Sunday, June 14, 2026

Why Smart Meter Cybersecurity Matters for UK Commercial Energy Infrastructure

The non-domestic smart meter rollout in the United Kingdom has been one of the largest IoT deployments in recent infrastructure history. Roughly two million commercial gas and electricity meters now report consumption data continuously to suppliers, regulators, and increasingly to specialist analytics platforms that businesses use to manage their energy contracts. The connectivity that makes this possible has produced operational benefits that businesses have only begun to capture, but the same connectivity has also expanded the cybersecurity attack surface in ways that critical infrastructure operators are still working through.

For cybersecurity professionals working with UK clients in the commercial sector, smart meter security sits at the intersection of operational technology, IoT security, and critical national infrastructure protection. It deserves more attention than it currently receives.

What the smart meter actually is from a security perspective

A modern non-domestic smart meter is, in cybersecurity terms, an IoT endpoint with several distinct attack surfaces.

The meter itself runs firmware that handles measurement, local storage, and communication with the wider network. Compromised firmware on a single meter is a localised problem; compromised firmware deployed across a fleet through a poisoned update process is a systemic one.

The communication layer connects the meter to the supplier’s data infrastructure, typically through cellular networks using SIM or eSIM connectivity. The connection has to remain available across long deployment lifetimes (10+ years in many cases) and across diverse physical environments where the meter is installed, which produces specific challenges for credential rotation and certificate management.

The data layer captures consumption profiles at half-hourly granularity, producing a time-series dataset that reveals patterns about when a business is operating, when it is closed, when its production schedule shifts, and other operationally sensitive information. Aggregated across an industrial estate or a sector, the same data becomes a meaningful intelligence resource.

Where the security gaps actually sit

Three structural patterns recur in commercial smart meter deployments.

Patch lag. Meters deployed five or seven years ago run firmware that has not always kept pace with security advances. Patching at scale is harder than in conventional IT environments because meters are physically distributed, sometimes in inaccessible locations, and tied to regulatory compliance regimes that constrain how updates can be deployed.

Credential and certificate management. Long-lived deployments produce credentials and certificates that need careful lifecycle management. Operators that did not plan for this in 2018 are increasingly running into operational challenges in 2025 and 2026.

Data exposure through downstream platforms. The half-hourly consumption data leaves the meter and lands in supplier databases, broker platforms, energy management dashboards, and various other downstream systems. Each of those platforms is its own attack surface. Several of the recent UK energy-sector breaches have not affected the meters themselves but the systems consuming the meter data downstream.

The operational outcomes the same data enables

The same connectivity infrastructure that produces these security challenges also enables a meaningful set of legitimate operational outcomes. Specialist procurement services such as Utility Bidder consolidate quotes across the active commercial supplier panel using exactly the kind of granular consumption data that smart meters now produce, replacing the annual-survey-and-spreadsheet approach that defined commercial energy procurement before the IoT meter rollout matured. Energy management platforms run analytics on the same data to identify operational anomalies, equipment running outside scheduled hours, and consumption patterns that suggest specific cost-reduction opportunities.

For cybersecurity professionals advising commercial clients, the framing that helps is to treat smart meter data as both a security responsibility (because it can be exfiltrated and exploited) and an operational asset (because it produces real value when used correctly). The two threads are not in tension; they are different layers of the same system.

Practical recommendations for cybersecurity teams

Three practices reduce the meaningful risk in commercial smart meter deployments.

Inventory the deployment. Many commercial operators do not have a current inventory of their connected meters, the suppliers managing them, or the downstream platforms consuming the data.

Audit the data flow. Map where consumption data goes, who has access, and which platforms have signed appropriate data processing agreements under UK GDPR.

Apply standard IoT/OT security controls. Network segmentation, certificate lifecycle management, anomaly detection on data feeds, and structured incident response procedures for energy data breaches should be in place at the same maturity level as for any other operational technology system.
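One way to run the "anomaly detection on data feeds" control over half-hourly readings is sketched below. This is an added example, not code from the article or from any supplier platform. The function names, the threshold, the 0.05 kWh floor and all sample readings are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

SLOT = timedelta(minutes=30)  # half-hourly reporting interval

def integrity_issues(readings):
    """Return (kind, timestamp) findings for a feed of (timestamp, kWh) readings."""
    issues, seen = [], set()
    ordered = sorted(readings)
    for ts, _kwh in ordered:
        if ts in seen:
            issues.append(("duplicate", ts))
        seen.add(ts)
    # Walk the expected 30-minute grid to find slots the feed never delivered.
    ts, end = ordered[0][0], ordered[-1][0]
    while ts <= end:
        if ts not in seen:
            issues.append(("missing", ts))
        ts += SLOT
    return issues

def slot_anomalies(baseline_days, today, threshold=6.0):
    """Flag (slot, robust z-score) where today's load departs from the per-slot baseline."""
    flagged = []
    for slot, value in enumerate(today):
        history = [day[slot] for day in baseline_days]
        # Median and MAD, so a few odd baseline days do not hide a spike.
        med = median(history)
        mad = median(abs(v - med) for v in history)
        scale = max(1.4826 * mad, 0.05)  # assumed 0.05 kWh floor for flat baselines
        score = (value - med) / scale
        if abs(score) > threshold:
            flagged.append((slot, round(score, 1)))
    return flagged

def constructed_day(d):
    """Constructed sample: ~12 kWh per slot 08:00-18:00, ~1.5 kWh when closed."""
    return [(12.0 if 16 <= s < 36 else 1.5) + 0.1 * ((d * 7 + s) % 5 - 2) for s in range(48)]

BASELINE = [constructed_day(d) for d in range(10)]
TODAY = constructed_day(10)
TODAY[4] = 9.0  # constructed anomaly: load at 02:00 while the site is closed
START = datetime(2026, 1, 5)  # constructed date
FEED = [(START + s * SLOT, kwh) for s, kwh in enumerate(TODAY) if s != 20]
FEED.append(FEED[30])  # constructed duplicate delivery of the 15:30 reading

if __name__ == "__main__":
    print(integrity_issues(FEED))
    print(slot_anomalies(BASELINE, TODAY))
```

Run the integrity check first: `slot_anomalies` assumes a complete day of 48 slots, so a gap or duplicate in the feed has to be resolved before the per-slot comparison is meaningful.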

The UK National Cyber Security Centre publishes guidance on IoT and operational technology security, and Ofgem has begun to formalise expectations around smart meter data handling that commercial operators should track.

FAQ

Are commercial smart meters more vulnerable than domestic ones? Both run on similar technology, but commercial meters typically produce higher-value data and operate in more complex environments, which increases the practical risk profile.

What governs commercial smart meter cybersecurity in the UK? Ofgem regulatory requirements, the Smart Energy Code, NCSC guidance, and broader UK GDPR data protection obligations all apply.

How is smart meter data used in commercial energy procurement? Specialist brokers and energy management platforms consume half-hourly consumption data to produce more accurate procurement decisions and identify operational savings.

Should commercial operators audit their meter data flows? Yes. Many operators do not have a current map of which platforms consume their meter data and what controls apply at each stage.

Soma Chatterjee
I am an SEO Content Writer with proven experience in crafting engaging, SEO-optimized content tailored to diverse audiences. Over the years, I’ve worked with School Dekho, various startup pages, and multiple USA-based clients, helping brands grow their online visibility through well-researched and impactful writing.