A KPMG cyber security expert has warned that the UK’s Smart Meter Implementation Programme must address important security risks before being deployed.
With the Westminster Energy, Environment and Transport Forum discussing the Smart Meter Implementation Programme in the UK on 30 October 2014, KPMG’s Alejandro Rivas-Vásquez argues that there are still important security risks that need to be addressed before any benefits of this new technology are truly realised.
His comments also come after flaws were uncovered in smart metering devices used in the equivalent Spanish programme. Rivas-Vásquez, a principal adviser in KPMG’s Cyber Security practice, said: “Spanish researchers recently found fundamental security flaws in the design of smart metering devices deployed across the Channel.
“Arguably, these flaws should have been identified by the Spanish deployment team, long before the meters were fitted in households. In the UK, whilst CESG has issued security specifications for smart metering vendors to prevent this type of issue, a need for overseeing compliance should not be underestimated by Ofgem and DECC.
“Not long ago, we saw similar technologies being hacked for fraudulent activities here in the UK, when prepaid metering top-up keys with false credit information were cloned and sold to customers. The lessons learned from that incident demonstrate security controls are needed in and around the individual devices, and also all the way up to the suppliers.”
Rivas-Vásquez continued: “A smart meter implementation programme is a complex matter at the heart of our critical infrastructure, involving many interconnected parties, but the programme is only as secure as its weakest link. That’s why in the UK, the Smart Energy Code makes specific arrangements for independent security and privacy assurance activities to take place, within each of the parties of the programme.
“The Spanish research shows smart meters could be hacked to under-report consumption and this should act as a warning to the GB programme. If the technology could be hacked for fraud, hackers with more nefarious intent may use these flaws for other purposes.
“The pace at which research data is analysed and then corrective action is taken also needs to improve. Industry and regulators need to be swift in the consultation process, so that we move away from point-in-time security solutions. Cyber criminals and cyber terrorists are improving their capabilities very quickly,” concluded Rivas-Vásquez.