The UK government has been rolling out smart meters to all homes and small businesses over the last decade. When the programme completes in 2025, over 50 million smart and advanced meters will be installed in 30 million premises at an estimated cost of £18 billion. Data privacy and security requirements underpin the programme with a modern, sophisticated public-key infrastructure architecture protecting smart meters and users. However, with more than 55% of the national portfolio being smart, how can we assure this new generation of technology is cyber secure?
Smart meters are a crucial element of the UK’s net zero policy goals by empowering consumers to control their own energy use, save money and reduce emissions. Consumers benefit from near real-time energy consumption information which will eradicate estimated bills and enable quicker and more efficient switching of energy supplier.
The UK’s smart meters are connected to a national data communications network managed by the Smart Data Communications Company (DCC). The infrastructure is complex with multiple communications technologies deployed in the national Wide Area Network and the consumer’s in-premise Home Area Network. With smart meters providing information to more and more third party connected products and services, the risk of new problems and vulnerabilities increases as more access routes are opened to potential cyber-attacks.
CyTAL, the innovative cyber security company, has decades of experience in smart metering technology and the security of it. As a respected industry consultant, it has been actively involved in both the design and delivery of the UK Commercial Product Assurance (CPA) scheme, established to help companies demonstrate the security functions of their products.
The CPA scheme provides independent verification for companies developing and supplying smart metering products to ensure they meet the UK National Cyber Security Centre’s (NCSC) standards. As one of only three NCSC accredited test labs, CyTAL has helped numerous vendors certify their products for deployment into the market and leads the way in development of innovative tools to help vendors assure new and existing products maintain compliance with the security standards.
Fuzz testing is a fundamental requirement of the CPA requirements and is increasingly recognised by many sectors to improve the security robustness of IT and operational technology (OT) products. Fuzz testing feeds invalid, malformed and random data into a target system with the aim of causing faults, crashes, unexpected responses or forcing unstable states, revealing serious coding defects and security loopholes that are frequently missed by traditional testing techniques.
CyTAL has developed an extensive fuzzing capability for smart meters, using its market leading automated fuzz testing solution, ProtoCrawler. ProtoCrawler uses advanced fuzzing techniques to discover and identify unknown vulnerabilities in developing and deployed products, continually assessing and validating their cybersecurity compliance over its lifetime.
Fuzz testing is an inherently complex and computationally intensive process, making it impossibly difficult and prohibitively costly to execute manually. Ready-to-fuzz straight out of the box, ProtoCrawler produces real results immediately, significantly and visibly improving product security with minimal knowledge or training.
ProtoCrawler is capable of fuzzing a wide range of metering-related communication systems, including DLMS/COSEM, and is continually expanding its smart grid fuzzing support.
If you’d like to find out more about improving the security and resilience of your smart metering product, register below for our upcoming webinar series or get in touch.