Smart meters have evolved from passive measurement tools to active nodes driving the energy transition. They collect, store, and transmit critical usage data that informs demand management, customer analytics, and predictive maintenance, underpinning modern energy grids.
As these devices become more advanced, cybersecurity discussions often focus on network and communication security. Yet the local data stored within meters, from billing records to firmware logs and user data, often remains overlooked. This embedded data layer can become a critical vulnerability, carrying high risks for utilities, manufacturers, and consumers if it is compromised or corrupted.
Product Manager at Tuxera.
Why stored data is a hidden vulnerability
Smart meters typically operate for up to 20 years in the field, collecting and processing sensitive data under harsh conditions and constrained resources. If this data is accessed, altered, or deleted, whether through physical tampering or software exploits, the consequences can range from billing inaccuracies to compliance failures and operational disruptions.
The risk is often invisible. Data corruption or loss may build up quietly until systemic problems, like forecasting errors or customer disputes, reveal the underlying issue. As energy systems become more reliant on accurate data for operational and ESG objectives, securing data at rest becomes a business-critical priority.
Counting the true cost of cybersecurity shortfalls
Securing smart meters is not simply a technical task; it carries financial and operational implications. For many manufacturers, maintaining effective vulnerability management requires dedicated teams, often three to five full-time specialists handling threat detection, incident response, and patching throughout the year.
Regulatory frameworks often require hardware enhancements to handle encryption and secure configurations, impacting Bill of Materials (BOM) costs and extending design timelines. Existing software stacks frequently require optimization to support modern security protocols without overloading resource-constrained devices.
These investments are critical, considering the potential impact of an undetected cyberattack, which can cost companies upwards of $8,800 (≈£6,900) per minute. Beyond direct financial losses, organizations face reputational damage, regulatory fines, and operational disruptions that can erode customer trust and market confidence.
The CRA: Raising the security standard across Europe
The European Union’s Cyber Resilience Act (CRA), due to take effect by 2027, will redefine expectations for digital products, including smart meters. Compliance with CRA will be tied to CE marking, making it a requirement for market access in the EU.
Key CRA obligations include:
● No known vulnerabilities at launch: Devices must be tested and verified before release.
● Secure-by-default configurations: Devices should avoid insecure settings upon deployment.
● Ongoing patch management: Vendors are required to provide updates and vulnerability remediation across the device’s lifespan.
● Transparent documentation: Vendors must maintain clear documentation for lifecycle support.
For smart meters with operational lifespans exceeding two decades, this means manufacturers must ensure security from deployment to decommissioning, embedding resilience into both hardware and software layers.
Engineering Trust: Confidentiality, Integrity, and Authenticity
Effective smart meter security is not an add-on feature; it must be engineered from the ground up. This requires focusing on three critical pillars:
● Confidentiality: Protecting stored data against unauthorized access using encryption, secure key management, and robust communication protocols.
● Integrity: Ensuring data remains accurate and unaltered, even during power outages or unexpected failures, using secure boot processes, flash-aware file systems, and validation checks.
● Authenticity: Verifying that updates and communications come from trusted sources, leveraging digital signatures and secure update processes to block malicious code injection.
Together, these principles ensure smart meters can withstand evolving threats while maintaining compliance and operational reliability.
Organizational readiness for secure smart metering
Complying with the CRA, NIS2, and IEC 62443 frameworks requires more than producing secure devices. It demands a holistic approach that aligns people, processes, and documentation to foster a security-first culture across the organization.
To prepare effectively, companies need to maintain accurate Software Bills of Materials (SBOMs) to track and manage all software components used within their devices. Conducting thorough supply chain and risk assessments is essential to identify and mitigate potential vulnerabilities, while retaining comprehensive test reports ensures transparency and readiness for regulatory scrutiny.
Developing clear incident response plans allows organizations to act swiftly in the event of a security breach, minimizing disruption and risk. Internally, teams must receive training on cybersecurity best practices to build the knowledge required to maintain secure operations.
Establishing clear data retention and minimization policies helps reduce unnecessary exposure of sensitive information, while defining and enforcing role-based access controls ensures that only authorized personnel have access to critical systems and data.
With the anticipated rise of quantum computing posing a threat to current encryption standards within the operational lifespan of smart meters, manufacturers must also prioritize cryptographic agility. By designing devices today with the capability to support future algorithm upgrades, they can ensure that smart meters remain secure and compliant as new standards emerge and threats evolve.
Lessons from real-world deployments
Flash memory, which stores meter data, is prone to wear over time due to repeated write/erase cycles, leading to early failures and data integrity issues if not managed effectively.
Utilities that have implemented flash-aware file systems and controllers have seen significant improvements in resilience. In some cases, meters have extended operational lifespans by over 50%, maintaining data integrity even after enduring 15,000+ unplanned power interruptions.
These solutions not only support CRA compliance but also reduce operational costs, minimize warranty claims, and lower environmental impacts by reducing the need for premature replacements.
Security as a market differentiator
As the smart energy market matures, secure and resilient meters are becoming a competitive advantage. Embedding robust storage security protects utilities from financial losses and reputational damage while meeting customer expectations for reliability and trust. Manufacturers who prioritize security now will be best positioned as forward-thinking partners to utilities navigating the energy transition and digital transformation.
Building a secure future today
Smart infrastructure is rapidly advancing, and with it, the need for secure, reliable devices grows. For smart meter manufacturers and utility providers, protecting data at rest is no longer a secondary concern; it is essential for financial stability, regulatory compliance, and customer trust.
By addressing cybersecurity at the design stage and aligning with emerging regulations like the CRA, the industry can deliver smart meters that are not only connected and intelligent but also secure and resilient by default. In an energy landscape where data drives progress, securing that data is foundational to a connected, low-carbon, and reliable future.
We've listed the best patch management software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.