In the 145th episode of the IoT Use Case Podcast, host Ing. Madeleine Mickeleit speaks with Dr. André Engers, Solution Manager Security at Landis+Gyr, and Oliver Kleindienst, Head of Marketing at Rhebo, about cybersecurity for critical infrastructures and energy grids. The discussion focuses on best practices for securing smart meters, anomaly detection in OT networks, and the impact of the Cyber Resilience Act on the industry. Together, they highlight real-world use cases and demonstrate how modern security solutions can support companies in the energy transition.
Podcast episode summary
In this episode of the IoT Use Case Podcast, the focus is on securing critical infrastructures and energy grids—an increasingly important issue in the connected energy sector. The experts explore how modern security solutions help combat the growing threat of cyberattacks.
At the heart of the discussion is the need for a comprehensive security strategy that goes beyond the “Secure by Design” principle, incorporating ongoing threat detection and anomaly monitoring. Technologies like Deep Packet Inspection, employed by Rhebo, monitor OT communication to identify suspicious activities before any damage can occur.
The episode also addresses new regulatory requirements, particularly the Cyber Resilience Act. Companies are challenged to implement cybersecurity effectively while avoiding bureaucratic pitfalls. Unified protocols like DLMS in smart metering play a key role in ensuring secure and standardized network communication.
Real-world examples, such as Rhebo’s collaboration with battery storage provider Sonnen and Landis+Gyr’s protection of 4.5 million smart meters, illustrate these solutions in practice. The importance of structured risk management processes and monitoring technologies in detecting threats early and closing security gaps is made clear.
This episode provides valuable insights into cybersecurity practices and highlights how companies can protect their critical systems in an increasingly digital world.
Podcast interview
Today’s episode brings you practical insights into real-world use cases from the realm of critical infrastructures and energy networks—also relevant for all manufacturing companies. Our guests are Dr. André Engers, Solution Manager Security at Landis+Gyr, and Oliver Kleindienst, Head of Marketing at Rhebo. We’ll be answering questions such as: What are the best practices for protecting devices and products? How does anomaly detection work? What does the Cyber Resilience Act mean in practice? Is it a helpful tool for certification or just bureaucratic overhead? All this and more, right now. You can find all the details in the show notes or at www.iotusecase.com. Let’s go!
Hello Oliver, hello André, great to have you here, and welcome to the IoT Use Case Podcast. Oli, where are you right now, and how are you doing?
Oliver
Thank you, Madeleine. Hello André, greetings from a slightly cloudy Leipzig. I hope the weather will improve. We’re at the office at Rhebo, and the team sends their regards. I’m looking forward to my first podcast recording for IoT Use Case.
Greetings! Great to have you with us. Shoutout to all colleagues in Leipzig and everyone tuning in from wherever you are. André, are you in Leipzig as well or somewhere else?
André
Hello, good morning, and thanks for the invitation. I’m not in Leipzig; I’m in Aachen, near the Dutch border, and today I’m working from home.
Nice. To get started, I’d be interested to hear a bit about you as individuals. Could you briefly tell us how you met? Oliver, would you like to start?
Oliver
Gladly. André and I know each other from our time at Rohde & Schwarz Cybersecurity, where we gained our first experiences. André was already in product management back then, while I was in marketing. Then, our paths took us in different directions. I moved to Rhebo, specializing in OT security, and André can share how things went for him. Now we’re back together, as Landis+Gyr fully acquired Rhebo in 2021, which we’ll definitely dive deeper into during the podcast.
Nice. André, maybe you can tell us a bit more about Landis+Gyr and your background?
André
Gladly. My background is also in computer science. As Oli already mentioned, we met at Rohde & Schwarz Cybersecurity, where we primarily developed security products for industries and public authorities, including work related to the BSI and classified data. It was, of course, a completely different field than what we’re working on now—another sector, although still broadly considered a critical one. Landis+Gyr is a company with a long history, founded in 1896 and headquartered in Switzerland. We’re the world market leader in metering, which involves everything related to measuring electricity. Our core business is electricity meters for households and industries, but we also offer water meters, heat meters, gas meters, and the corresponding backend systems—everything needed for the energy transition, including charging stations. We have a very broad range of offerings.
How did it come about that both of you are here today? Are you working on joint projects, or how does this connection work?
André
Oli already mentioned it: at some point, Landis+Gyr decided to acquire Rhebo.
The story is quite interesting. I still remember it well; the company’s ten-year anniversary wasn’t that long ago. If I recall correctly, Landis+Gyr was Rhebo’s first paying customer in this area. The company recognized early on that anomaly detection in the OT sector was a relevant field. Landis+Gyr serves the entire portfolio of a power grid operator, from backend systems to substations, which can, for example, be monitored by the Rhebo Protector. In some countries, cybersecurity is already very advanced, while in others, it’s not. Rhebo’s products are a logical step towards providing comprehensive protection for our customers. This is driven both by requirements and regulatory mandates, which we can discuss in more detail later.
Oliver
Just to add a bit: we already had customers in other areas, but when Landis+Gyr came on board with smart metering and the advanced metering infrastructure, it opened up an exciting new field for us with connected devices.
You’ve already touched on the topic of smart metering. The podcast is always about practical applications. Do you have any concrete projects or examples that could illustrate this topic? You don’t have to name any customers, but an example would help make the subject more tangible.
Oliver
We have already presented a use case, which can be found on the IoT Use Case platform, featuring the battery storage provider Sonnen. We have a lot of connected devices in use there—over 130,000 devices worldwide now. Our monitoring solution runs on these devices as a kind of agent that ensures fleet management, monitoring, and cybersecurity. This is particularly important because connected devices create new attack vectors. It’s a fascinating use case. We are also working with Landis+Gyr to secure smart meters and Head End Systems as the world becomes increasingly networked. There are more and more devices on the market that communicate with each other, which makes protection even more complex.
André, could you tell us about the typical use cases at Landis+Gyr? Is it mainly about smart metering, or does it go beyond that?
André
Gladly. Our main projects involve nationwide rollouts, which are often very extensive. As mentioned, different countries are at various stages of development. Some countries are still on their first generation of smart meter rollouts, while others are much further along. For instance, in Belgium, there are about 4.5 million meters—quite a significant number. We offer both on-site service for the meters and backend systems to read the meters. We then deliver this meter data back to the customer. An important aspect here is securing the hosting environment. It’s not just about operating the meters securely but also keeping an eye on the entire infrastructure and identifying and addressing risks in a timely manner.
[07:55] Challenges, potentials and status quo – This is what the use case looks like in practice
I’d like to focus again on the business case. IoT isn’t an end in itself, and the technologies and products you use at Rhebo serve a specific purpose. Could you give us some insight into the classic business case or the business challenges you face at Landis+Gyr?
André
We need to modernize the meter parks. The added value we offer customers – including private individuals – with a smart meter is significant. A simple example is dynamic electricity tariffs, where you can set your car to charge at night when electricity is cheaper. However, you can’t control that it charges on weekends when the sun is shining. These are basic examples, but they can be expanded in many ways, especially in connection with existing home automation systems.
So, it’s about modernizing the IT infrastructure, while security plays a major role at the same time. Oliver, what are the biggest risks if customers don’t take security seriously? We’re talking about thousands of devices, 130,000 at Sonnen, and even 4.5 million at Landis+Gyr. How can this be managed from a security perspective?
Oliver
You have to look at the situation in a more layered way because there are different stakeholders, each with their own reasons for prioritizing security. One reason is ensuring business continuity. It’s about keeping processes running smoothly, ensuring devices work, and avoiding losses – for instance, in a solar park or battery storage systems. Nobody wants to lose money. On the other hand, there are compliance requirements, such as the NIS2 directive or the IT Security Act. Companies must ensure they operate in compliance with regulations to avoid penalties.
One important point I learned when I switched from IT security to OT security is that in the OT world, the focus isn’t on data security but on process stability. Everything has to keep running, and nothing can be interrupted. Errors can occur in OT networks, and during our risk and security assessments, we often see many issues and challenges. Still, these networks typically function, and we can work in real-time operations to implement improvements step by step. That’s a crucial aspect of why cybersecurity is so important in this field.
For those who may be hearing NIS2 for the first time: The NIS2 directive was created by the European Union; it sets cybersecurity standards for critical infrastructure and raises security standards. This is coupled with mandatory security measures. There is also the Cyber Resilience Act, which focuses on the cybersecurity of products and software. Oli, you just mentioned that errors can occur, meaning outages can happen. Could you explain in more detail what problems can arise with these devices and the challenges they bring?
André
For large deployments, such as those with 4.5 million meters, these are controlled and read centrally – depending on the power quality. Sometimes meters need to be reconfigured, or power has to be disconnected due to non-payment by a customer. These meters can actually cut off electricity. There are a variety of commands and configurations that can be executed on a meter, and these must be secured very well, both technically and organizationally, so that not just anyone can access them.
This also directly impacts the stability of the power grid. When you control a large load, you can destabilize the grid. With over 4.5 million meters, that’s a significant amount of load that can be controlled. The regulations you mentioned earlier play a role in ensuring a uniform level of security. There are often still national differences in the security requirements, which are to be harmonized by NIS2. However, each country has to implement the directive individually, and in Germany, this can be more complex than necessary.
The secure operation – from deployment to change management to monitoring – presents significant challenges for many customers. That’s where we, as a product manufacturer, come in, working together with Oli and his solutions for visibility to help customers tackle these challenges.
Oliver, I’ll pass the question directly to you. We’re talking about very large rollouts, but you also have customers with fewer devices. Are similar challenges observed with these smaller customers?
Oliver
Yes, definitely. The challenge, especially in connection with the NIS2 directive, is ever-present. Compared to the previous IT security legislation, NIS2 entails greater responsibility, such as personal liability for managing directors. This naturally leads to uncertainty about how exactly to implement the requirements. We do not offer free tickets for NIS2, but are part of a holistic solution. It’s not just about technical security, but also resilience, reporting, and a structured approach to implementing solutions. This affects large customers as well as smaller ones, such as municipal utilities, energy providers, waterworks, or companies in the food, pharmaceutical, and chemical industries, which also fall under the Critical Infrastructure Regulation. This regulation is dynamic, with thresholds regularly adjusted, such as the inclusion of waste incineration plants earlier this year. This often causes uncertainty: which companies are affected, and how do you correctly implement the regulations?
Could you elaborate on the challenges for manufacturers, especially in connection with the Cyber Resilience Act? Is it more of a bureaucratic burden or a necessary measure?
André
The Cyber Resilience Act primarily targets products that communicate with the internet. It defines different criticality categories: the majority of devices fall into the standard category, followed by “important” and “critical.” Most of our customers are already covered by NIS regulations, and the Resilience Act states that products sold to NIS-regulated entities must be classified as at least “important,” often even “critical.” This means that these products will likely need certification by a third party, such as TÜV.
For manufacturers, this means that products must meet both technical requirements and process-related aspects, such as a secure development lifecycle. Many talk about the Secure Software Development Lifecycle, but actual implementation varies widely. Currently, as a manufacturer, we are moving towards certification because we want to maintain our market leadership. However, there are still no harmonized standards for this certification, and it’s unclear what they will look like. There could be specific standards for different product categories such as Head End Systems, monitoring components or meters. This is still evolving.
Do you think the Cyber Resilience Act and NIS2 will hinder, slow down or make IoT and IIoT projects more bureaucratic? Or do you believe these regulations will make IoT projects easier in the long run?
André
I think it will get a bit more challenging. The problem I see lies with the people involved in enabling these processes. The security capabilities of a company, the necessary testing bodies, the auditors—all of this represents a bureaucratic overhead. This should not be underestimated. But it is also necessary and the only way to advance certain things to the point where they can be used properly. I was at a Cyber Security Energy Forum in Brussels yesterday, where ENISA was also present, and a good example was given of why product security in IoT applications is important. Many years ago, no one wanted to use their credit card online because the risk of data theft was high. There was a lack of trust in this digital solution. Today, it’s completely normal for us to pay with Apple Pay or similar services – trust in these systems has developed. It will be similar here: once the connected services are secure, people will trust and use them.
Let’s get back to the technological challenges. You mentioned that errors can occur, and managing thousands of devices is a big challenge. Can you give examples of which types of data are particularly relevant for these IoT security projects and how they are processed?
Oliver
I’ll start from my perspective. In cybersecurity, we mainly deal with the forwarding of data via Syslog. We use a deep packet inspection system to analyze the traffic—not just the headers, but also the contents of the communication. For us, the valuable data are those that indicate anomalies in the communication. We look to see if the communication is what we expected through baselines or if there are anomalies that we need to investigate. That’s our part of data analysis. André can certainly provide more details about the types of data used within the devices themselves.
André
Gladly. For electricity meters, we use the DLMS application protocol. It is the de facto standard in the EU and is also widely used in many parts of Asia. In the U.S., a different protocol is used. DLMS transports consumption data, which is the primary use case for our customers. This protocol also allows software updates to be applied to the meter or configurations to be changed, such as parameterizing or updating the modem. For us as a manufacturer, control commands are particularly important to maintain control over the meters—for instance, to disconnect the power when necessary.
There are several other critical commands that carry a high risk if misused. We make extra efforts to secure these. The DLMS protocol is already relatively secure and offers three security levels for authentication, encryption, and data integrity, similar to what you see with TLS. However, for particularly critical commands, such as disconnecting the power, we go a step further and additionally sign certain commands. We also use hardware security modules to ensure that only authorized systems can execute such commands. If these critical commands are misused on many devices, it could, as I mentioned earlier, have a massive impact on grid stability.
Before we get into the specifics of implementation: You’ve already mentioned many technical aspects like anomaly detection and authentication. Feel free to share in the comments what challenges you’re facing in this area and where you see obstacles right now.
[23:22] Results, Business Models and Best Practices – How Success is Measured
I’m particularly interested in how this works in practice. If I, as a company, want to implement such solutions, how do I go about it? Can you briefly explain what components are needed and how you collaborate with your customers?
Oliver
On one hand, there is the “Security by Design” approach, in which André is heavily involved, ensuring that products are securely developed from the outset. On the other hand, we have the Rhebo approach, which acknowledges that nothing is 100% secure. Therefore, it’s essential to have an attack detection or anomaly detection system in place to monitor the entire system—not just the devices themselves, but also the network and the communicating components. Our approach is based on a passive, non-intrusive anomaly detection system, also known as IDS or SzA, which scans the entire network traffic.
When we start with customers, we let the system run for two to three weeks to record all network traffic. This allows us to identify what legitimate traffic looks like, which processes are running correctly, and what anomalies or faulty conditions exist that need to be addressed. The goal is to ensure continuous monitoring of the network traffic to identify potential threats early on.
Is this the system you referred to earlier as Deep Packet Inspection? Do you analyze all the network traffic with it? How does that work?
Oliver
Yes, exactly. Deep Packet Inspection is a central part of our solution, the Rhebo Industrial Protector. We developed this technology ourselves, and it analyzes all network traffic. That means we don’t just see the types of packets, such as whether they are TCP/IP packets, but also the content of the communication. This allows us to determine what is actually being exchanged between systems and to detect whether the communication is legitimate or if a potential threat scenario exists that needs to be stopped.
So, with this tool, you can detect in a substation or a factory if there is an unusual command sequence or if parameters are being changed in an abnormal way to identify potential attacks or malfunctions. Can you put it that way?
Oliver
Yes, absolutely. We have two examples from real-world applications: one was a power plant where a component was sending a signal to a Russian server once a week, even though the server no longer existed. The communication continued regardless. We were able to monitor this and then deactivate it. The second example was in a wind farm, where someone in a turbine was trying to access the internet via WhatsApp—perhaps to order a pizza. Such activities are, of course, not intended and represent attack vectors that we aim to prevent with our attack detection system.
André
That’s a very good example, especially the first one. It shows that while you can build systems as securely as possible, they are still very complex. That includes the components involved. Here it’s about supply chain security. There is some level of visibility into the supply chain, but the issue of the software supply chain with third-party components and libraries presents a separate challenge. It’s important to have such visibility to detect when something is wrong in the infrastructure. Even if you document and plan systems, problems sometimes arise in practice.
For us, it is an advantage when we deploy a system and integrate a monitoring component. This helps us because, as a company, we act as a manufacturer, integrator, and operator in many areas and therefore face many regulations, almost all of which apply to us. Such a monitoring component enhances security in both the backend system and the edge systems. You can sleep more soundly when you have a watchdog in place.
Yes, that sounds reassuring. André, you mentioned earlier about the signing and authentication of devices. What is the advantage of that, and how do you implement it when there are thousands of devices?
André
The HES or Head End System, i.e. the backend system, communicates with the meters. The client connects to the meters; it is a one-to-many relationship. We have integrated hardware security modules (HSMs) from Thales for data signing. These HSMs perform secure cryptographic operations and store the necessary keys extremely securely against physical attacks. A signature is very sensitive, and we want to ensure that only authorized personnel can sign commands to make changes to meters, for example. The signatures are distributed to the meters step by step via a queuing system, so even large volumes of commands can be handled securely.
[29:54] Transferability, Scaling, and Next Steps – Here’s how you can use this use case.
Oliver, you just mentioned another provider. How does integrating other systems work in your case? Are you open to situations where a company already has other systems in place? Can this data also be integrated into your system?
Oliver
A widely known system that many are familiar with is Splunk. It is used across various industries. Another example would be IBM QRadar or similar solutions in this field. The advantage of such systems is that you can consolidate all the data in one place, especially with the growing importance of IT and OT convergence. This allows you to define which data is particularly important for operations and needs to be monitored, and which is less relevant. These systems are very useful for providing a comprehensive overview.
Great. I’ll include your contact details and information about Rhebo and Landis+Gyr’s products in the show notes. Make sure to check them out; it’s really interesting. And if you have any questions, both André and Oliver are available. I have many more questions, but we can dive into those on other channels if needed.
Oliver
Absolutely, thank you.
To wrap things up, maybe one last question: do you have any best practices or key pitfalls to watch out for when implementing such systems? You’ve already gained a lot of experience.
André
One word: risk management. It’s really important to conduct risk analyses for the products to understand what they consist of, where the risks lie, and how they can be efficiently and cost-effectively minimized. Too few people do this. So definitely make it a priority!
Oli, do you have any best practices from your customers that you’d like to share?
Oliver
I’d also start with risk analysis. It’s the best entry point, and we like to call it a “Security Health Check.” The entire system is examined to understand what’s happening. It’s always a good starting point to get an overview and see if you’re well-protected or if there are areas that need improvement. It’s a bit like a regular health check-up.
Yes, very nice. A great addition. Before I forget, Oli, we also talked about your own podcast. For those who want to dive deeper into the topic, especially security experts, check out the OT Security Made Simple podcast by Rhebo. The host is Klaus Mochalski, and I’ve also been a guest. It’s a fantastic podcast—be sure to give it a listen!
Oliver
Thank you, we appreciate that! We’re also glad we could welcome you as a guest on our podcast. That episode will probably be released at the same time as this one. Thanks for joining us!
Yes, definitely check it out. I talk about the categorization of use cases and how organizations can position themselves effectively to learn from best practices. I think today we got a good overview of who you are, what your companies do, and what your business case is. We discussed many challenges and regulations, but also how you make IT and OT secure and the added value that comes from it. Thank you both for joining us today. I’ll leave you with the closing words!
Oliver
Many thanks also from my side. Thank you, André, and thank you, Madeleine, for having us and allowing us to share our knowledge. OT security is an important topic. As you mentioned, the podcast is out there—feel free to check it out; you might find something interesting. Thanks, André, for sharing your insights from the Landis+Gyr perspective.
André
Thank you both, and thanks for the invitation, Madeleine. It was an exciting experience, and I hope some of the listeners can benefit from what we discussed. As I said, I’m always open for discussions if there are any questions.
Thank you both, and have a great rest of the week! Take care. Bye.
André
All right, thanks, goodbye!
Oliver
Bye!