In an increasingly connected world, smart meters are revolutionizing energy management but also face growing cybersecurity threats.
In this interview, Jose Sanchez, Senior Director PM, IoT Connectivity & Services at Telit Cinterion, discusses the evolving risks and how the industry is adapting with advanced security measures and IoT solutions to protect critical infrastructure.
IoT Business News: Like so many connected devices today, smart meters offer an array of benefits but also pose serious cybersecurity risks. What are some of those risks?
Jose Sanchez (Telit Cinterion): Smart meters are essential to the smart grid, allowing utilities and smart grid managers to improve service and efficiency. However, smart grids (smart meters specifically) are universally recognized as critical infrastructure, and thus prime targets for malicious actors. Cyberattacks, in general, are growing worldwide, with attacks against critical infrastructure growing the fastest. Since 2018, the International Energy Agency (IEA) has warned of rapid growth in cyberattacks in the energy sector, with critical infrastructure, including gas, water and especially power utilities, being favorite targets for malicious cyber activity.
Sources of cyber-attacks are diverse and evolving, and the impact of these attacks against critical infrastructure can be particularly damaging due to the ripple effect on society, ranging from the theft of personal user data to bringing down utilities’ critical distribution/utilization system components or even causing physical damage to people and properties. Various cyber incidents have been made public in the past few years, such as the Colonial Oil Pipeline attack, the Israeli water system attack and the Triton malware attack, each causing millions in damages. North American Electric Reliability Corporation estimates that the grid’s virtual and physical “weak spots” (points in software or hardware susceptible to cyber criminals) grew from 21-22k in 2022 to 23-24k in 2024.
The attack vectors of smart meters are varied but typically involve physical or remote access to the device through a remote or local interface. Vulnerabilities can be present in the firmware, network interfaces, Application Programming Interfaces (APIs), utility applications or the hardware architecture itself. The communication link between the meter and the Head-End System (HES) is another potential weak spot. For example, an attacker might use a network interface to remotely access metrology data stored in the smart meter, modify the metrology data on its path to the HES, or even control devices in the network. These attacks can affect meter-related functions such as metrology data, tariff management, remote enablement or disablement of supply and home appliances, etc.
How can smart meter manufacturers best address these security risks?
As attacks evolve and refine, all actors involved in the smart grid ecosystem must implement processes to ensure continuous monitoring of security threats and the safety of smart metering operations. An ideal security strategy combines technology, processes and people to minimize evolving security risks throughout the lifetime of a product or service. While there is no such thing as 100% security, following “security-by-design” principles and the CIA model (a well-designed system that protects the confidentiality and integrity of data and ensures system availability) will help reduce cyber-security risks.
Smart meter manufacturers are responsible for securing their products and complying with evolving regulations. Performing a security assessment or audit is usually the first step toward designing a secure end-to-end metering system. Likewise, smart meter manufacturers must analyze supply chain processes to determine if devices are secure and do not expose data. Manufacturers must also identify who manages connectivity configuration – specifically, who can activate or deactivate a device’s SIM card.
What role do IoT module suppliers like Telit Cinterion play in ensuring smart meter security?
As a trusted partner for many organizations over the last 23 years, Telit Cinterion continues to make smart meters smarter, successfully connecting millions of meters worldwide and enabling the evolution from automatic meter reading (AMR) to advanced metering infrastructure (AMI). We are more than an IoT module supplier but an end-to-end IoT system enabler, providing components and services embedded into smart meter systems that contribute to overall system security, promoting a safer smart grid.
There are four key areas Telit Cinterion contributes to smart meter security:
Communication protection: secure cellular modules, pen-tested, with an extensive security feature set (secure boot, firmware protection, secure interfaces / AT commands, etc.)
Application protection: secure identity and data protection. Trusted, diversified and immutable identities that help secure the communications link between the smart meter and device management/meter data management systems.
Network protection: a global geo-redundant cellular core network with advanced security features for reliable communications (VPN, APN, network QoS monitoring and alerting, etc.)
Lifecycle protection: secure device management. Meter vendors can use it to monitor the cellular link’s quality and keep the cellular modem firmware up to date with the latest security patches (FOTA). eSIM or embedded SIM is also critical to secure device management as it enables remote SIM provisioning, which helps keep the device’s security and firmware up to date.
As cyber threats grow more advanced, the metering industry is working to keep pace by continuing to establish new security standards. How can manufacturers and IoT suppliers ensure that they stay current with these evolving regulations?
Because smart metering falls within critical infrastructure, regulators look at smart meter manufacturers and vendors with critical eyes. As such, the industry must acknowledge that cybersecurity is a continuous activity that doesn’t stop after a smart meter gets deployed. To the contrary, one must remain vigilant, implementing processes that ensure its system security keeps up with the ever-growing sophistication of malicious cyber actors. Luckily, the ecosystem, at least in the EU, is evolving towards a harmonized set of standards that should help bring clarity to the different actors involved about the required compliance.
Some of the industry standards smart meter vendors should be familiar with include the Common Criteria standard ISO15408 adopted by the EU in the EUCC scheme, as well as the IEC 62443, which in Europe is essential to comply with the NIS directive. Although specific to the EU, these standards will be relevant for smart meter vendors and utilities worldwide. The smart meter industry should also prepare for the upcoming Cyber Resilience Act in the EU, which will address IoT devices and systems. Likewise, ESMIG, the European Association of Smart Energy Solution Providers, plays a key role in representing the meter industry as it addresses regulatory barriers to accelerate practical and realizable green energy transition.
Navigating these different standards and evolving regulations can be challenging, underscoring the need for a partner, like Telit Cinterion, on top of these changes and adjusting their security policy and practices accordingly.
Looking ahead, how will AI affect IoT and edge device security?
It’s hard to predict how AI will affect IoT and edge device security. However, it is clear that AI will provide both malicious cyber actors and utilities/smart meter vendors with more powerful technology for ill or good purposes. Attacks will become more sophisticated, but so too will countermeasures and defenses. If done right, edge and cloud AI technologies have the potential to detect patterns that could indicate a cybersecurity breach more efficiently than ever before.
Considering the complexities around metering regulations and the evolving landscape of cyber threats, how can smart meter vendors engage with an IoT partner?
As mentioned earlier, it does not make sense to start implementing security measures before assessing the situation via a security audit. Such an assessment is a mandatory step for every smart meter vendor who takes smart meter security seriously. After establishing what issues are present and where security is lacking, can smart meter vendors reach out to an IoT partner to see which services and products would be most suitable. Ideally, smart meter vendors should look for trusted partners, like Telit Cinterion, that design their cellular modules and connectivity services to be secure by design.
About: Jose Sanchez is the Senior Director of Product Management for IoT Connectivity & Services at Telit Cinterion, where he leads global initiatives in IoT connectivity, security, and device management. With over a decade of experience at Thales in IoT and security, he also co-founded a tech startup and holds a master’s degree in telecommunications engineering, along with completing an executive program at ESMT Berlin.