Security testing for Smart Metering Infrastructure presented at BsidesLasVegas 2014

by Robert Hawk, Steve Vandenberg,

Summary : In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its Advanced Metering Infrastructure (AMI) program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.
An AMI program requires the introduction of many new devices and applications into a utility’s infrastructure. Some of these devices and software may have never been deployed before anywhere in the world. Many are field deployed, outside of the utility’s physical and cyber security perimeters.
Security teams within utilities need to take responsibility for the end to end security of an AMI program. Traditional approaches may not be sufficient to deliver this security. A new approach including pen testing specialist and third party labs may form an important part of this security.
A standards based approach will be required to ground the security and penetration testing both in best practice and in a common set of principles that utility and its partners can accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force can form the basis for creation of the test plans. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.
For successful outcomes it is important to consider emerging new factors. These are discussed in the presentation.