There are many components to an industrial control system network, including smart devices (e.g., smart meters) that collect and store critical confidential data, such as login credentials, encryption keys, consumer privacy data, and business proprietary information.
A smart meter is a utility meter that records consumption in intervals and communicates the information via a communication network to a utility company. By way of example, smart meters can include smart electricity meters, gas meters, and water meters. This information can be used, among other things, for monitoring and billing purposes. In some cases, smart meters are used in an advanced metering infrastructure (AMI) system. AMI systems provide a two-way Internet protocol (IP) communications path between a smart meter and a service provider (e.g., an electric, gas, or water utility company).
More specifically, AMI systems include full measurement and collection subsystems including meters at the customer site, along with communication networks between the customer and the utility company. These AMI systems can also include data reception and management subsystems that make the information available to the utility company. The goal of an AMI system is to provide utility companies real-time data regarding power consumption. This process enables customers to make informed choices about energy usage based on the price at the time of use.
By way of background, FIG. 1 depicts an exemplary configuration of an AMI system 100. In FIG. 1, a customer site 101 (e.g., home or a business) collects time-based data via an electronic meter. Such meters can monitor one or more of three types of utilities: electricity 102, gas 104 and water 106. These meters have the ability to transmit the collected data through commonly available communication networks 108, such as public networks and broadband. The meter data are received by an AMI host system 110 and transmitted to a meter data management system (MDMS) 112. The MDMS 112 manages data storage and analysis to provide the information in a useful form to the utility company.
The collected data can include the accumulated energy and demand consumptions of a customer and are critical data to the utility company, being used for customer billing purposes. Any unauthorized access and/or tampering with this critical data can seriously affect, for example, the company's revenue and profits. Furthermore, the smart meter manufacturer's software stores the security codes that provide complete access to the meters and the meter data. The root of the security of the smart meter system resides in the software application, which can configure the critical data (e.g., access credentials/access codes) as it is stored. The unauthorized disclosure of such data can compromise system wide security. Hence, the protection and security of smart meter data is paramount.
Many conventional systems provide software security using techniques such as encrypting the user credentials directly with randomly generated keys, storing the salted hash of the users' passwords, and using homegrown encryption algorithms for password protection. Other techniques include protecting the application database file using a user provided password and encrypting the software database file upon exit of an application, and decrypting when the software is running. However, all these conventional techniques are inadequate for protecting against current security vulnerabilities.
A successful breach of one or more smart meters could catastrophically impact operations of a utility company. A security breach would permit the theft and misuse of access credentials, customer privacy data, and company proprietary information which can lead to power theft or broader penetrations of AMI networks.