In another consultation, the UK's Department for Energy and Climate Change (DECC) is asking for views on the draft licence conditions relating to security risk assessments and audits for the UK's smart meter implementation programme.
The licence conditions will run through to when the planned Data and Communications Company (DCC) becomes responsible for the provision of services. 55 million smart meters will be rolled out to consumers from 2014 through to 2019. The consultation is important in that it sets the precedent for the security of "end-to-end smart metering systems" in the UK. This includes equipment located at consumers' premises, the communications network between the consumers' premises and the energy suppliers, and the energy suppliers' head end system — and all business procedures associated with the installation, operation and support of the system. The scope is all-encompassing. Additionally, the government wants to ensure security is embedded into the design of the systems and that they continue to be fit for purpose as risks, technologies and requirements evolve.
The consultation document includes the draft energy supplier licence conditions (in Annex A), and the consultation asks three questions:
- "Do you consider that the draft licence conditions deliver the policy intention outlined in this document? Please provide comments on where the drafting could be amended or clarified.
- Do you have any comments on the proposed approach that suppliers should carry out a number of good practice security disciplines and procedures as is set out in this document?
- Do you have any further comments with regard to the issues raised in this document? We also welcome general comments around the approach to small suppliers, the processes expected of suppliers in general, and any related costs."
The draft conditions include requirements for carrying out a comprehensive risk assessment and for securing the system to an "appropriate standard", which is a "high level of security that is in accordance with industry good practice" and "capable of being verified" independently. Licensees would have to "take all reasonable steps to ensure that it is able to comply" with ISO 27001:2005 and "any equivalent standard of the ISO that updates, replaces or supersedes that standard". I am slightly concerned about the term "good practice" and would prefer "appropriate measures based on the risk assessment". Additionally, it is not clear which entities the risks will be assessed for — apart from the energy companies, I would like that to include consumers and society at large, since security incidents may have wider impacts than on the ability of energy suppliers to conduct their business.
Surprisingly, there is no mention of work from other countries such as NIST Interagency Report (IR) 7628 Guidelines for Smart Grid Cyber Security, published in 2010.
The term "supplier end-to-end system" is defined in paragraph Z.5 of the appendix such that "equipment" includes "any associated software and ancillary devices". Paragraph Z.6 then goes on to provide a definition of "secure". The Supplier End-to-End System is secure if "both the System and each individual element of it is designed and operated to ensure, to the Appropriate Standard, that it is not subject to interference or misuse that (whether directly or indirectly):
- causes any loss, theft or corruption of data;
- results in any other unauthorised access to data; or
- gives rise to any loss or interruption of [electricity/gas] supply or to any other interference with the service provided to a Customer at any premises."
So the definition clearly covers protection of data and availability of service to customers. But these types of system misuse have not been mentioned:
- Use of the communications network for unauthorised purposes
- Collection or processing of unauthorised data by the software
- Use of the application to undertake unauthorised activity
- The presence of unapproved or malicious code within the authorised software
- Installation of unapproved software on any device
- Use of any part of the system to attack other systems
Surely a system would not be "secure" if any of the above occurred? Remember this includes software on the smart meters and all the business processes for support and operation. And finally, perhaps there ought to be some statement in the definition of "secure" about hardening and patching, although these might be derived from the policy. The same goes for monitoring of suspicious and malicious use.
Responses to the consultation have to be sent to firstname.lastname@example.org by 27 July 2012.