The NERC standard for Critical Infrastructure Protection will extend to smart metering implementations that connect back to SCADA systems. Smart metering systems pose potentially grave security threats as:
- They may connect directly to SCADA networks, with no security filtering between SCADA and the newly extended networks.
- The technology vendors of AMI or advanced metering infrastructure may not include sufficient security for a specific SCADA network.
- There may not be a security policy or plan in place for a new AMI deployment
- There may not be any or sufficient security monitoring in place for a new AMI deployment.
There are several major drives for deploying smart metering across North America. Two such examples are:
- The Ontario Energy Board (OEB) establishing targets for the installation of 800,000 smart electricity meters by December 31, 2007 and installation of smart meters for all Ontario customers by December 31, 2010, (called the Smart Metering Initiative or SMI).
- FERC's interest in the reductions of the cost of electricity in the USA. The Federal Energy Regulatory Commission, FERC, identifies in a September 7, 2007 press release: "Demand
response is playing a more important role in U.S. electricity markets," Chairman Joseph T.
Kelliher said. "Last year, demand response played a key role during a summer when we set
record electricity demand levels in eight regions of the country. But we need to make more
ERE has recognized very early that smart metering will become a fact of life all of our electrical utility clients and has such has increased the scope of our NERC CIP compliance audits to include smart metering.
ERE audits smart metering with the same audit methodology for examining other extensions of a SCADA network, such as remote substations, pole equipment, transformer stations, and remote computers.
An ERE audit report of a smart meter deployment includes identifying all the security vulnerabilities and potential exploits and recommendations of how to mitigate or fix all of them. The scope of the audit always includes: security policy, training, and a score for the CIP audit.
Contact ERE for a copy of the document, which was previously posted at www.nerc.com