IoT Smart Meters and Security: What’s in Your Firmware?

Estimated reading time: 7 minutes

Firmware is a critical component of Internet of Things (IoT) devices that you can’t see or control. If a device like a smart meter contains an IoT module, it’s running firmware. When powered on, the firmware code is typically the first to run. It’s the foundation of the chain of trust and security for an IoT device.

However, IoT device manufacturers are not 100% certain what that firmware is doing. Third-party vendors or contractors often supply the firmware or components that include it. Device manufacturers may not have full access to the source code or know who wrote or signed off on it.

Smart Meters: Modernizing Energy Systems with IoT

Governments are launching extensive global rollouts to digitize and modernize energy systems using IoT. One such deployment model is massive IoT.

Massive IoT involves the deployment of many low-power and low-cost connected devices that send small amounts of data. Devices like sensors and meters send this data periodically.

A well-known example in the energy sector is the smart meter. Meters send real-time data over the internet to energy companies as customers consume energy. They report energy use without needing constant or high-speed connectivity. This has increased efficiency and reduced costs by eliminating on-site meter readings and estimated bills.

Smart meters help balance energy generation and consumption. However, the increase in renewable energy sources creates a complex balancing act. Wind power and solar energy are not always reliable, which creates challenges for power grid management. Increases in distributed small private power plants and EV charging stations can cause abrupt shifts in energy flow.

Cellular Modules and Low-Power Connectivity for IoT Smart Meters and Security

Most smart meters utilize cellular technology to collect data and transmit it to the energy company. Smart meters need low-power, reliable connectivity that supports a long battery life and wide coverage. Cellular low-power wide-area (LPWA) technologies, such as Cat M and narrowband IoT (NB-IoT), are crucial for conserving power.

They meet smart meter requirements more effectively than standard cellular options, especially in remote areas. As 5G expands, Cat M and NB-IoT fill the gap for devices that don’t require high bandwidth but need low-cost, long-term support.

Some utility companies implement private networks for enhanced security, specifically for their smart meter deployments. These private networks enable utilities to operate within a secure environment that is separate from commercial networks.

The core chipset of a smart meter’s cellular communication module is an advanced processor. It runs the protocol stacks required for cellular networks and contains hardware components like power and radio. Because this functionality is complex, manufacturers don’t integrate it into smart meters.

Module manufacturers source the components on a massive scale and sell a packaged solution with relevant approvals. For the device manufacturer, the module is just another piece to integrate during manufacturing.

What about the IoT Firmware?

Firmware is software embedded into a device. It controls the device’s operation and communicates with other software. It also establishes protections to secure the device and its operating system. As soon as the device powers on, the firmware begins to run.

Modules often contain substantial amounts of proprietary code, written by the module manufacturer. Attention (AT) commands control the module and behavior of the core chipset. The code interprets these commands and returns a response.

The AT interface provides the only view of what the module is doing. Still, the module manufacturer controls this view.

While hardware components may reach end-of-life, the firmware of modern smart meters can be upgraded remotely. This capability allows for ongoing security updates and feature enhancements throughout the device’s lifespan.

Given firmware’s critical role in IoT device operation, you must have complete trust in your module supplier.

Smart Meter Security Threats

Recent cybersecurity incidents highlight the growing threats to smart grid infrastructure. These include distributed denial-of-service (DDoS) attacks targeting power grids and firmware-related vulnerabilities.

In May 2022, the Czech government issued a warning about potential cybersecurity threats. These high risks were identified through energy-related technology and software used in smart metering tools. The warning raised concerns about the trustworthiness of a supplier’s business practices, legal standing and geopolitical affiliations.

The impact of IoT security breaches can be devastating. Compromised security isn’t just about sending inaccurate data. It also poses significant risks to organizations.

Security breaches can include extensive interruptions like disconnections. Disconnecting thousands of consumption points can lead to blackouts, impacting an entire country and its economy.

Unfortunately, cyberattacks are increasing at alarming rates. To combat these threats, the industry is implementing various security measures, including:

• Secure boot and end-to-end encryption protocols
• Public key cryptography
• AI and machine learning (ML) systems that can recognize patterns and process data from different sources

In October 2024, the European Union (EU) implemented a regulation on cybersecurity requirements. The Cyber Resilience Act applies to products with digital elements and addresses security throughout those products’ life cycles. It introduces rules to ensure that more hardware and software products enter the market with fewer vulnerabilities.

Why Cellular LPWAN Is Essential for IoT Smart Meters and Security

IoT has diverse needs, from high speeds for video applications to low speeds for sensors. These requirements range from low latency for voice communications and control systems to large capacity for dense deployments. Transactional devices require lower power consumption and longer battery life, which cellular LPWAN technology provides.

Smart meters are transactional devices that transmit small amounts of data at regular intervals. They don’t need high speeds or large bandwidth, but they do require:

• Long battery life
• Low power consumption
• Consistent connectivity

Cellular LPWAN technologies meet these needs. Utilities reduce operational costs through long-term deployments that require minimal maintenance and no battery replacement. Wide coverage and affordable modules, along with data plans, make it practical to scale smart meter rollouts globally.

Cellular LPWAN solutions overcame three former obstacles to achieve widespread adoption:

• Cellular connection modules and associated data plans are now more affordable
• Coverage is widely available, even indoors and in remote areas
• With the right design, battery life lasts a decade

Look for a Trusted IoT Provider

Devices like smart meters face serious security risks if the IoT modules do not come from a trusted source. Unverified modules can create entry points for attackers. A breach in critical infrastructure disrupts services and damages systems.

Conduct thorough due diligence before selecting a supplier to mitigate potential risks and threats. Ask questions when searching for a trusted vendor.

Telit Cinterion: Secure Smart Meter Solutions

As a recognized leader in IoT security, Telit Cinterion has over 30 years of experience innovating in cellular IoT module design, development and manufacturing.

We maintain the highest security standards across our product portfolio with our security by design approach, rooted in module system integrity and protection. Utilize our IoT expertise and leadership to develop reliable smart energy IoT solutions.

We can build your ready-to-launch, secure smart meter with our wireless IoT modules, connectivity services, platforms and solutions. Our offerings help optimize distribution and improve customer service.

Speak to our IoT experts to learn about our secure IoT-enablement solutions for smart meters.

Editor’s note: This blog was originally published on 3 February 2023 and has since been updated.