In this interview, we speak with Brecht Wyseur, a Director of Cybersecurity Standardization in Kudelski IoT and Board Member of the DLMS User Association, who shares how the energy sector is evolving from traditional perimeter-based models to zero trust architectures.
Drawing on decades of experience, he outlines how hardware-level security, interoperability standards, and certification frameworks are reshaping utility cybersecurity. From securing chipsets to shaping EU-level regulation, this conversation unpacks what it takes to protect the grid of tomorrow.
Alongside your role as a Director of Cybersecurity Standardization, you are also a Board Member of the DLMS User Association, where you play a key role in cybersecurity standardization for smart energy solutions. Can you tell us more about your work in Kudelski and DLMS and how it contributes to strengthening security in Smart Home and Smart Grid technologies?
Certainly. Let me start with my role at Kudelski IoT and the background of our company, because I think that’s essential to understanding our engagement in smart energy systems – including smart home and smart grid technologies.
Kudelski IoT is part of the Kudelski Group, a cybersecurity company with around 2,000 people operating globally. We have over 30 years of heritage in digital TV content protection technology, securing pay TV systems at large scale. We’re actually the largest supplier for cybersecurity in that market.
Over the decades, we’ve built deep expertise in two core areas. First, key management at scale – translating the needs of content distribution operators into end-to-end key management systems. Second, embedded security – implementing robust security directly into devices. This includes protecting devices like set-top boxes or smart cards from physical attacks. Our capabilities span software, firmware, and even hardware-level security.
About ten years ago, we began to diversify our business into new markets. The energy sector stood out because of its large-scale infrastructure risks. That’s when we started deploying our technology in this space and joined the DLMS User Association. Around the same time, we also became a member of the European Energy ISAC, a threat-monitoring association in Europe.
On of our focus areas has since been on smart home and smart grid, with smart energy as the common denominator. We quickly recognized DLMS as a key player in this domain. DLMS offers core security functionalities within its communication protocol, which we saw as a critical foundation. That made it a natural partner for deploying our security technologies.
I currently serve as a Board Member of the DLMS User Association. Together with other members, we recently launched a Security Task Force and a Commissioning Task Force. Both are areas where we’re deeply involved.
The Security Task Force is about maintaining and advancing DLMS as a secure protocol, especially as new features are added to the standard. We’re also aligning DLMS capabilities with emerging regulations to support manufacturers in achieving compliance. For example, we’re working on mapping existing regulations to the standard’s features, helping members navigate that space. Additionally, we’re looking ahead to challenges like quantum computing, ensuring DLMS can evolve to support post-quantum cryptography.
On the Commissioning Task Force side, we focus on enabling secure device lifecycle management. That means supporting secure commissioning – from manufacturing through to operational deployment – so DLMS can be used meaningfully across the entire ecosystem.
Our commitment in DLMS is to contribute both to the evolution of the standard and to the broader industry. Personally, I also stay closely involved with regulatory developments, such as those at CEN/CENELEC related to the Cyber Resilience Act. We’re active on that front too, trying to guide the market toward meaningful cybersecurity outcomes.
So yes, with over 30 years of cybersecurity experience and a strong, technically diverse team, we’re well-positioned to make a solid contribution to the DLMS community and the energy sector at large.
What do you see as the biggest cyber security challenges for utility companies today, and how can the industry address them?
One of the biggest shifts happening in the market right now is the integration of renewables and electric vehicle (EV) charging infrastructure. This isn’t exactly new – we’ve seen this happening for years – but it’s accelerating, and the industry is adapting. From a cybersecurity perspective, I prefer not to talk about “challenges” in the negative sense. I see opportunities.
The way utility infrastructure is evolving is key here. Traditionally, the energy market operated with a limited number of integrators. A utility would either handle integration itself or work with a single integrator to manage connections between the transmission network, distribution grid, and end consumers like industries and households. It was a manageable, centralized system.
But that’s changing. Now, utilities are integrating with EV charge point operators, smart home systems, heat pumps, and more. Instead of one integrator, you might have many – or sometimes none at all. For instance, an individual might install a battery or EV charger at home using a local electrician or a retail product. Suddenly, you’re dealing with a fragmented integration landscape.
This creates complexity – but also opportunities. For utilities, it opens the door to new use cases. For manufacturers, it means building devices that are plug-and-play and can easily be integrated. For tech companies like Kudelski, it’s an opportunity to secure these systems. And for regulators, it’s about creating frameworks that ensure everything works together smoothly and securely.
Security and interoperability must go hand in hand. One of the foundational elements in securing complex infrastructures is having standards that support both. And not just on paper – these standards need to enable rigorous development, testing, and validation of devices. Compliance alone isn’t enough. You need to ensure that devices actually interoperate securely at all levels.
Take DLMS, for example. It operates at the application layer. But to build a secure system, you also need network-level standards – like those for RF technologies – to be tested. Devices need to be able to talk to each other properly. Miscommunication can be as simple as a Wi-Fi device failing to connect, and that’s just the tip of the iceberg.
We also need to ensure that every system actor is clearly identified and authorized. That means implementing robust identity frameworks. It’s not just about encrypting data – it’s about verifying who’s communicating and whether they’re authorized to do so.
This becomes especially important when you’re dealing with data exchange between systems. In smart metering, for example, the head-end system might send commands to shut down a device like a heat pump or EV charger. That command must remain authentic even when traveling through different devices or networks like from the head-end system over a smart meter to the end device. DLMS provides end-to-end data protection, and as such provides a means to authenticate commands from head-end system to end devices.
Even in cases where communication doesn’t pass through the smart meter – say, between utilities and third-party charge point operators – you still need protection. If any device in that communication path is compromised, security mechanisms should still hold. That’s the essence of resilient system design.
As for smart meters themselves, the industry is making significant progress. Chipset manufacturers are embedding core security functions. Meter vendors are implementing features such as secure boot mechanisms and ensuring firmware integrity. We’re moving in the right direction.
Those stories about meters being easy to hack? Hopefully, they’re behind us. Utilities today have the responsibility – and the tools – to rigorously test equipment before deploying it. That’s where due diligence comes in: validating both the hardware and the data that flows through it.
That said, the level of control varies. Utilities typically have authority over what meters are connected to their network – they can perform deep testing. But with other devices like heat pumps, which aren’t necessarily utility-installed, the situation is more complex. In such cases, broader frameworks and guidelines are needed to govern what devices can be connected.
Utilities can and should test the meters they deploy. In most markets, they do. But practices and responsibilities vary across regions. So while the capability exists, its application depends on local context.
In the end, the key is a layered approach – combining secure devices, robust standards, interoperability, and strong identity management. Only then can we secure the complex, decentralized future of utility networks.
Can you share some best practices or innovative solutions that have been successfully implemented to strengthen security in utilities?
To understand best practices and innovative solutions for improving cybersecurity in utilities, we first have to look at how the infrastructure is evolving. The market is shifting—from having just a few integrators managing OT infrastructure, to a complex, interconnected ecosystem with many integrators and connected devices. In the past, utility networks were largely isolated, with security built around zoning. You had separate segments, each protected at the perimeter, with tightly controlled interfaces. That model worked for a time.
But now, we’re operating in much more open environments. You have connected households, third-party devices, decentralized generation, and an increasingly blurred boundary between operational and consumer domains. The old perimeter-based model simply doesn’t hold up anymore. That’s why the utility industry is now shifting toward a zero trust approach.
Zero trust starts from the assumption that your network is already compromised. You assume the attacker is in the system and build your defenses accordingly. That changes everything. Instead of relying on isolation, security is built on unique device identities, secure authentication, encrypted communication, and verifiable data integrity. Each device must be secure in itself, capable of proving it is trustworthy, and able to ensure the data it sends is reliable—even in a hostile environment.
To enable that, we need to move beyond simple authentication mechanisms. What’s emerging instead is a focus on the chipset level—hardware-based security. Chipset manufacturers play a key role here. They’re embedding features like secure storage, unforgeable device identities, secure boot processes, and attestation mechanisms. These hardware-level capabilities are then leveraged by device manufacturers to build secure systems.
Utilities won’t interact directly with chipsets, of course. That’s not realistic. But they do set the requirements that device manufacturers must follow. Utilities can demand that equipment proves it can do only what it’s meant to do, that it hasn’t been tampered with, and that it supports secure communication. How the manufacturer meets those requirements—whether by using secure chipsets or other means—is up to them. But the utility should be able to verify that those requirements are met, either through direct validation or certification.
Certification is a key part of this. If a device manufacturer can present a cybersecurity certificate, it simplifies things for everyone. That’s also a current topic of discussion within DLMS. The DLMS protocol today provides secure communication, and devices can be certified for protocol compliance. But that doesn’t yet mean the device itself is secure—only that it uses DLMS correctly.
So there are two possible paths. DLMS could extend its certification process to include device-level security, or it could recognize and align with third-party cybersecurity certifications. These third-party schemes are already in development—especially under the European Cyber Resilience Act and EU Common Criteria framework. We expect these certifications to be in place by 2027. When that happens, the combination of DLMS protocol compliance and device-level cybersecurity certification will give utilities a solid foundation to build on.
Beyond energy, zero trust principles are being adopted in other industries—smart home, smart buildings, and beyond. We’re seeing more and more emphasis on secure device identity, attestation, and commissioning. Devices are no longer trusted by default. They must prove themselves, be onboarded securely, and maintain trust through their lifecycle.
Organizations like NIST are helping shape this direction. They’re developing guidance and standards for secure IoT onboarding, and we’re actively contributing to those efforts at Kudelski. This work directly informs what we’re doing at DLMS, particularly in the commissioning task force, where we’re focused on secure device onboarding using zero trust principles.
At the same time, we can’t ignore traditional approaches. Zero trust is essential, but utilities still need some degree of network isolation where possible and monitoring capabilities. That’s where Security Operation Centers (SOCs) come in. SOCs monitor the network in real-time, detect threats, and respond to incidents. Utilities need both: secure systems built on zero trust principles, isolate networks where possible and monitoring systems that can detect and respond when something goes wrong. A layered security approach.
This approach is embedded in frameworks like the NIST’s Cybersecurity Framework 2.0. It outlines a full lifecycle based on 6 pillars: governance, identity, protection, detection, response, and recovery. Utilities must build secure systems, but they must also have processes in place to detect vulnerabilities, respond to threats, and restore secure operations—whether that’s updating firmware, isolating compromised components, or adjusting their processes.
In traditional isolated systems, when something went wrong, you could cut off the affected segment—creating an “island”—and contain the threat. In a zero trust environment, intervention looks different. Instead of isolating physical segments, you isolate untrusted data. You don’t have to cut off the device from the network; instead, you stop trusting its data. If a sensor is compromised and starts sending false voltage data, the system must recognize that source as untrustworthy and disregard it in decision-making. You don’t make grid management decisions based on unverified or corrupted data.
That’s the shift: from isolating networks to validating and isolating trust at the data and device level. It’s a more dynamic, data-driven form of control that reflects the complexity of today’s energy systems.
Conclusions:
Traditional perimeter-based security models are no longer sufficient for the modern, interconnected utility landscape. The industry is embracing zero trust principles that rely on device identity, authentication, encryption, and data integrity to ensure system resilience.
As smart energy systems become more decentralized, ensuring secure interoperability through rigorous standards like DLMS and aligning with emerging EU cybersecurity certifications is critical. Certification frameworks will enable utilities to trust that devices are secure by design, not just compliant on paper.
Security must be embedded at the chipset level, including secure boot and attestation, to support a trusted ecosystem. Secure commissioning and lifecycle management of devices are necessary to maintain integrity from manufacturing to deployment across the smart energy network.
Question:
As we move toward a decentralized energy landscape, how prepared is your organization to adopt zero trust principles and validate the trustworthiness of every connected device?