Open Search Partner with DCC

Securing energy in a digital world

When people think about getting a smart meter, national infrastructure may not spring to mind – they’re more likely to be thinking about the daily cost of heating their home.

It’s easy to look past these utility meters with their illuminated screens and not consider the complex technology and massive national network which they connect to and which supports them. However, not only do they have to connect reliably every home and small business in Britain, they must also do this all while providing national infrastructure level security – a consideration that’s been brought into sharp focus by the current geopolitical situation.

The DCC built and operates the smart meter network guided and endorsed by the National Cyber Security Centre (NCSC), putting resilience at its heart. This is about more than your traditional ‘smart home’ or Internet of Things (IoT) network – it has taken a fundamentally different, more secure approach. Behind the scenes there is a dedicated team of people protecting the network, all driven by its vital mission to help digitalise and decarbonise the nation’s energy system.


The state of IoT

The IoT is a term used to describe billions of physical devices around the world that can connect to the internet – from a smart speaker to a bin on the street that reports when it’s full. The practical application of this connected technology continues to grow, with some analysts predicting that by 2025 there will be more than 27 billion devices connected globally.

The baseline of security controls provided by manufacturers of IoT devices has been extremely varied and in general quite lacking. Not unfrequently, IoT devices have been found using default passwords or outdated vulnerable software without proper patching policies in place. The lack of basic security features along with their interfaces to the internet makes them the perfect target for malicious actors who can easily find and compromise them on a massive scale – locking people out of their smart coffee-makers or using armies of these devices to compromise other networks via DDoS (distributed denial of service) attacks. 

Several initiatives have been kicked off to bring a common security baseline as a mandatory requirement for any vendor accessing the IoT market with their products and the situation is expected to improve; however, the legacy of unprotected devices plays a fundamental role in keeping IoT risk firmly on the radar of any security professional.

It goes without saying that a network associated with the home’s energy supply needed to include an entirely different tier of security.


A different approach

The smart meter network managed by DCC has been designed with security in mind from the get-go. The whole cryptographic model has been developed under guidance from the National Cyber Security Centre and is based on state-of-the-art cyphers for these sorts of applications (like for example NSA Suite B/CNSA).

For the devices to be allowed to connect to the DCC network, they are required to achieve specific security certifications under the NCSC Commercial Product Assurance scheme, which ensures that application and physical security controls are implemented and effective. For example, integrity and authenticity of firmware is verified before updates are allowed. As another example, the device is able to detect tampering and to send alerts for further action.

The smart meters on the DCC network don’t directly connect to the internet and access to them is strictly limited. The smart meter records energy readings, encrypts them and sends this over a specialised telecommunications network that sits outside the public Internet. The encrypted readings reach the DCC servers, which pass them to dedicated access appliances for our registered users (energy suppliers and network operators). Message encryption ensures that only parties with the right to see the information get access to it, and nobody else.

Combining this tightly controlled access with monitoring, our 24/7 operations centres can detect and respond to any suspect activity on the network.

The data produced by our network every day is more than a human can hope to sift through in a lifetime – every day, over 40 million messages travel across our platform. Our operations centres use state-of-the-art anomaly detection tools to monitor the activity on our system to find issues fast.

DCC keeps a close eye also on security awareness. We work hard to ensure that everyone at the DCC is regularly trained to spot phishing attempts, and that incoming communications are closely monitored.


Resilience is key

We operate under the philosophy that at any time attempts could be made to compromise our network, and so build our systems to be resilient to this.

Utilities work on enormous timelines for technology, with meters on the wall expected to be there for 15 years. To keep our network resilient, we need to continue to evolve our approach with these timelines in mind. For this reason, the DCC network is designed to evolve continuously, and this is a process in which all our users are consulted and heavily involved.

This work is complex and more than meets the eye, but everyone involved understands the importance of our mission. The DCC platform is the digital backbone of Britain’s energy infrastructure, and in my team we are here to protect it. It helps the country avoid releasing hundreds of thousands of tonnes of carbon every year, and supports our distribution networks and grid in making the best possible use of renewable resources – a critical element of the journey to achieve our Net Zero goals.

Meet the author

Mark Hughes

Chief Information Security Officer

Further reading

Discover more