Times have changed.
When I was young, I don’t remember locking the house when we went out. At many utilities, the same was true for our early computer systems. Today, digital security is a topic that we should all be paying attention to—in both our personal life and at work.
As computer systems become a more significant part of our lives, security should too. We lock our houses and car doors when we leave them; similarly, we need to secure our digital systems as well. In the case of utilities, who are managing vital infrastructure, it’s even more crucial. For example, the data and control provided by Advanced Metering Infrastructure (AMI) systems offer tremendous operational value to gas, water, and electric utilities. As you can imagine, it could also be seen as a prime target for hackers.
Keeping AMI systems secure is critical.
Being secure is a team sport. Everyone needs to pitch in to maintain the security of our computer systems. This includes office and field personnel across the utility—not just the IT department. There are often steps and processes for increasing our security vigilance that aren’t too difficult. One is simply changing passwords periodically. It’s worth the trouble to do our part to maintain the security of our systems.
At home, we load anti-virus software onto our computers. There are many offerings out there. Today, I did a quick internet search for “anti-virus software” and was overwhelmed with over 942 million results. Of these, many were available to purchase. There is a reason for the many choices. It just makes sense to protect our computers from hacking and viruses.
At work, I deal with AMI systems every day. These systems – both large and small, should be secured too. As your utility looks at upgrading its existing AMR drive-by or walk-by, PLC, or ERT system to a more robust two-way AMI network, I encourage you to select a system that has strong security capabilities as a standard function. This choice is important for all types of utilities.
It just makes sense.
But, what are we securing? Digital security is about protecting our digital systems and data from hackers.
What does a secure AMI system help you protect?
- Privacy of customer data
- Meter data
- Access to AMI system
- Command and control of field equipment
- Access to other utility systems
What are the most important security factors found in an AMI system?
We’ve developed a very basic AMI security checklist to get you started:
- Good security reputation
- Strong in-house security expertise
- Security is a standard function of all product development
- Security support for endpoint tamper features and alarms
- AMI head end system support for Role Based Access Control (RBAC)
- AMI head end system support for security auditing and logging
- Strong encryption – look for AES-256 encryption support – for communication from endpoints in the field to the head end software
- The ability for the AMI system to perform encryption key rotations (updating the endpoint passwords) over-the-air from the AMI head end system
- For combination utilities, a common security approach for all product lines — water, gas, and electric
- Secure two-way control to field endpoints
- AMI system security certifications from a reputable third-party security company (ex. GE Digital)
- For Software-as-a-Service (SaaS) systems – SAS70/SSASE16 certification and Tier IV data centers
- Multiple communication paths to provide redundant support to endpoints in the field
Final thoughts when performing AMI security due diligence:
- Ask to see the AMI vendor’s security roadmap. You’ll want to partner with a vendor that is continually improving their system’s security implementation.
- Ask if the AMI vendor has a user group where like-minded utility security experts discuss security topics together. This is a great place for users to influence and support future product security updates.
As you know, security is an ongoing journey of continuous improvements built on a culture of pervasive security. Going forward, security is a way of life for all of us.
At home. At work. It just makes sense.
For more information, read Balu Ambady’s paper on “Six Steps for Implementing a Secure AMI Infrastructure”.