May 2022 – On Monday, May 30, the Czech National Cyber and Information Security Agency (NÚKIB) issued a fresh warning on potential cybersecurity threats stemming from the use of energy-related technical or software smart metering tools (i.e. smart meters) that do not come from countries deemed to have “trustworthy” legal environments (report available in English here).
Assessing the most recent risk to be “High”, the NÚKIB’s warning called on so-called obligated entities to “immediately start preparatory work to deploy technology enabling the required level of direct metering,” meaning types B, C1, C2 or C3, as per the Czech government’s Decree No. 359/2020, on electricity metering. In its warning the NÚKIB relied on an existing parameter, namely “assessing the trustworthiness of suppliers”, which already appeared in its previous statements, such as the recommendation on 5G supplier networks in the Czech Republic.
The NÚKIB also noted that in selecting suppliers, effective cybersecurity protocols do not merely concern assessing the technical aspects of utilised technologies, but also the non-technical aspects. That means ensuring confidence both in the energy metering technical solution offered by the supplier and in the business, legal and political environments in which the supplier operates. To this end, the NÚKIB has determined that the member states of the EU, the EEA, the OECD and NATO possess “trustworthy” legal environments.
Under the criteria set forth by the NÚKIB for assessing such trustworthiness, trustworthy countries are those with democratically elected governments and independent judicial systems that observe the rule of law, that protect intellectual property, do not violate international laws, maintain partnerships with the Czech Republic, do not carry out activities directed against the fundamental interests of the Czech Republic or its allies, and do not consider the Czech Republic to be a “hostile” state.
The obligation to deploy smart metering technologies in member states is imposed on electricity distribution system operators by EU legislation. This, in turn, is spurring the purchase of smart meters and the related procurement procedures in countries including the Czech Republic.
The potential risks identified in connection with compromised systems include sending erroneous data to the central office, disconnection of consumption points, and even energy blackouts. The warning also underscores that ensuring energy security remains a key strategic goal of the Czech Republic.
The Kinstellar cybersecurity team is available to answer any questions with respect to the above.