Assuring Smart Meters

Created:  25 Nov 2016
Updated:  25 Nov 2016
Author:  Andy B
Part of:  Assurance
Smart Meter Unit

Several years ago, as part of the Smart Meter Implementation Project, we embarked on a joint initiative with the Department of Energy & Climate Change (now Business Energy & Industrial Strategy).

Our goal was to provide a level of security for GB Smart Meter equipment - using proportionate, practical security controls - such that no single compromise could significantly impact the system.

The scale of this challenge was huge. Normally, when assuring commercial products, we’re dealing with a well-established set of security expectations, and a deployment model where customers are likely to replace devices regularly. With Smart Meters, the story is very different. These products are destined to be in every house in Great Britain for many years. How do you go about assuring something with this kind of lifespan?

Before I go on - don’t worry, this post isn’t about Smart Meters. It’s about our approach to assuring them. If you want more detail on the technology and relevant security issues, read Dr Levy's recently published article.
 

A new approach to Commercial Product Assurance (CPA)

Mid 2016 was a key turning point for those of us who cared about a smooth (but still robust) CPA evaluation process for Smart Meter products. Evaluation work was underway on the first few products with everyone involved being mindful of the very tight deadlines, and the severe penalties that our industry partners could face if they failed to meet their contractual obligations.

Then we began a strategic review of our assurance schemes. As part of this we ran several open workshops at which we met representatives from the Smart Meter test labs, and top brass from the DECC Smart Meter project.

 

Faster, faster, faster!

For me, these workshops were really interesting - not just because of their main aim, but due to the number of people who cornered me (and other CPA colleagues) to tell us exactly how they thought the CPA process might affect Smart Meter timelines. In short, it was felt we needed a more streamlined process in order to progress through the expected workload.

For Smart Meter evaluations to succeed we needed to come up with a new approach - overnight. Less emails, less paperwork, less confusion, less pedantry. Closer working, more agile, and faster, faster, faster! We accepted the challenge.

 

Thanks to the labs

It was a bit of a leap of faith for us - and the test labs. But, thankfully, the labs stuck with us. Even when we told them that instead of doing months of email exchanges, they’d need to come and spend a day or two debriefing us face to face. It was this change which made the biggest difference to our timeline.

While ensuring a consistent level of security challenge in the evaluations, we also worked with the labs to place more trust in the work they do. We had a ‘tough and timely’ ethos, meaning that we wanted to spend time discussing the new and tough technical issues, not going over the same old tests that had been done hundreds of times before.

To date we have three Smart Meter Communications Hubs that have been assured through this new improved CPA process. These are from Toshiba, EDMI, and WNC. And we’re currently working with our partners on a number of Gas and Electricity Smart Energy Meter evaluations.

 

Roll out the best bits

The new process worked well. So well in fact, that the best bits of this pilot are being rolled out to other CPA evaluations (and beyond), setting a new standard in how the NCSC works with assurance partners.

It cut an estimated four months off each evaluation, bringing it down from an original six months to just two. It also helped us, and the labs, focus on ensuring the products themselves have an acceptable level of security, by design.

This is all feeding into new initiatives and the wider strategic scheme review. But, importantly, it was external input that started us on this journey so we are keen to maintain the conversation with our partners. Things aren’t perfect yet, but this process seems to be moving us in the right direction.

 

Andy B

Technical Lead for Commercial Assurance

4 comments

Russell Page MInstRE - 12 Jan 2017
From an IT Security perspective, how are these devices made secure? We have all heard about "The Internet of Things", will these be the next device to join them? If they are hacked on a large scale, can 1,000s of people have the Gas or Electricity turned off? In a similar way to Finland "Hackers leave Finnish residents cold after DDoS attack knocks out heating systems". I know the CPNI will already have a plan to combat any attack on our Infra, but we seem to be opening the door to a 'Service' without putting the chain on first.
Andy B - 16 Jan 2017
Good morning Russell.

Many thanks for your comment, and your interest in our work on UK Smart Energy Meters.

Have you read the article written by Dr Levy in April? It goes into detail on the design considerations of the UK Smart Energy Meter products and what we have done through our partnership with BEIS and industry, and should provide some of the answers that you are seeking.

https://www.ncsc.gov.uk/articles/smart-security-behind-gb-smart-metering-system
Russell Page MInstRE - 17 Jan 2017
Hi Andy,
Thank you. The article gave an excellent explanation of the processes, protocols & failsafes. I was interested to see the requirement for the gas meter to be battery powered, but as we all know cryptography can be intensive on the math and subsequent processor load.
Although rare, some locations could be gas only, then as a solution a photovoltaic panel could provide the backup / battery top-up required to maintain functionality. This could be incorporated into the external 'Gas Meter Box' if required.
NCSC Communications Team - 02 Aug 2018
This blog is now closed to comments.
