Security analysis of Dutch smart metering systems - Multiple Choices
Security analysis of Dutch smart metering systems - Multiple Choices
Security analysis of Dutch smart metering systems - Multiple Choices
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
4.1 Port P0 4 PRACTICAL ANALYSIS<br />
Landis+Gyr meters feature several access levels with different security attributes. Level 0 is<br />
intended for public access and only allows parameter reading without password protection. Level<br />
1 and 2 are intended for data collection and field service and allow limited write operations using<br />
a password.<br />
Password protection for Landis+Gyr meters is adopted from the IEC specification, and allows<br />
passwords <strong>of</strong> exactly 7 or 8 hexadecimal characters, i.e. characters 0-9 and A-F. This results in an<br />
effective password strength <strong>of</strong> 32-bit, which allows 4.294.967.296 possible password combinations.<br />
Level 4 access is intended for extended utility service and allows access to settable and parameterizable<br />
data such as register clearing, password setting etc. Access level 4 does not require a<br />
password, but requires a correct setting <strong>of</strong> the security switches that are accessible under the main<br />
cover <strong>of</strong> the meter, protected by a certification seal.<br />
Sagem meters feature a comparable security mechanism: “To avoid any untimely modification, an<br />
option can be factory-programmed to authorise optical link programming only when the terminal<br />
cover is open.”<br />
It is important to mention that not all functions will be available on every meter. Industrial meters<br />
will feature more configuration options then <strong>smart</strong> <strong>metering</strong> <strong>systems</strong> found in most households.<br />
However, contacts at various grid operators and suppliers confirmed that the optical port is being<br />
used to configure tariff and communication settings <strong>of</strong> <strong>smart</strong> meters that are being used in The<br />
Netherlands. For example the day/night tariff setting <strong>of</strong> meters from electricity supplier Oxxio<br />
can be configured by an engineer during installation through the optical interface using a PDA.<br />
4.1.2 Implementation (Configuration buttons)<br />
Management functions that are accessible through configuration buttons on the <strong>metering</strong> device<br />
are manufacturer-specific, because they are not defined in any standard.<br />
For this research, only user manuals <strong>of</strong> Sagem meters were available, but other meters are likely<br />
to <strong>of</strong>fer similar functionality. The Sagem CX1000 and CX2000 meters support the following<br />
operations which are only available when the terminal cover is open, using the configuration<br />
buttons [61, 62]:<br />
• Activate (or deactivate) the communication data encryption key<br />
• Date and time setting<br />
• M-Bus device installation<br />
• M-Bus device deinstallation<br />
The most important options from a security perspective are the deactivation <strong>of</strong> data encryption<br />
and deinstallation <strong>of</strong> M-Bus devices. Deactivation <strong>of</strong> data encryption could lead to confidentiality<br />
breaches, and the deinstallation <strong>of</strong> connected M-Bus devices could lead to <strong>metering</strong> data<br />
availability breaches.<br />
4.1.3 Practical research<br />
For this research access to a <strong>smart</strong> <strong>metering</strong> system, supervised by a supplier or grid operator<br />
was not available, which limited the practical research that could be done. We did gain access<br />
to a live <strong>smart</strong> <strong>metering</strong> system operated by the Eneco grid operator installed at a household<br />
in Moordrecht. This <strong>smart</strong> <strong>metering</strong> system consists <strong>of</strong> a modular Landis+Gyr electricity meter<br />
type ZMF120ACd, combined with a Xemex GPRS communication module type CT1020 and a<br />
22