– Electricity meters are currently being widely replaced by remote reading (VOC) devices in Poland. By 2028, approximately 16 million meters equipped with a communications unit will be installed in the electricity network – we read In a new expert opinion prepared by experts from ComCERT and Apator. The authors state that of the approximately 4 million smart meters installed so far in Poland, more than half come from outside the European Economic Area (EEA), from entities that have not been verified in terms of digital security of the entire value chain. An extreme case is tenders, where at the bidding stage, even meter samples for testing are not required.
Today, there are no regulations or specifications in Poland that would oblige network operators to evaluate the credibility of the supplier and the technology it offers with regard to cybersecurity. However, you should be aware that remote or planned disruption of smart meter operation may cause significant power outages in distribution networks, negatively impacting large groups of consumers and organizations.
– The coming months will be crucial for the future and security of smart grids in Poland. The lack of regulation in the field of cybersecurity for VOC measuring devices used in the energy sector poses a serious threat to the stability and security of the entire system – according to ComCERT and Apator experts.
The first of these companies is part of the Asseco group and has been providing cybersecurity services for more than twelve years. Apator, in turn, is a large Polish manufacturer of metering devices and systems, including smart electricity meters. The company is listed on the Warsaw Stock Exchange, and half of its sales are exported.
Maciej Wičesanyi, president of Abatur, has a similar opinion. – In the current geopolitical and economic situation, the issue of digital security of power networks is the basis for the security of the entire country. In conditions where there are no specific standards related to the digital security of smart meters in Poland, the influx of unverified technology regarding digital security poses a major threat – our interlocutor says and emphasizes that we are dealing here with the critical infrastructure of the state, of which smart meters are an integral part. Indivisible from it.
– The market is currently filled with Chinese suppliers whose products operate in Polish power grids. He stresses that the mass installation of non-EU products in the energy grid, without technical verification regarding digital security and the potential negative impact on the functioning of the country’s critical energy infrastructure, is extremely risky.
In Poland, electricity meters are currently being widely replaced by remote reading (VOC) devices.
Real threat
The threat to power grid security is very real.
The energy sector is one of the sectors of the economy that is particularly vulnerable to cyber attacks because it is strategic to the functioning of government and local structures and even individuals. In recent years, both conventional and renewable energy have significantly increased the degree of digitalization and, consequently, the fragmentation of their structures – as we read in the opinion of ComCERT and Apator experts.
Therefore, companies operating in the energy sector are among the most vulnerable to attack. According to the study’s authors, these attacks are often carried out by actors with organizational and financial support from unfriendly countries that seek to disrupt or even destroy infrastructure related to the process of distributing or transmitting electricity.
There is no shortage of examples. One of the first major attacks on power grids occurred more than 20 years ago. In 2001, attackers gained access to one of the internal networks of electric provider California Independent System Operator, resulting in power outages for nearly 400,000 people. Recipients.
In 2008, cybercriminals were able to insert malware into files used to update the software that runs the Hatch Nuclear Power Plant in the United States, causing a fault in the reactor’s control system, which in turn led to a two-day blackout.
In 2015, more than 50 electricity substations belonging to three distribution network operators (DSOs) in Ukraine were disconnected from the grid. The power outage affected approximately 225,000 people. Recipients. The industrial automation system has been physically damaged. The substations had to be operated manually for several weeks after the accident.
Last year, Delta-Montrose Electric Company (DMEA), a US electricity supplier, was targeted by cybercriminals – and as a result of the attack, the supplier was forced to shut down 90 percent of its capacity. IT infrastructure due to irretrievable data loss. The attackers deleted databases containing information dating back 25 years of the company’s operation.
Likewise, last year there were a series of attacks on wind turbines belonging to various operators in Europe – and as a result of the attacks, one operator lost contact with 6,000 operators. Wind turbines, another fell victim to a ransomware attack, and another had to shut down all remotely managed devices for 24 hours.
Unfortunately, more could easily be added to the above examples. Electricity producers and distributors are a tempting target for cybercriminals sponsored by hostile states, and their use of remotely read meters for this purpose seems a very likely solution.
Our neighbors are defending themselves
The awareness that smart meters constitute a critical element affecting the security of energy networks and, more broadly, the security of the entire country, is already common in Europe. In relation to the above, relevant state administration bodies are taking various measures.
In the Czech Republic, the Cybersecurity Office made a recommendation prohibiting energy operators from installing meters from outside the European Economic Area. It is similar in other countries, for example Greece assumes that for safety reasons, all meters to be installed in the country must be produced locally.
In Poland, electricity distribution network operators are installing smart meters on a large scale. The devices must be checked and come from a reliable source, otherwise someone may cut off the electricity.
Latvia, in turn, introduced a clause stating that source codes and encryption keys must be stored in an EU or NATO member state.
Solutions for additional local certification of critical infrastructure elements (such as meter communication gateways) are also being offered – followed by, for example, Germany.
what should we do?
According to experts, there is a need for strict verification of hardware suppliers and security practices used in the production process, regular firmware security audits and device security tests, and implementation of mechanisms to protect the firmware and detect and respond to its unauthorized modifications. All this in order to have complete confidence in the supplier.
The authors of the expert opinion from ComCERT and Apator call for action to improve cybersecurity in the energy sector. They offer a number of possible solutions. The targeted solution to ensure cybersecurity of the energy grid will be the development and introduction of so-called lightweight certification schemes for smart meters. They will define technical requirements and formal activities in the field of device testing and certification.
In the near term, experts recommend the adoption of appropriate legal regulations as part of the implementation process of the EU NIS2 directive on measures to achieve a common high level of cybersecurity on the territory of the Union. Poland must implement it by October 2024. The NIS2 Directive requires that all entities belong to a so-called master entity group, which includes distribution network operators.
– The replacement of smart meters in Polish homes is gaining momentum, so urgent action is necessary. Given the long time to prepare and implement the relevant regulations, it is justified to adopt non-regulatory mechanisms during the transition period (similar to other European markets). These may be recommendations from the State Commissioner for Cybersecurity, which serve to draw attention to and address specific real threats to the country’s key infrastructure – which are additionally written in the expert opinion of ComCERT and Apator.
It’s time to act fast. The threat that someone might decide to destabilize Poland’s power grid is unfortunately real.
Echo Richards embodies a personality that is a delightful contradiction: a humble musicaholic who never brags about her expansive knowledge of both classic and contemporary tunes. Infuriatingly modest, one would never know from a mere conversation how deeply entrenched she is in the world of music. This passion seamlessly translates into her problem-solving skills, with Echo often drawing inspiration from melodies and rhythms. A voracious reader, she dives deep into literature, using stories to influence her own hardcore writing. Her spirited advocacy for alcohol isn’t about mere indulgence, but about celebrating life’s poignant moments.
