ENCS, the European Network for Cyber Security, and E.DSO, the European Distribution System Operators’ Association have launched cyber-security baseline requirements for smart meters (SMs) and data concentrators (DCs). As the second in a series of security guidelines for smart grid components, the two groups seek to harmonise the security of smart grid devices across Europe, towards a more resilient “grid of grids”.
The requirements provide European distribution network operators (DNOs) and distribution system operators (DSOs) with a set of considerations that can be used totally or partially when procuring and testing SMs and DCs. ENCS has worked on smart meter security since it was set up in 2012. Having started by analysing vulnerabilities in the smart metering protocols and effectiveness of certification approaches, ENCS publicly launched its first set of SM security requirements for Oesterreichs Energy, guiding Austria towards a secure smart meter roll-out.
Building on this approach for various countries, ENCS developed its requirements-based security testing method. Unlike traditional testing based on attempted tampering, the ENCS says its testing approach evaluates the actual security level of components against the requirements, and provides feedback to the manufacturers, helping them to improve the security of devices. Over four years of testing and improvement, ENCS says it has seen a considerable increase of the security level of the current generation of SMs and DCs.
Nuno Medeiros, Chair of E.DSO Cyber-Security Task Force, stated: “Utilities can use the requirements as a baseline tool for risk mitigation, supporting their risk management strategies.”
Integrating the expertise of key industry stakeholders, the new guidelines are already being applied by Austrian, Bulgarian, Czech, Dutch, Estonian, Portuguese and Swedish DSOs for procurement and security testing purposes.
Anjos Nijk, Managing Director of ENCS, stated: “With harmonisation of smart meter requirements we have moved away from the scattered approach that saw disparate security requirements spring up across Europe. As more grid operators across Europe use this same requirements set, it incentivises manufacturers to improve security. This then helps raise security standards across the industry. We aim to replicate this approach in other areas where the industry needs to structurally increase and harmonise security levels, such as in electric vehicle charging and distribution automation.”
And on the development of security measures for smart grid devices, Joachim Schneider, Chairman of the Technology Committee of E.DSO said: “Traditionally, grid operators have looked to manufacturers to implement security measures in components, but manufacturers have waited for the operators to tell them what they needed rather than invest in the wrong technology. With these requirements, ENCS and E.DSO break the impasse, and we can all move forward as a more secure industry.”
The new requirements build on ENCS and E.DSO’s recent leadership pledge on smart grid cyber security, and on their memorandum of understanding signed in 2016.
