimum level of their cyber security services."
"Guide for Assessing the High-Level Security Requirements in NISTIR 7628 provides a set of guidelines for building effective security assessment plans and a baseline set of procedures for assessing the effectiveness of security requirements employed in Smart Grid information systems."
"We often hear reports of cyber attacks in the news, but how serious are the threats to our country’s essential utility infrastructure, such as electricity, gas, water and telecommunications? Many State utility regulators have begun asking how to best protect the services, information and data that are valuable to customers, companies, as well as the country. […] This primer addresses cybersecurity – particularly for the electric grid – for State utility regulators, though we hope that it will be useful for a wide audience of policymakers in this field."
"This document describes the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The goal of this model is to support ongoing development and measurement of cybersecurity capabilities within the electricity subsector […]"
"The electricity subsector cybersecurity Risk Management Process (RMP) guideline has been developed by a team of government and industry representatives to provide a consistent and repeatable approach to managing cybersecurity risk across the electricity subsector. It is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors."
"Research on smart meters has shown that fine-grained energy usage data poses privacy risks since it allows inferences about activities inside homes. While smart meter deployments are very limited, more than 40 million meters in the United States have been equipped with Automatic Meter Reading (AMR) technology over the past decades. AMR utilizes wireless communication for remotely collecting usage data from electricity, gas, and water meters. Yet to the best of our knowledge, AMR has so far received no attention from the security research community. In this paper, we conduct a security and privacy analysis of this technology. Based on our reverse engineering and experimentation, we find that the technology lacks basic security measures to ensure privacy, integrity, and authenticity of the data. Moreover, the AMR meters we examined continuously broadcast their energy usage data over insecure wireless links every 30s, even though these broadcasts can only be received when a truck from the utility company passes by. We show how this design allows any individual to monitor energy usage from hundreds of homes in a neighborhood with modest technical effort and how this data allows identifying unoccupied residences or people’s routines. To cope with the issues, we recommend security remedies, including a solution based on defensive jamming that may be easier to deploy than upgrading the meters themselves."
"The problem is that the very thing that makes the grid smart—the ability of myriad embedded systems to communicate with each other, often using a combination of legacy and proprietary equipment alongside more modern solutions—has created a duality where communications over serial, wired and wireless Ethernet, cellular, and dial-up modems are used with a combination of common TCP/IP and proprietary protocols. This has expanded the attack surface, making it vulnerable to cyberthreats. Open systems invite hacking. More malware was detected on computer networks in 2011 than in all previous years combined, with critical infrastructure being a prime target."
"This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study. Furthermore, important information coming from in-depth desktop research is also taken into consideration. All this data has been analysed and has provided almost 100 Key Findings."
"In April 2012, the Government explained that it was minded to place a specific obligation on suppliers in relation to the security of their end-to-end smart metering systems, through a new licence condition. […] This condition would require suppliers to be responsible for the end-to-end security of their smart metering systems. In fulfilling this obligation, the Government stated that suppliers might also be required to conduct a risk assessment of their end-to-end systems and to have an annual security risk audit conducted by suitably qualified, independent, external specialists."
"The Europe-wide rollout of ‘smart metering systems’ enables massive collection of personal information from European households, thus far unprecedented in the energy sector. The potential intrusiveness of collection is increased by the fact that data are collected, which may infer information about domestic activities: data may track what members of a household do within the privacy of their own homes. […] unless adequate safeguards are established to ensure that only authorized third parties may access and process data for clearly specified purposes and in compliance with applicable data protection law, deployment of smart metering may lead to tracking the everyday lives of people in their own homes and building detailed profiles of all individuals based on their domestic activities. With the sheer amount of information that is being amassed by these smart meters, ubiquitous availability of data from other sources, and advances in data mining technology, the potential for extensive data mining is very significant. Patterns can be tracked at the level of individual households but also for many households, taken together, aggregated, and sorted by area, demographics, and so on. Profiles can thus be developed, and then applied back to individual households and individual members of those households."