In the seventh episode of Smart Talks with Jovan, we were joined by Mr. Rene Boringer, Vice President of ESMIG’s Executive Committee and CEO of Cuculus; Mr. Maximilian Urban, Vice-Chair of the Eurelectric Working Group and Information Security Officer at Niederösterreich Netz; and Mr. Brecht Wyseur, Director of Cybersecurity Standardization at Kudelski IoT and Board Member of the DLMS User Association.

Our conversation focused on securing smart metering infrastructure, navigating regulatory compliance, and balancing cybersecurity needs with implementation costs.

What do you see as the biggest challenge in securing smart metering infrastructure, and how can the industry address it?

Boringer: It’s a tricky question. First, I would say it’s not just about infrastructure. Infrastructure is only one component. We need to look at the bigger picture of what we want to achieve. In the European Union, where ESMIG focuses, utilities have three major goals: affordability, sustainability, and security. Security is now seen as closely connected to the security of supply, not just infrastructure.

The biggest challenge is moving away from siloed thinking toward a collaborative mode, where all parts of the value chain—meter manufacturers, software developers, infrastructure providers, backend systems, and operations teams—work together. That integration is where the real challenge lies.

Urban: As a DSO, we manage about one million smart meters in Lower Austria. Each smart meter is a communication device installed on the customer side. We don’t always know who is accessing the device via the customer interface, which is open to external communication.

We encrypt communications with the smart meter and monitor regular traffic to detect anomalies. The Zero Trust approach helps: we learn what is normal behavior for the smart meter and the customer interface, and we monitor for deviations. It’s a significant operational task.

Wyseur: Managing complexity is the biggest challenge. Some utilities handle millions of devices. To address this, we need to move beyond silos and adopt a collaborative approach.

There are three key ingredients: First, embrace standardization. I work heavily in this space, and standards like those from DLMS are essential for proper authentication and data handling. Second, apply security-by-design principles, such as Zero Trust. Third, ensure alignment with regulations. Clear, consistent rules help guide implementation across the supply chain and make managing complexity feasible.

How can organizations balance the need for regulatory compliance with practical business considerations and resource constraints?

Urban: We operate in a regulated world, so practical business considerations are closely tied to regulatory requirements. The real challenge comes afterward: getting the costs for smart meter security approved in our tariff proposals. Regulators want us to implement security measures but are cautious about approving cost increases that would affect residential customers.

We do what we’re asked to do, but then we have to fight to get those costs accepted in our grid tariffs.

Wyseur: From a cybersecurity standpoint, regulators have two key responsibilities. First, they should create frameworks that incentivize the market to implement correct measures cost-effectively. If done at scale, costs can be reduced. Second, regulators must enforce a minimum threshold for cybersecurity—as we’re seeing in Europe with NIS2 and the Cybersecurity Act. This creates a level playing field and can ultimately bring costs down while improving security.

Boringer: There’s another layer of complexity: interpretation. EU directives are interpreted by national regulators, then further by DSOs, who may add their own criteria. Regulators should intervene where markets don’t function properly—for example, when users are forced to adopt smart meters and need protection.

Regulation, despite good intentions, is slow. Technology threats evolve quickly, especially in areas like crypto, while meters may be deployed for 10-15 years. We need to define what “normal” behavior is across the whole system and monitor for deviations.

Best practices must be considered. In Germany, for example, strict security requirements have hindered adoption. The balance between affordability and security must be carefully managed.

How can utilities balance the need for strong cybersecurity with the complexity and cost of implementation?

Wyseur: Cybersecurity gets more expensive the later it is implemented. A clear example is firmware updates: if secure remote updates aren’t built in from the start, you have to send someone to the field, which is costly.

Think about cybersecurity from the beginning. Also, leverage existing knowledge. Organizations like the World Economic Forum and companies like Kudelski have frameworks and best practices available. Utilities are not alone—many others have already figured out how to balance complexity and cost.

Boringer: I completely agree on security by design. Too often, essential features like firmware upgrades or key exchange are treated as secondary. They should be prioritized before go-live. Systems must remain operational even during attacks or needed changes.

Security is not a one-time investment. It’s a continuous process requiring resources throughout the system’s lifetime. As usage evolves, so does the definition of “normal,” and systems must detect anomalies automatically. The initial investment may seem high, but it saves significant costs in the long run.

Urban: From the utility perspective, cost transparency is critical because customers will see it in their tariffs. Everything we do must be justifiable to the regulator.

We follow a risk-based approach: starting with ISO 27001 certification in 2022, we conduct annual surveillance audits and risk analyses. We begin with high-risk issues and move step by step. Prioritization is key—address the most critical areas first, then refine over time. This structured evolution helps balance cost and effectiveness.

Conclusion:

Standardization, the implementation of security principles from the design phase, and alignment with regulatory frameworks form the foundation for managing complex infrastructure requirements. When these three aspects are harmonized, it becomes possible to achieve a balance between efficiency, security, and long-term costs.

The greatest challenge in achieving overall system security is overcoming siloed approaches and establishing collaboration among all actors in the value chain. Only through coordinated efforts of manufacturers, software teams, infrastructure providers, and operators can a resilient and secure energy system be built.

The key is to plan security measures from the outset and to clearly communicate their financial justification to regulators and end users. Late implementation of security functions drastically increases costs and risks, while early adoption enables system resilience with lower operational pressure.
