Trust by Design

EY teams are acting as trusted advisors in the design of the smart metering solution and the delivery of several large procurements including communication and data services, security tools, and smart meters.

As this was critical national infrastructure, stability and security was paramount. Yet smart meters introduce two significant and very specific new cyber risks: the highly granular data about people’s energy usage that potentially opened a window into individual people’s lives; and on the meters themselves, a switch that could, if hacked, cut off the electricity supply to millions of homes.

The first task that EY teams got to work on, was cyber threat modeling that explored potential avenues of attack that could compromise both the personal data and the meter switch – from sophisticated threat actors exploiting the communications network to initiate mass commands, to lone hackers attempting to access individual meters over local wireless networks.

This exercise meant that EY teams and the client could understand the cyber risks, but not overestimate them, and design and embed the appropriate level of protection across the smart metering system.

The next step was to define the security architecture – what to protect against – which ranged from security monitoring systems to detect suspicious activity across the entire network, to the security of individual meters. One of the key activities was to specify technical controls that the smart meters would need to have embedded in them, to authorize commands and protect data.

The supplier had to demonstrate:

• Adequate encryption for the meter as well as the communications system and database
• How much data is stored on the meter before it is sent back to the utility company
• How the meter physically protects data

However, technology is only one part of the story. “The human element is very important in cybersecurity because it can be the weakest link,” says Alex Campbell, Associate Partner, Cybersecurity Services at Ernst & Young LLP. The security architecture had to be backed up with new processes, policies, vetting and staff training and awareness.

This is because, regardless of how intrinsically secure the new systems are, humans will be using them. Those users could include malicious insiders with sufficient privileges to access sensitive data, and more often accidental non-malicious insiders who are not aware of their responsibilities.

Smart meters usher in the digitalization of power distribution networks, which open up entirely new abilities and possibilities.

For the electricity company, all the aggregated data could be combined with generation data to better manage the anticipated load, by modelling how different parts of the country are using electricity and predicting where to transmit it. Smart meters also enable huge savings in human hours, as engineers will no longer need to visit a home every time troubleshooting and disconnections or reconnections of supply are needed– as many functions can be done virtually.

For consumers, smart meters provide much greater and more immediate information on their energy use, and faster, more accurate billing too. Greater insight enables greater control, so it is expected that many consumers will reduce their energy consumption – and their bills.

In the future, there will be many other parties that energy companies could share consumption data with, so they can offer different tariffs, better advice on how to use energy, or explore other opportunities and business models that are still to be created.

None of this would be possible without a high-level of cybersecurity, designed to build in the appropriate cyber risk management and mitigation from the outset, so that the organization could operate with confidence.

For this electricity company, EY teams were able to offer something truly different: an awareness of the specific unique challenges that smart meters introduce. This rollout touches every single citizen of a country in a way other systems do not, and there is a bond of trust that must not be broken.

EY consultants understand the complications of that, and particularly the implications beyond technology. By anticipating all potential cyber-attack routes, and the human risks and ramifications, EY teams helped the electricity company look at the wider risks that could impact the benefits of smart meters. The company is now in the process of implementing new people policies, security processes and technical controls to make certain that smart meters not only protect, but power a data-centric future that consumers and organizations alike can trust.

EY Cybersecurity enables trust in systems, design and data, so organizations can take more risk, make transformational change and enable innovation with confidence.