Keeping the Lights On: The Hidden Risks of IP-Based Power Distribution
In our latest blog, Tim Pearson explores an interview held with colleague Brecht Wyseur that examined how changes in power generation and distribution are demanding greater adoption of device security both during the initial product design and throughout the device’s lifecycle.
In the last 12 months, not a day has passed without a debate or discussion about renewable or green energy. While some of the focus has been on global geo-political developments, the recurring theme is about pushing for ‘net-zero’ where consensus is sought to drastically reduce carbon emissions associated with power generation. Against increased energy demands in areas such as new data centers and electric vehicles, the need for new, greener sources of electricity that can meet this demand has never been greater. In the UK, this is evidenced by the number of homes turning their roofs into mini-solar farms and the swathes of British countryside being covered by solar panels - and not to mention the many wind farms that occupy large areas of our coastal waters.
In the U.S., similar pressures are mounting. States like California and Texas have experienced rolling brownouts due to a combination of extreme heat, surging demand, and aging grid infrastructure. As more homes and businesses adopt rooftop solar panels, electric vehicle chargers, and home battery systems, the grid is becoming more decentralized, creating new challenges for balancing supply and demand.
These trends aren’t new, but they are accelerating, and the industry is adapting with new equipment, processes and commercial models. However, with rapid growth comes increased risk. In recent months, we’ve seen the press feature a major outage in Iberia and raise concerns about remote connectivity to solar inverters which could result in them being taken offline by a rogue actor. If a robust security framework, such as those offered by Kudelski Labs, built on advanced security and cryptographic capabilities for semiconductors and end devices is implemented, such risk scenarios can be mitigated.
The Evolution of Power Distribution
The way utility infrastructure is evolving is key. Traditionally, the energy market operated with a limited number of integrators. A utility would either handle integration itself or work with a single integrator to manage connections between the transmission network, distribution grid, and end consumers like industries and households. It was a manageable, centralized system.
But that’s changing. Now, utilities are integrating with Electric Vehicle (EV) charging point operators, smart home systems, heat pumps, and more. Instead of one integrator, there may be many or sometimes none. For instance, an individual might install a battery or EV charging point at home using a local electrician or a retail product. Suddenly, you're dealing with a fragmented and distributed device landscape.
This creates complexity – but also opportunity. For utilities, it opens the door to new use cases. For manufacturers, it means building devices that are plug-and-play and can easily be integrated. For regulators, it’s about creating frameworks to ensure everything works together smoothly and securely.
Security and interoperability must go hand in hand. One of the foundational elements in securing complex infrastructures is having standards that support both. And not just on paper – these standards need to enable rigorous development, testing, and validation of devices. Compliance alone isn’t enough. You need to ensure that devices interoperate securely at all levels.
Securing Credentials Through Device Lifecycle Management
In any connected ecosystem, each actor needs to be clearly identified and authorized. That means implementing robust identity frameworks. It’s not just about encrypting data – it’s about verifying who’s communicating with what, and whether they’re authorized to do so, and trust the data.
This becomes especially important when you're dealing with data exchanges between systems. In smart metering, for example, the head-end system might send commands to shut down a device like a heat pump or EV charging point. That command must remain authentic even when traveling through different devices or networks such as from the head-end system over a smart meter to the end device. International standards such as Device Language Message Specification (DLMS), provide end-to-end data protection, and as such provides a means to authenticate commands from head-end system to end devices.
Even when communication bypasses the smart meter - such as in direct exchanges between utilities and third-party devices, the security model must hold. Any compromised point in the network should not undermine trust. This is the essence of a resilient system design.
As for smart meters themselves, the industry is making significant progress. Chipset manufacturers are embedding core security functions. Meter vendors are implementing features such as secure boot mechanisms and ensuring firmware integrity. We're moving in the right direction.
Utilities today have the responsibility, and the tools, to rigorously test equipment before deploying it. They also have authority over what meters are connected to their network and can perform extensive testing. But with other devices which aren't always utility-installed, the situation is more complex. In such cases, broader frameworks and guidelines are needed to govern what devices can be connected.
Creating a Layered Approach to Security
The key is a layered approach that combines secure devices, robust standards, interoperability, and strong identity management. Only then can we secure the utility networks whose future is forecast to be both complex and decentralized.
This is required in the far more open environments that we’re now operating in. Connected households, third-party devices, decentralized generation, and an increasingly blurred boundary between operational and consumer domains. The old perimeter-based model simply doesn’t hold up anymore. That’s why the utility industry is now shifting toward a zero-trust model.
Zero trust starts from the assumption that your network is already compromised. You assume the attacker is in the system and build your defenses accordingly. That changes everything. Instead of relying on isolation, security is built on unique device identities, secure authentication, encrypted communication, and verifiable data integrity. Each device must be secure, capable of proving it and able to ensure the data it sends is reliable—even in a hostile environment.
To enable that, we need to move beyond simple authentication mechanisms. What’s emerging instead is a focus at the chipset level otherwise known as hardware-based security. Chipset manufacturers play a key role here. They’re embedding features like secure storage, unforgeable device identities, secure boot processes, and attestation mechanisms. These hardware-level capabilities are then leveraged by device manufacturers to build secure products.
While utilities won’t interact directly with chipset manufacturers, they do set the requirements that device manufacturers must follow. Utilities can demand that equipment proves it can do only what it’s meant to do, that it hasn’t been tampered with, and that it supports secure communication. The utility should be able to verify that those requirements are met, either through direct validation or certification.
Kudelski Labs: Securing Devices from Chip to Cloud
Built on decades of innovation and experience in delivering key management at scale to the media and entertainment industry, Kudelski Labs’ focus is on embedded chip security.
Together with our Advisory Services, Secure IP series (Kudelski Secure Enclave) and keySTREAM Device Lifecycle Management solutions, we equip chipset vendors, device manufacturers, solution providers and end-user customers with the essential security primitives necessary for the effective development and protection of end-to-end IoT solutions. This approach ensures a robust security framework, built on advanced security and cryptographic capabilities, that supports the entire IoT ecosystem throughout its lifecycle.
Through technologies such as these, coupled with secure product design, the open, multi-integrator ecosystems of today’s IP-focused industries such as utilities, can be confident that they are both secure and resilient against bad actors.
To learn more, discuss how our solutions can secure your ambition or help with a specific project or activity, please contact us or visit our website for more information. We’d love to continue the conversation.
