Katja Hakoneva, product manager at Tuxera, says it is vital to protect your smart meters.

Smart meters have evolved from measurement tools to real-time data nodes central to the energy transition. These devices sit at the grid edge, collecting, storing, and transmitting energy usage data to support demand-side management, customer analytics, and predictive maintenance.

But as infrastructure modernises, the local embedded storage layer often remains critically under-secured. While most cybersecurity strategies focus on communication protocols, the flash memory inside meters, which holds billing records, firmware logs, and user data, can remain exposed. This overlooked component now represents a key risk in the evolving smart infrastructure landscape.

Stored data: A high-stakes vulnerability

Smart meters store and process data continuously for up to 20 years, often in harsh environments and under resource constraints. If this stored data is accessed or manipulated, whether through physical tampering or remote software exploits, it can lead to serious consequences such as inaccurate billing, operational disruption, compliance failures, and lost customer trust.

These attacks are not always obvious at the outset. Data corruption or loss may unfold quietly over time until systemic issues, like forecasting errors or billing disputes, reveal the damage.

Below the surface: The hidden costs of cybersecurity

Meeting the rising expectations of cybersecurity within smart infrastructure is not only a technical challenge but also a resource- and cost-intensive exercise. For many UK and EU manufacturers, taking on in-house vulnerability management means building and retaining dedicated teams, often requiring three to five full-time specialists responsible for managing threat detection, incident response, and routine updates each year.

Secure-by-default configurations frequently necessitate hardware upgrades to handle stronger encryption protocols and enhanced security measures. This has a direct impact on the Bill of Materials (BOM) and design timelines, while many existing software stacks, not optimised for compact embedded systems, require significant re-engineering to accommodate modern security layers. These efforts are essential as the cost of an undetected cyberattack can exceed $8,800 (≈£6,900) per minute, with consequences that stretch beyond financial loss to regulatory fines and, in critical infrastructure contexts, potential service disruptions that can risk lives.

The CRA: Raising the security bar for all connected devices

The Cyber Resilience Act (CRA), due to take effect across the European Union by 2027, is set to redefine the security expectations for all products with digital elements, including smart meters.

For companies in the UK and beyond that manufacture, integrate, or supply to the EU market, CRA alignment is not optional. It will become part of the mandatory CE marking process, which determines whether a product is market-ready.

Key CRA obligations include:

  • No known vulnerabilities at launch

  • Secure-by-default configurations

  • Ongoing patching and vulnerability management

  • Transparent documentation and lifecycle support

For smart meters, this means providing secure functionality from deployment through to decommissioning, often a 20+ year horizon. Vendors who can demonstrate secure data-at-rest strategies will be better positioned to meet these rising requirements.

Designing for trust: confidentiality, integrity, and authenticity

Modern smart infrastructure requires security that is not just bolted on but built in. For data storage, this translates into three essential principles:

  • Confidentiality: Ensuring data cannot be accessed by unauthorized parties. This means encrypting stored energy data and access credentials, protecting keys, and using secure protocols for meter-to-cloud communications.

  • Integrity: Ensuring data remains accurate and untampered, even during power outages or system crashes. This can be achieved through robust file systems with built-in error correction, secure booting, and real-time validation checks.

  • Authenticity: Ensuring that firmware updates and communications come from trusted sources. Digital signatures and secure update processes help prevent the injection of malicious code or counterfeit software.
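
To make the integrity principle concrete, the following sketch (an added example, not code from the article or from any vendor) chains an HMAC across stored meter readings so that a verifier can tell an incomplete final write after power loss apart from an edited record. The record layout, the key, the sample readings and all function names are assumptions made for illustration; the algorithm-identifier byte in each header leaves room to change the hash algorithm later without changing the format.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: a real key is held in a secure element
ALGS = {1: hashlib.sha256}      # algorithm id -> hash; extend to migrate algorithms
HDR = struct.Struct(">BH")      # header: algorithm id (1 byte), payload length (2 bytes)
GENESIS = b"\x00" * 32          # chain start value for the first record

def append_record(log: bytes, prev_tag: bytes, payload: bytes, alg: int = 1):
    """Return (new_log, tag); the tag covers the previous tag, header and payload."""
    hdr = HDR.pack(alg, len(payload))
    tag = hmac.new(KEY, prev_tag + hdr + payload, ALGS[alg]).digest()
    return log + hdr + payload + tag, tag

def verify_log(log: bytes):
    """Walk the log and return (accepted_payloads, status)."""
    records, prev, pos = [], GENESIS, 0
    while pos < len(log):
        if len(log) - pos < HDR.size:
            return records, "torn"            # header cut short by power loss
        alg, n = HDR.unpack_from(log, pos)
        if alg not in ALGS:
            return records, "unknown-alg"
        tag_len = ALGS[alg]().digest_size
        end = pos + HDR.size + n + tag_len
        if end > len(log):
            return records, "torn"            # payload or tag incomplete
        body = log[pos:pos + HDR.size + n]
        expect = hmac.new(KEY, prev + body, ALGS[alg]).digest()
        if not hmac.compare_digest(log[end - tag_len:end], expect):
            return records, "tampered"        # complete record, wrong tag
        records.append(body[HDR.size:])
        prev, pos = log[end - tag_len:end], end
    return records, "ok"

def demo():
    """Constructed readings: verify an intact, a truncated and an edited log."""
    log, tag = b"", GENESIS
    for reading in (b"2024-01-01T00:00Z kWh=1201.4",
                    b"2024-01-01T00:30Z kWh=1201.9",
                    b"2024-01-01T01:00Z kWh=1202.3"):
        log, tag = append_record(log, tag, reading)
    torn = log[:-10]                               # last write interrupted
    edited = log.replace(b"1201.9", b"1200.0")     # second reading altered
    return verify_log(log)[1], verify_log(torn), verify_log(edited)
```

A log cut exactly on a record boundary still verifies as "ok", so detecting rollback or deletion of whole records additionally needs a record counter or latest tag kept in tamper-resistant storage.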


Building organisational readiness

Embedding security into smart meter design is just one part of the compliance journey under the CRA, NIS2, and IEC 62443 frameworks. Equally critical is ensuring that organisations adopt a security-first mindset across their people, processes, and documentation.

For many manufacturers, a practical starting point is to address common pillars across these frameworks. These include maintaining accurate Software Bills of Materials (SBOMs), conducting thorough supply chain and risk assessments, retaining robust test reports, and developing clear incident response plans. Internally, organisations should focus on preparing their teams by implementing staff training on cybersecurity best practices, establishing data minimisation and retention policies, and defining clear access controls and role-based responsibilities. This holistic approach ensures that cybersecurity becomes an embedded practice, supporting both regulatory compliance and long-term resilience within smart infrastructure.

With advances in quantum computing potentially undermining current encryption standards within the next two decades, smart meter infrastructure must be cryptographically agile. Devices should support over-the-air (OTA) updates to upgrade cryptographic algorithms as new standards emerge.

Though post-quantum cryptography is not yet mainstream in embedded systems, the CRA and global regulatory conversations are beginning to acknowledge these developments, especially in devices with long operational lifespans.

Practical lessons from the field

Flash memory, which stores meter data, wears out over time due to frequent write/erase cycles. Without smart memory management, this leads to premature device failure, increased maintenance costs, and data integrity issues.

In real-world cases, utilities have deployed file systems and flash controllers that have dramatically improved meter resilience. Some have extended operational lifetimes by 50%, from 20 years to 30, while maintaining full data integrity across more than 15,000 unplanned power interruptions.

This level of reliability not only supports CRA compliance but also strengthens customer relationships and reduces lifetime costs.

Smart security as a competitive advantage

Smart infrastructure demands smart security, from the edge to the core. For smart meter manufacturers and utility providers, protecting data at rest is no longer just an IT issue but affects the bottom line.

As the CRA becomes a new benchmark for secure digital products in Europe, the manufacturers that embed storage resilience now will lead the next wave of smart energy innovation, which will be reliable, secure, and future-proofed by default.