Welcome to the first part of the interview with René Boringer, Vice President of ESMIG’s Executive Committee and Co-Founder and CEO of Cuculus GmbH.
We explore the evolving role of cybersecurity in the smart metering ecosystem. René shares how modern utility systems require resilience beyond meter-level protection—extending deep into backend systems, key management, and organizational processes. From insights on hardware security modules to lessons from Austria and Germany, this conversation offers a pragmatic view on building smarter, safer grids for the future.
Read on to learn why simplicity, resilience, and collaboration are key to securing Europe’s energy transition.
You are a Vice President of ESMIG’s Executive Committee and Co-Founder and CEO of Cuculus GmbH. Since you are deeply involved in the development of smart metering solutions and industry standards, can you tell us more about your work, especially the role of cybersecurity in your field?
First of all, I’m kind of a special animal within ESMIG, because at Cuculus, we are a company focused solely on software. ESMIG was originally founded by smart meter vendors. It’s a representation of the smart metering world to the European Union.
We joined the group because we believe there should be a broader perspective on the entire topic – especially on security. You can’t just protect the meter; you have to protect the whole solution. That includes meter, communication as well as the backend systems that gather data, store it, and trigger various processes.
This is where we see the value we can bring, and where I personally contribute to the discussion on cybersecurity – by looking at it from the backend systems down to the meters.
Traditionally, security in smart metering has always been approached from the meter upwards, focusing primarily on securing communication. But that’s not enough.
We refer to that as a “nutshell approach” – where you assume that by protecting the outer shell of your system or process, nothing will get in and the problem is solved. That’s not the reality for modern utility systems.
What do you see as the biggest cyber security challenges for utility companies today, and how can the industry address them?
In contrast to many others in the market, I don’t see meters as the most vulnerable part. I think it’s the organization itself. It’s much easier to be hired as an operator in a utility and then do something really harmful to the network than to hack into meters and try to multiply that across thousands to make a significant impact.
One part is how internal processes and systems are protected. The other is the kind of threats that can be introduced on the physical layer of the system. Today, we have a lot of renewable injections and large consumers that can imbalance the grid. That doesn’t necessarily relate to IT systems – except when those IT systems aren’t fast enough to respond to the challenge. An attack can come by disrupting planned renewable injections or manipulating consumption to destabilize grid quality. Reducing or increasing consumption in an unexpected way can compromise grid stability.
The issue isn’t just in the meter or the software – it’s across the entire system: people, processes, and response capabilities. I’m mainly talking about network resilience. We need to react quickly to unforeseen events in the network that could cause major issues. That means the meter, the communication layer, and the backend systems all need to work together to respond instantly. For example, we need to be able to cut off problematic parts of the grid or rebalance loads quickly. If someone tampers with large power production units or drops the load, the system needs to immediately reduce injection or consumption to stabilize again.
This is a completely different utility system than what we had in the past. Previously, everything was slower, and localized issues had localized impacts. Now, with distributed systems, attacks can happen simultaneously across multiple parts of the grid. We need new system designs – what I call resilient systems. Security’s role is to keep the system running long enough to allow mitigation. It’s not just about locking someone out. We assume someone will eventually break into the system, so it must still function when that happens. That’s resilience.
Fully separating software systems from the internet or from people doesn’t work. There have been well-known cases where even isolated smart metering systems were hacked. Hackers once entered through a printer port in a utility’s training center – and they were in. Complete isolation can create a false sense of security, and then no one prepares for what to do if something happens.
Today, systems must be connected. Meters are connected – somehow – to the internet. Even mobile connections rely on internet backbones. Backend systems are always exposed in some way. We’re no longer talking about one connection between two data centers. We’re dealing with thousands of connections – not just from meters, but also from EV chargers, PV inverters, heat pumps. Everything is connected to the grid and backend systems. The way we used to operate – like injecting meter reads from a workforce system into a platform – is no longer enough. Now, there’s constant, fast, and broad interaction between systems, which introduces risks we hadn’t seen before.
Backend systems today are well-secured using specialized protocols with limited functionality. The idea that someone could hack a meter and suddenly steal a utility’s entire database isn’t realistic anymore. That said, there are strong tools to protect meter communication and the meters themselves. One example is using hardware security modules (HSMs) for all communication. With HSMs, encryption and decryption keys are never exposed – not in the cloud or in a processor. Everything happens inside the HSM.
These are the same techniques used to protect financial trading on stock exchanges, and they can be used for smart meters too. It’s expensive, which is why it’s not widely adopted, but the technology is available. These HSMs aren’t inside the meter – they sit in the backend. All the keys used for meter communication are stored and processed there, encapsulated inside the HSM. Communication passes through this secure device, meaning utilities can improve communication security without changing the meters themselves.
Modern meters don’t use a single key anymore. In the past, one key might’ve been used across an entire city or country. Today, meters have multiple keys – usually four to five – for different roles. There’s a key for communication, another for sending commands, another for firmware updates. Some keys wrap others, like when you’re updating keys or firmware remotely. The protection level, if implemented properly, is already quite high.
Of course, managing all those keys is difficult. Utilities need proper key management systems tailored to their operations. Every meter has different keys. Technicians in the field need the right key with the right role to access a meter. If a handheld device with keys is lost, there has to be a system in place to manage that securely. That’s why key lifecycle management is so important.
The next step is using certificates instead of keys. This increases security but also increases complexity. Right now, most utilities work with several meter vendors, each with its own head-end system and key management setup. That leads to huge coordination challenges. If every head-end system has its own lifecycle process for keys, and all of that must work with the same workforce management systems or to the same meter population, the complexity increases exponentially.
Meters are critical infrastructure. Whoever installs them must ensure the vendor is following the right security standards. There should be procedures to check software and identify vulnerabilities – regardless of whether the vendor is from China, the U.S., Europe, or elsewhere. That’s why certification processes for software testing are important.
Depending on the communication technology, there are several ways to test and confirm where data is going. But this shouldn’t be a one-time check. It should involve continuous network monitoring for any suspicious behavior, and the system should be able to respond if something goes wrong.
If data does start going somewhere it shouldn’t, what would be the action in that case? Switching off the meter is not possible. Even greater danger is if someone can actually control the meter – switch it off or change something. Reading consumption data is less harmful than full control. But ideally, that situation should never occur. It’s all about monitoring and having the ability to act.
Right now, I haven’t seen any organization capable of testing full technology stacks for this kind of threat. Every country has its own rules and regulations. If this level of oversight is required, it would need to come from a national certification body with the technical ability to test meter software for vulnerabilities. But I haven’t seen that yet. At Cuculus, we work in many countries, and this kind of deep, national-level security testing is still missing.
I’ve never seen a meter send data to an unauthorized server. I’ve seen malfunctioning meters, sure, but not one that actually tried to communicate somewhere it shouldn’t. At the moment, we have 25 million households connected to our platform, working with more than 200 vendors – and that has never happened.
Can you share some best practices or innovative solutions that have been successfully implemented to strengthen security in utilities?
One of the clients we work with that we often present as having the highest security levels is the utility in Salzburg, Austria. Salzburg is a city of approximately half a million inhabitants, and the local utility there has invested heavily in building a highly secure setup. It’s a good example of how to implement a hardware security module (HSM) solution. They use a central key management system that encrypts all communication and handles all key exchanges through this setup.
Alongside that, they’ve implemented measures to protect the network and react to what I call day-zero attacks – incidents that nobody could have predicted. That’s the essence of cybersecurity: you can never claim a system is completely secure, because a day-zero event will happen eventually. It’s just a matter of time. That’s why systems should be designed to be resilient, so they can survive such attacks. Resilience starts with the way the entire solution is organized. For example, structuring it into isolated islands that are connected to one another means that if one part is compromised, it can be disconnected to protect the rest. Some utilities even split their meter population across different systems. These might be the same type of system or from the same vendor, but they are separated so that if one part is affected, the rest can continue operating. That way, a single breach doesn’t take down the whole country.
On the other side, I’ve seen what’s happening in Germany, which is quite unique. In most countries, we talk about smart metering. In Germany, we’re actually talking about smart grid – and more specifically, smart low-voltage grids. There’s a lot of functionality being developed alongside meters, not just for metering but also to control assets like PV generation systems or large energy consumers such as EV chargers and heating systems. These systems use data from smart meters to balance the grid in real time. That’s being implemented at the low-voltage level, and it hasn’t been attempted on this scale in other countries.
This ambition is one of the reasons Germany is progressing more slowly. The scope is very broad, the complexity is high, and so are the threats. For example, if a large number of PV systems were suddenly shut down, that could destabilize the grid. The same is true if many heat pumps were turned off simultaneously. Events like these could lead to outages across entire areas of the grid.
There’s a lot of security built into the German approach – sometimes over-security – and it’s backed up by multiple overlapping solutions. It’s incredibly complex. And that’s where my concern lies. Extremely high and especially complex security setups can become difficult to manage. It can make it harder to detect threats and harder to respond effectively when something happens. Simple systems are easier to monitor, control, and bring back into balance.
The goal in Germany is to use the smart metering infrastructure to support flexibility in the grid. The challenge is that while the need for flexibility has become urgent, the rollout of smart metering has been slower than expected. Now, the flexibility demand has overtaken the infrastructure. We’re in a situation where we must align the smart metering systems with the flexibility needs of the grid, and doing that effectively is a major challenge.
The Salzburg example also highlights the importance of system design. The concept of organizing systems into isolated islands makes it possible to contain an attack. And what I find really effective in Austria is the collaboration between utilities. Because there are many utilities in the country, and they are interconnected, they’ve built systems for sharing alerts. If one utility is attacked, others are informed and can take protective actions. That kind of peer-to-peer alerting is a very simple concept, but it’s extremely powerful.
Monitoring on its own is important – but even more valuable is sharing that information. We’ve seen this especially with customers in Eastern Europe, who face daily cyberattacks. These attacks are ongoing, and utilities are constantly being tested by attempts to compromise their systems. But it’s not just the attack that matters – what’s critical is how the utility responds, how it pushes back, and how it recovers. That experience is valuable for the entire sector.
A shared platform where utilities could exchange this kind of operational experience in a structured way would be incredibly helpful. The knowledge gained from dealing with attacks, the tools used to respond, and the insights from post-attack analysis – these are all resources that could strengthen the sector as a whole. Building a space to share that knowledge could have a real impact.
Conclusions:
Cybersecurity in smart metering must cover the entire system, not just individual meters, as traditional protection methods are no longer sufficient. Resilient systems that maintain operation during breaches are crucial for modern utilities.
Internal vulnerabilities and grid imbalances pose greater risks than external attacks, making security a matter of both technology and process management. Utilities must focus on rapid response capabilities to maintain stability.
Collaboration and shared threat intelligence among utilities strengthen cybersecurity by enabling faster responses to attacks. A structured platform for exchanging security insights could significantly enhance grid protection.
Question for audience:
How can utilities balance the need for strong cybersecurity with the complexity and cost of implementation?