This document contains security requirements for smart meters. They are intended as a common baseline that is in line with the stricter requirements or more detailed specifications used in different European countries.
Grid operators throughout Europe are deploying smart meters to enable the smart grid, in which security is a major success factor. Security is needed to protect the private data of citizens and to protect against cyber-attacks aimed at disrupting the electricity grid, for instance by sending mass switch-off commands.
Secure devices are now available on the market and smart meter communication standards all have various security features. Several manufacturers have implemented these features and are offering secure and well-tested devices.
Yet, procuring secure devices remains a challenge for grid operators. Cost is a major concern when deploying hundreds of thousands or even millions of smart meters. Even a price increase of a few euros due to new security features can turn the business case negative.
Moreover, public tendering rules require security requirements to be defined up front. Mistakes in them can be costly: incomplete, unclear or too strict requirements may lead to insecure or expensive meters, which can delay the rollout.
This document aims to help grid operators to set procurement requirements. It includes requirements that ENCS has developed for members throughout Europe. The security requirements for smart meters have been used in many different tenders. They are set up to allow independent testing, and more than thirty smart meters have already been successfully tested against them. By using these requirements in their tender process, grid operators can start from a mature requirements set.
Harmonizing requirements between grid operators can moreover lead to major cost savings for all. Vendors get a common baseline to aim at. They only need to implement the security requirements once to qualify for all grid operators that use them.
The security requirements for smart meters are formulated in a technology-independent manner. They describe the security measures that need to be taken functionally, and do not make assumptions on communication protocols or technologies. The requirements cover both technical security measures, and process measures that Vendors should take to ensure secure development, production, and delivery of the devices.
ENCS members can review the newest version of the requirements documents here (SM-301-2022 coming soon).