Quelle: ECOS, Gesamtes Dokument als PDF: 2015.03.12 – ECOS – Assessment of the remote ON-OFF functionality (BAT)
Our mission | ECOS (European Environmental Citizens Organisation for Standardisation)
With the implementation of the common minimum functionality ‘g’ (remote on/off switch), smart meters are no longer just meters but now an active participant of the electric grid. The Smart Meter now has potential characteristics of a power generator or a power demand (depending on the actual power flow at each point in time). As such, in ECOS’ view, the smart meter must obey the same grid code rules as any other active device on the electric grid and not risk security of supply.
As soon as the smart meter is an active device on the electric grid, or as soon as it becomes a communications hub in the smart grid infrastructure, it must meet the same cyber security standards as all other active devices of the smart grid, such as generators or substations.
From recent geopolitical events and reports regarding the state of global cyber-security, it is clear that the electric grid of the European Union is a highly critical infrastructure, which needs to be protected against highly skilled organised criminals and foreign state actors. Therefore: Cyber security decisions must be made on the basis of the principles of forward looking caution and unbiased risk assessments. This includes a systemic analysis of the security by design principle.
Therefore, as an organization representing environmental and social concerns, ECOS insists that the highest level of security by design, when it comes to technology which has the potential to disrupt the critical European infrastructure. Counter-arguments suggestion that those threats are unlikely, because – attackers would have to break the law – attackers would have to be highly skilled are not acceptable for us as a ‘solution’ to the risks posed by the ‘remote ON/OFF switch’ functionality.
Smart metering is implemented, for cost-benefit reasons, in bulk with typically one product per roll out. So systemic „features“ (bugs) are available at a large scale after the roll out. Smart metering roll-outs will be, in some countries, specifically targeted at distributed generation and at the goal of managing (cutting off) that distributed generation when needed. One example would be Germany, where already today 1.4 million PV installations, with a combined peak power of 22 GW, are connected to the low voltage grid. In the following decade(s) this number could rise beyond 50 GW.
Any national incident of 10 GW, or more, must be considered to be highly critical to the stability of the European grid.
So, for example, switching 50% of all German low voltage level PV would be enough to trigger such a cross border incident on the production side of the balance equation. With the European grid reaching a typical power consumption of ca. 300 GW, and assuming that ca. 100 GW would be under the control of smart meters with „ON-OFF“ functionality at the low voltage level, then a coordinated cyber-attack on 10% of that demand side of the system could also result in a critical incident.
In that context it must also be stressed that shutting down 10 GW of consumption or production offline via a smart meter has a far more dramatic impact than switching off 10 GW of traditional power plants via a cyber-attack. Shutting down 10 GW of large power plants would most likely reduce the power in a gradual fashion over a couple of minutes, due to the high generator inertia created by its rotating masses. Moreover, the number of affected devices would be limited in number and have trained technicians on site.
Shutting down 10 GW via smart meters in a mass coordinated way can happen in less than one second, or even as quickly as 100 milliseconds. There is no inertia involved and each disconnection relay can easily handle the disconnection of its entire load. There would be no gradual reduction in energy but instead a hard cut-of, which could trigger secondary reactions (e.g. from protection devices at higher grid levels) that are difficult to predict. Due to the distributed nature and the large number of affected devices, applying a ‘fix’ to the smart metering system (region) that was attacked in such a way would most likely represent a huge challenge. Only ‘synchronized bulk switching’ events pose a real danger. A bulk event requires synchronization of individual events. In the context of smart meters this, however, is almost trivial, as smart metering system typically support information broadcasting at the communication level and secondly, and perhaps more importantly, by design they must maintain a very precise time information (for tariff switching etc.).
Recent reports on numerous and sophisticated attacks on communication and computer systems, which have previously been considered ‘secure’, lead us to the conclusion that there remains a considerable risk that current secure communication could become unsecure during the long life time of a smart metering system (10 to 20 years).
Examples of high security computer networks which have been penetrated at central places in the recent past are plentiful, such as ‘Stuxnet’, ‘Flame’ and, ‘Shamoon’, among others.
Not including the remote ON/OFF switch is the best approach to solving the cyber security implications that arise from that functionality; however, this obviously would remove that feature from the list of the ten minimum functionalities.
If there is no disconnection relay, then it is possible to technically guarantee that the smart meter will never have a negative impact on grid stability.
Common minimum functionality ‘g’, the „remote ON/OFF switch“, is the only metering functionality which poses a substantial risk to the security of supply.
Gesamtes Dokument als PDF: 2015.03.12 – ECOS – Assessment of the remote ON-OFF functionality (BAT)
Nach dem derzeitigen Informationsstand ist Österreich das letzte Land in Europa, dass noch fix den „Breaker“ – die ON-OFF Funktionalität vorschreibt. Dies weiterhin trotz zahlreicher negativer Erfahrungen auf europäischer Ebene und insbesondere trotz der Erkenntnisse, dass Cyber-Angriffe weiter zunehmen und noch professioneller und aggressiver werden. Siehe hierzu auch Das Smart Grid im Zeitalter des Cyberwar oder Europol: Cyber-Kriminelle werden immer aggressiver.
Zusätzlich siehe Studie Beyond data breaches: global interconnections of cyber risk
The way in which the complexity of interconnected risks is assessed is painfully similar to how financial risks were assessed prior to the 2008 crash … in the end, it was this very complexity which helped bring the system down.