The State of Smart Grid Cybersecurity

Klaus Mochalski

Hello and welcome to a new episode of OT Security Made Simple. I'm Klaus Mochalski, founder of Rhebo. My guest today, again, is Todd Wiedmann. Todd has been with me – I just checked – slightly over a year ago when we spoke for the first time about smart meter and smart grid security. Todd is Chief Security Officer at Landis+Gyr and also CEO at Rhebo.

Over the past year, Landis+Gyr and Rhebo together have spent a significant amount of effort and time to introduce new security products, especially for the US market. And after we spoke about the general state of grid security and smart meter infrastructure security, specifically in US last time, I would [like to] open with a question: Can you paint a picture for our listeners of the current state of things with regard to smart meter security, smart grid security in US, as you have seen specifically with some of the customers we have won over the past 12 to 18 months.

Todd Wiedman

Sure. I'll start by just saying that we see more and more threat actors targeting the critical infrastructure space in the US, just like in the world itself. It seems to be a big focus right now.

Klaus Mochalski

Is this really happening? Because that's interesting. I have had this topic many times before that everybody's talking about OT threats, but we don't see any of them happening. To an extent that some vendors even claim that you shouldn't really protect against OT threats but otherwise make sure that you get your assets in order, but threat detection is not so big of an issue. But what you're saying sounds somewhat different.

Todd Wiedman

Yeah. I would say high level, what we're seeing is more and more threat actors from nation states that seem to be targeting the utility space. Other than a few specific successes in the water space and in some of the pipeline stuff, we have not seen any successful or externalized successful attacks, but we do see a lot of targeting of that space. And from a landscape perspective, because we have a lot of customers in the space, we also see a lot of targeting that's coming from those nation-state type actors in our space as well. Nothing successful, but we definitely see an increase in that targeting.

Klaus Mochalski

Okay, so can you talk a little bit about the threat vectors that these attackers are using? Because last time we spoke about the exploit surface that we have, the vulnerabilities in systems. What are the threat actors trying to exploit?

Todd Wiedman

The threat actors are trying to exploit the vendors that partner with these utilities, first and foremost, the way we've seen, especially ourselves as well. But it seems like they're trying to look at vendors that might not be as secure as the utilities are set up.

Klaus Mochalski

So would this be then supply chain attacks?

Todd Wiedman

A bit supply chain attacks, a bit any vendors that assist in utilities in delivering their services, which more and more utilities are utilizing, like cloud services, for instance, and things like that. We see patterns around that. We partner with Google a lot, and we have these conversations with Google Security as well around these type of attack vectors, and they've seen the same.

Klaus Mochalski

That's interesting. Is there a means to quantify that? Is it a temporary feature that is related to some real-world events like the Ukraine conflict or the Middle East conflict or the US elections? Or is it just a general uptake in occurrence of these events?

Todd Wiedman

Yeah, we haven't been able to target and focus anything around that. We don't know if it's Ukraine or the other things that are going on in the world or any type of specific event in the US that's causing this. But we have seen patterns of increased reconnaissance actions, and it hasn't been tied to any type of thing that we've seen.

Klaus Mochalski

I'm interested, how do regulators in the US government react? Here in Europe, we have seen lots of activities and discussions about the NIS and NIS2. NIS2 was supposed to already be transposed into national law, which all the member states missed. It's supposed to come sometime next year [in 2025], hopefully not too late. But there is pretty tight regulation. Then we also have the Cyber Resilience Act, which came into effect just a few days ago [in November 2024]. There's lots of regulatory stuff coming our way in Europe. How is the situation in the US?

Todd Wiedman

It's similar. We're seeing proposals of regulatory requirements coming in that are focused on the critical infrastructure space. We have seen some programs that have been coming out from the Department of Energy and the CISA group around specific testing of critical infrastructure spaces. There's a project called Project Chariot that we were contacted about that is looking to test vulnerabilities within equipment in the water space and in the transmission space of pipelines, things like that.

We're seeing those kinds of events, types of regulation things that are being proposed and being talked about, but nothing yet that's been published.  

Klaus Mochalski

So, nothing specific that already has a date when it will come into effect?

Todd Wiedman

Yeah. We're seeing the same in Canada, by the way, too. So that's another big location that we work with. It’s the same thing in Canada. There's been proposals for the last year, year and a half, around some directions around cybersecurity in this space, but nothing that's been published or approved.

Klaus Mochalski

And is this coordinated between the two countries?

Todd Wiedman

A little bit, but not really. The Canadian piece is driven by the Canadian government, and then the US stuff is just the US piece coming out of CISA.

Klaus Mochalski

So with all this potential regulation in the discussion or somehow underway, do you believe that the incoming [now active US] administration will change the velocity with which this happens? Will it become faster, sooner, or maybe not?

Todd Wiedman

I don't think it's going to change any type of velocity. I still think there'll be a push for it, but I don't foresee that we'll see any type of focus until we have an event that actually drives the requirements, would be my guess. And that's just my guess. But because I think we saw a couple of attacks on some water treatment plans that raised some awareness. I think that's why this has been getting more focused around that. If we ever see something in the energy space or in the edge space, I think that will push start some more focus around that.

Klaus Mochalski

What we are hearing here is that there is discussion about, of course, government efficiency, famously so. Part of it seems to be to push responsibilities to the state level away from the federal level. There has always been a shift back and forth, and we have the same here in Germany. Do you think that is going to change? You just mentioned that most of the regulation right now is probably driven on a federal level. Will cybersecurity ever be pushed from a federal to a state level, or will it remain with the federal authorities, mostly?

Todd Wiedman

In the US, it's a little bit of both, because in the US, the state authorities have some jurisdiction around the utility space. So, some in the federal space was tried to be done, but a lot of it still needs to be done at the state area as well. What you'll see is some federal directives that come out, but then the states will take that and then actually make mandates based on their state requirements. That's usually what happens in the US. And that's why California has some things that they put in place. Back to where when we did GDPR stuff, then California came out with their own Privacy Act, and then it went to other states. I would say that's probably what we see in the US when it comes to cyber as well.

Klaus Mochalski

What do you believe are the immediate implications for a systems manufacturer, a systems vendor, regarding systems like smart meters, but also for service providers who offer IT and OT security services, managed services.

Todd Wiedman

I think the directives are going to be focused on visibility. That's where it usually starts. So, I think the regulatory requirements that do come out are going to be focused on getting that visibility – like an IDS solution or asset management. Those are the areas it's going to start with to try to get that visibility.  

I don't think you'll see any real regulatory around prevention for a while. I think it will be: first get the visibility. The vendors that are supporting this space, they'll have to make sure that their solutions give that visibility or have ability to get that visibility that's required when it comes to that.

Klaus Mochalski

The European Union have just published their Cyber Resilience Act a few days ago. And what this does is basically it extends the [...] CE sticker that many electronic products have to also include any product that includes digital technology. And you have to prove that the digital technology that you develop is developed in a secure fashion and that you have a standard level of security to make the products more resilient. And from 2027, I believe November, every product in the European Union, also consumer products, that contain digital technology, they need to have this sticker along with fulfilling the requirements.

Is there something similar in the US? I heard about the Cyber Trust Mark certification. Is it something that goes in a similar direction? Or do you believe that there will be something?  

Todd Wiedman

Yeah, the U.S. Cyber Trust Mark is that. I think they're still figuring out what that looks like and what the requirements will be. But it's exactly the same alignment that you would get the Cyber Trust Mark put on any device that passes or that meets a security standard.

I think the big question, both on the US and the European side, is: What is that standard going to look like and how does it pertain to whatever it's being applied to? If you have a consumer-based product versus a industry-based product, how do those standards apply to each? And what's the real impact on those?  

If it's a consumer-based product [and] if you require logging, for instance, from a consumer-based product, who gets the logging? Where does the logging go? What is the logging used for? Versus an industry system where obviously the logging would go to the company that's purchased the product. So it'll be interesting to see how that plays out both in the European space and in the US space.

Klaus Mochalski

Do you know anything about the timeline? And is it going to be a requirement for product vendors or is it voluntary?

Todd Wiedman

I'm not sure. I think it's voluntary right now, but I don't know the time frame. But it just started being discussed and it's being worked on. I don't know if there's anything official that's been submitted either. [Note: At the time of the recording (Dec. 2024), there was no timeline available. The U.S. Cyber Trust Mark has become official in January 2025 and remains voluntary.]

Klaus Mochalski

It's interesting that for once Europe is leading in this area.

Todd Wiedman

Europe has been leading a lot in the past, especially in the space of the privacy stuff – of GDPR. That was a European-led initiative, too. There's a lot of things that we see that we look to Europe first and then figure out, well, how is that going to affect or drive the USA side of that.

peaker 1

If we look back at how we started our discussion today, looking at specific customer projects that you dealt with over the past months. What are the specific and maybe new requirements that some of the customers are looking at and looking into with regard to the solution that [Landis+Gyr and Rhebo are] offering?

Todd Wiedman

A lot of our customers are really interested in our new head-end security solution. We have a solution that we've targeted Landis+Gyr customers first with. But what it does is it gives real-time security visibility and a more in-depth security view of the things that are actually happening on the application that manages the edge devices. In our area, it's all of our meters that we support. The application that specifically controls and monitors all those devices at the edge. We build a solution that gives the security team's real-time visibility to that and more analytics around what's going on with the devices at the edge as well as the application itself.

And this was really driven because we saw a need that when a threat actor starts attacking the [energy sector] environment – which they have done for a long, long time – it's always been focused on attacking the edge, attacking the devices at the edge. And fortunately, we've had good security models in place so that [a successful attack] has been very difficult to do, and we've had very little success of an edge-type of attack. So, it's just a normalization that they're going to pivot to the applications that actually control the devices versus the devices themselves.

So, we see that as a bigger attack vector going into the next few years. And putting something in place that can get that visibility and making sure that we fully understand any time what's going on with those applications and the devices at the edge has resonated with our customers. They said: Yes, this makes sense, and we want to make sure that we have that visibility as well. It's been something that we've had a lot of interest in over the last six months in the US with our customers to increase the security on those applications that control those edge devices. And we're starting to see that in Europe, too, with our European customers.

The second area that we've had a lot of focus on is the edge devices themselves. The devices that we manufacture and put into the utility space are very secure, and we've built security on them for years.  

Klaus Mochalski

The smart meters?  

Todd Wiedman

Yes. But when you start talking about the things at the edge that also control the energy – like batteries, like solar, like inverters, cars, right? – some of those might not be as secure because they're coming from third-party manufacturers that might not have been in the critical infrastructure space. They might be coming from manufacturers that have only focused on one piece or one solution and [were] not really thinking about the big picture.  

So, we're starting to see utilities having concerns about those devices that are getting connected to the grid. But it might not have that security level as well. And we've been having conversations with customers about our solution, how we can help them secure those as well as manufacturers. Sonnen is a great example of what Rhebo has done in Europe with helping a company secure their edge devices.

Klaus Mochalski

In a way, you could say that the smart meter industry as a whole has set a good precedent of how to secure the edge of an IoT network, which is still like an open challenge for most vendors. And quite often this is neglected as a risk. It seems that it actually pays off that you develop products with security in mind, having things like resilience in mind. [Just] hat the Cyber Resilience Act in Europe is trying to achieve, especially in terms of secure product development.

This is something that we have already done for the smart meters all the time, basically. And now we can turn to the more central systems, which are a lot easier and probably also more economical to protect from the customer's perspective. So that's a good thing.

Todd Wiedman

Yes, definitely.

Klaus Mochalski

Okay. The regulation coming up will it also directly affect the systems that are already quite secure today? You mentioned that it's still unclear [...] how the regulation will consider consumer and professional or business products differently. Is there any anticipation of how systems like smart meters will be covered by this regulation?

Todd Wiedman

So I don't think it'll focus on smart meters initially. I think it will focus more on the manufacturing space and the substation type space, from a visibility perspective and those things. Because the other piece that's driving this is NERC under the NERC umbrella has driven cybersecurity when it comes to the transmission side of the house. And that's the other influence. Now they're looking at the distribution side as well to see what makes sense to the requirements of NERC-CIP.

Does it make sense to pull them more on the distribution side of the house, or do we need new regulations for the distribution side of the house? But I think that will also be something that drives the direction of the requirements. And that would be in the AMI space. So it could be that the meters and the space in the meters see some additional requirements because of the influences. The other piece I would say, is typically in the past, where we had smart meters which had the ability to do reads and do connects and disconnects. But now there's a lot more analytic functions and intelligence going into the meter side as well.

And if that intelligence moves to the meter side, then there's obviously more risk there when it comes to vulnerabilities and threats because they have the ability to do [more] things at the meter than they could [do] in the past.

I think the regulations will catch up to that as well. There'll be some requirements that say if you have a device at the edge that can do more than just read or look at some type of energy consumption, then there'll be additional requirements around how you secure that to ensure that there's no impacts.

Klaus Mochalski

That makes sense. If you have a device in your house that can potentially disconnect you from the power grid, then, of course, you want to make sure that nobody who is not eligible can actually do that.

You mentioned a couple of times that visibility is a requirement by many of the customers that you have approached recently. It sounds like in a sense, for me, visibility is one of the earlier steps on a security journey. And does this mean that if customers are asking for visibility, specifically, that we are still looking at a not very mature market with regard to their overall cyber security posture and processes, or is this a wrong assumption?

Todd Wiedman

I think it's a changing market. In the past, the utilities had to worry about people taking down or impacting the way they generate energy, which again was mostly transmission. The big power plants were the things that potentially could take down a grid. But anything in the home space or consumer space or even in the distribution side of the space, would be very, very difficult to have an impact on the grid. You could bring down a lot of meters or bring up and down a lot of meters, electric meters, at one time. And there's been studies that show that could have an impact on the grid based on phasing. But generally speaking, it would be very difficult to do.

But now that when you have all these renewable at the edge that are coming in, solar panels, batteries, et cetera, now there's a lot less attacks that could impact the grid just based on [phasing]. If I have a company that sells solar panels to a third of my utility customers, and that solar panel battery or solar panel company gets compromised and they start manipulating those solar panels, that could have a major impact on the grid.

And that's what I think the utilities are starting to think about. How do I control these edge devices or how do I get visibility to those edge devices to know that they're attached to my grid, that the vendor is doing what they need to do, and that if something does happen to those devices, that I can get information about it so I can do something else to make sure the grid stays up.

Klaus Mochalski

Okay. So, visibility is not just the first step on a customer's or on an infrastructure provider security journey. It's a big value in the changing threat landscape that we see today that needs to be covered. It's an important step towards higher OT security or smart grid security. Very interesting discussion. Thank you, Todd, for being here. I'm looking forward to our next discussion, maybe in one year's time from now.

Todd Wiedman

Thanks. Thanks a lot.

‍