Security analysis of Dutch smart metering systems - Multiple Choices
Security analysis of Dutch smart metering systems - Multiple Choices
Security analysis of Dutch smart metering systems - Multiple Choices
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
4.4 Port P3 4 PRACTICAL ANALYSIS<br />
It is unclear whether encryption is being used in any <strong>of</strong> the proprietary RF protocols that are used<br />
today, or whether it will be used in NTA compliant wireless M-Bus implementations in the future.<br />
Further research is required to verify this. Generic devices that can sniff and simulate wireless<br />
signals, such as GNUradio [26] could be used to analyse this.<br />
4.3.2 Attack feasibility<br />
We have seen that simulation <strong>of</strong> a wired M-Bus master to send fake control commands is possible<br />
using a M-Bus Micromaster, making such an attack feasible. It is also possible to simulate a M-<br />
Bus slave using the M-Bus slave level converter, which makes simulation <strong>of</strong> a gas or water meter<br />
to send fake meter data feasible.<br />
Although the wireless encryption as defined in the M-Bus specification contains a potential weakness,<br />
further research is required for attacks on wireless communication. This is applicable to<br />
both wireless M-Bus as well as the various proprietary wireless protocols that are available. An<br />
overview <strong>of</strong> the different attacks is displayed in table 10.<br />
C • Wireless M-Bus sniffing Research required<br />
I • Alter meter data <strong>of</strong> M-Bus connected meters Feasible<br />
• Block P2 communication to and from meter Feasible<br />
A • Send fake valve close commands to wireless M-Bus meters Research required<br />
• Send fake valve open commands to M-Bus meters Feasible<br />
4.3.3 Recommendations<br />
Table 10: Port P2 attack feasibility<br />
Encryption and authentication between devices is necessary and should be required by the NTA.<br />
Especially in a wireless environment sniffing <strong>of</strong> meter communication could affect the confidentiality<br />
<strong>of</strong> meter data. Unauthorised control command could lead to a breach <strong>of</strong> availability when gas<br />
or water valves could be controlled from a remote distance.<br />
It would be recommended to update the M-Bus standard to a more modern encryption mechanism<br />
which could replace the single DES standard. In case the M-Bus standard defines encryption as<br />
mandatory instead <strong>of</strong> optional, more manufacturers would be likely to implement those features.<br />
4.4 Port P3<br />
Port P3 is defined as the communication port between the meter and grid operator. The NTA<br />
defines PLC, GPRS and Ethernet as possible communication technologies. Communication can<br />
take place directly from the <strong>smart</strong> meter to the CAS at the grid operator or through an intermediate<br />
data concentrator (DC) which passes it data to the CAS. Besides the technologies mentioned in<br />
the NTA we will also describe radio frequency (RF) based <strong>systems</strong> which are being used in various<br />
pilot projects.<br />
4.4.1 Implementation<br />
Ethernet (IP)<br />
Delta Energy is the only grid operator we have found testing a <strong>smart</strong> <strong>metering</strong> system which uses<br />
a broadband Internet connection as a communication channel. Delta is also the cable network<br />
28