The power grid, one of the most crucial pieces of critical infrastructure, is on top of the list of interest to various APTs (Advanced Persistent Threat – stealthy threat actor, typically nation or state-sponsored) and other threat actors. Hence the security testing of such solutions as Advanced Metering Infrastructure (AMI) and Smart Meters as well as their security solutions must be of the highest standards.

In this series of articles, SEQRED presents the topic of Smart Meter security in the wider context of the Smart Grid and the AMI architecture.

Last week, we covered a controlled attack on a Smart Meter and a summary of some other quite common vulnerabilities in AMI / smart metering solutions. In the last entry to this topic today, we will share cybersecurity best practice for AMI infrastructure.

Part 4 – Cybersecurity best practice for AMI infrastructure

To minimize the risk of potential cyber-attack and compromise one should apply the following AMI cybersecurity best practices: 

For overall AMI solution:

• Design for and implement a comprehensive and fit-for-purpose security management system, including passwords, keys, and configuration management
• Introduce security architecture design from the start of the project development – security should be considered as soon as the functionality of the AMI / Smart metering solution is conceived
• Ensure smart meters configuration and Key management practice are implemented according to DLMS standards and ensure key uniqueness and protection of their storage in devices’ non-volatile memory.

For communication infrastructure:

• Use dedicated APN for cellular communication
• Don’t leave devices visible/ discoverable on the network
• Apply correct internal network segmentation
• Obvious but always relevant: do not use the same passwords for many devices, and do not use default ones

For Smart Meters:

• Be aware that the measurement certification and DLMS compliance certification are not related to security – they only assert the accuracy of the measurements and the correctness of the implemented protocol – the fact that the device can communicate according to standard, hence independent cybersecurity verifications i.e., audits and tests are required
• Request the AMI / Smart meters vendors and integrators to present proof of the security of solutions, along with reports on suitable types and scope of tests that have been carried out, and whether there is any changelog (with a list of changes introduced in the firmware)

For mobile and web applications:

• Security of the product must be considered from the beginning of the development
• A final security audit must be always carried out

The approach to verifying cybersecurity of Advanced Metering Infrastructure as well as best practices presented above are also applicable (after tailoring) to ensuring the cybersecurity of other types of ICS/ OT solutions operating in critical infrastructure. Hope that you’ll find our insights presented above inspiring and useful in your efforts of building resilient and safe infrastructure!

Next week, we will present cybersecurity best practices for AMI infrastructure.

Related posts

Add a comment