Cybersecurity Risks in Power Metering
As cybersecurity for energy management concerns rise worldwide, the potential risk for utilities and commercial/industrial energy metering increases significantly. The need for robust cybersecurity measures to protect energy management systems of all sizes cannot be ignored. One access point to energy management data is through metering communication. To address this risk, among others, the North American Electric Reliability Corporation (NERC) designed the Critical Infrastructure Protection (CIP) standards. The standards are aimed at regulating, enforcing, monitoring, and managing the security of the bulk electric system (BES) in North America. These standards apply specifically to the cybersecurity aspects of BES.
EIG’s Line of Cyber Secure Meters
Electro Industries/GaugeTech (EIG) has a proven track record of producing meters with AES encryption-based advanced cybersecurity. AES encryption is one of the NIST approved algorithms for cybersecurity, specified in FIPS 197. One example of this is the Nexus® 1500+ Power Quality meter. The Nexus® 1500+ meter has EIG’s latest Resilient Cyber Security™, which complies fully with utility security requirements. The Nexus® 1500+ meter’s cybersecurity includes:
- AES 128-bit encrypted communication – It is estimated that it would take a supercomputer billions of years to crack a 128-bit encryption key [1]. The Nexus® 1500+ meter protects passwords, usernames, roles, and rights using AES 128-bit encryption.
- Role-based authorization – The Nexus® 1500+ meter offers multiple roles to restrict access to meter data and configuration. It has an admin level with full rights and up to ten configurable user levels.
  - Only the admin level can create user profiles and permissions, usernames, or passwords.
  - Only the admin level can enable or disable security for the meter.
  - The admin can program expiration dates for passwords to further secure data by periodically setting up new passwords.
- Password fail timeouts – To prevent brute force hacking, in which a system is inundated with multiple password entries in an attempt to identify the correct password, the meter has password fail timeouts. The timeouts will block password entry for a designated period (from one minute to 24 hours) after three consecutive incorrect passwords are entered. This breaks the chain of password hacking.
  - The admin level can view any authorized users that are in lockout due to failed password attempts.
- 512-bit digitally signed firmware – A digital signature is an encrypted value, or “key,” attached to a file. Before the firmware can be uploaded to the meter, the file's key is decrypted by the public key in the Nexus® 1500+ meter. This ensures that the firmware file is authentic and valid, so that the meter cannot be hacked or infected with malware files.
- Security lock – For applications with the most stringent security needs, the admin level user can implement a security lock. This will prevent the security from being disabled, even by the admin. The security lock is implemented in the meter’s firmware and enabled via the meter’s display.
- Sealing switch – The Nexus® 1500+ meter’s sealing switch acts as a physical barrier, requiring a meter button to be pressed in addition to software password entry. This is an added level of security, since the button is located under an area that can be secured with a physical seal and which would indicate tampering if removed.
- Physical seals – The meter’s seals prevent unauthorized access and indicate if tampering has been attempted.
- Anti-tampering System Events log – The System Events log records any actions in the meter, such as password entry, meter resets, log downloads, etc.
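The password fail timeout described above, as an added example written for this page (not EIG firmware and not the Nexus® 1500+ implementation): a per-user lockout tracker that blocks entry after three consecutive failures for a period clamped to the meter's one-minute-to-24-hour range, plus the admin view of users currently in lockout. The class and method names are assumptions.

```python
import time
from dataclasses import dataclass

# Policy values taken from the feature description above: three consecutive
# failures trigger a lockout of between one minute and 24 hours.
MAX_FAILURES = 3
MIN_TIMEOUT_S = 60
MAX_TIMEOUT_S = 24 * 60 * 60


@dataclass
class _UserState:
    failures: int = 0        # consecutive wrong passwords since last success/lockout
    locked_until: float = 0  # monotonic timestamp; 0 means not locked


class PasswordFailTimeout:
    """Per-user lockout tracker (hypothetical implementation, not EIG's)."""

    def __init__(self, timeout_s):
        # Clamp the configured period to the range the meter allows.
        self.timeout_s = max(MIN_TIMEOUT_S, min(MAX_TIMEOUT_S, timeout_s))
        self.users = {}

    def is_locked(self, user, now=None):
        now = time.monotonic() if now is None else now
        return self.users.get(user, _UserState()).locked_until > now

    def record_attempt(self, user, password_ok, now=None):
        """Return True if the login is accepted, False if rejected or locked."""
        now = time.monotonic() if now is None else now
        st = self.users.setdefault(user, _UserState())
        if st.locked_until > now:
            # Entry stays blocked for the whole period, even with the right password.
            return False
        if password_ok:
            st.failures = 0
            return True
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + self.timeout_s
            st.failures = 0
        return False

    def locked_users(self, now=None):
        """Admin view: users currently in lockout due to failed attempts."""
        now = time.monotonic() if now is None else now
        return sorted(u for u, st in self.users.items() if st.locked_until > now)
```

The explicit `now` argument exists so the timing behaviour can be exercised deterministically; in service the monotonic clock is used.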
In addition to the Nexus® 1500+ meter and the CommunicatorPQA® software, EIG offers the following meters and applications with advanced cybersecurity:
- Nexus® 1450 cyber secure power quality meter with multiport communication.
- Shark® 250 cyber secure power and energy meter.
- Shark® 270 socket and switchboard form revenue meter with cybersecurity.
[1] Brett Daniel, "What Is AES Encryption? [The Definitive Q&A Guide]," March 31, 2021, https://www.trentonsystems.com/blog/aesencryption-your-faqs-answered