Security analysis of Dutch smart metering systems - Multiple Choices

More documents

Recommendations

Info

4.4 Port P3 4 PRACTICAL ANALYSIS (a) Connections (b) WebRTU Figure 12: EnergyICT WebRTU Z1 installed in a test lab at Delta grid operator Delta engineer. Furthermore readout of metering data through this web interface is not protected by a password or any other security measure as can be seen in figure 13. This leads to a serious confidentiality issue. Figure 13: WebRTU web interface accessible from the public Internet According to new information received from a Delta project manager after reviewing this document, the WebRTU systems which are installed at employees are configured to only allow connections from the IP-address of a central server. This was not the case in the setup we have seen at the Delta test lab and does not seem to be a configuration option in the WebRTU itself. This could be accomplished by firewall rules in the cable modem, but we were unable to verify this. Also, it is important to note that access to the WebRTU settings does require a valid username and password. 30
4.4 Port P3 4 PRACTICAL ANALYSIS A number of attacks on the availability of meter data are possible. First of all, in this setup it would be easy to disconnect the WebRTU from the cable modem. From the outside a denial of service attack could be initiated with the WebRTU or the cable modem as a target. Overloading the connection with random traffic could cause the WebRTU to fail when trying to reach the CAS. Because of the standard Ethernet setup sniffing would be very easy in this configuration. A man in the middle attack could be difficult as long as the symmetric proprietary EIWeb encryption algorithm or shared key has not been cracked. Other systems that utilize a standard Diffie- Hellman key exchange to generate a shared key could possibly be vulnerable to a man-in-themiddle attack [11]. Currently, Delta is performing tests with a new setup that uses a Landis+Gyr meter with a Windmill Anybridge Smart Client 4200 pluggable module for communication over IP. In this setup all wires are covered and customers only have access to their cable and Internet connection through a so called “media gateway” as shown in figure 14. This is basically a housing that covers the wired connections between the Windmill module and cable modem, and provides a Coax and Ethernet connector to connect the customer’s TV and computer. (a) Overview (b) Cable modem & ‘media gateway’ Figure 14: Landis+Gyr / Windmill smart metering with cable modem and Delta’s ‘media gateway’ Unfortunately we did not get access to documentation of the Windmill module, therefore no conclusions to the communication security of this module can be made. The Windmill Innovation website notes that the AnyBridge platform is based on open IP standards like TCP/IP, SMTP, FTP and that “the AnyBridge platform is based on a unique and patented point-to-point bidirectional e-mail communication method to get messages across” [69]. Most of the attacks that are mentioned could still be possible. Sniffing could be possible using an ARP-spoofing attack or by removing the cover of the “media gateway”. GPRS Together with PLC, GPRS is one of the main technologies used in smart metering pilot projects by the major grid companies in The Netherlands. Some of the companies that are using or testing GRPS are Eneco, Essent, Continuon, Delta and Oxxio. General Radio Packet System (GPRS) is an add-on to the Global System for Mobile Communications (GSM) network to facilitate a range of data services for mobile communication. The 31
Page 1 and 2: Security analysis of Dutch smart me
Page 3 and 4: Introduction A smart meter refers t
Page 5 and 6: CONTENTS CONTENTS Contents 1 Smart
Page 7 and 8: 1 Smart metering introduction 1.1 G
Page 9 and 10: 1.2 Energy market 1 SMART METERING
Page 11 and 12: 1.3 Dutch standard for smart meteri
Page 13 and 14: 3 Theoretical analysis 3.1 CIA 3 TH
Page 15 and 16: 3.2 NTA 3 THEORETICAL ANALYSIS 3.2.
Page 17 and 18: 3.2 NTA 3 THEORETICAL ANALYSIS •
Page 19 and 20: 4 Practical analysis 4 PRACTICAL AN
Page 21 and 22: 4.1 Port P0 4 PRACTICAL ANALYSIS
Page 23 and 24: 4.1 Port P0 4 PRACTICAL ANALYSIS (a
Page 25 and 26: 4.2 Port P1 4 PRACTICAL ANALYSIS 4.
Page 27 and 28: 4.3 Port P2 4 PRACTICAL ANALYSIS (a
Page 29: 4.4 Port P3 4 PRACTICAL ANALYSIS op
Page 33 and 34: 4.4 Port P3 4 PRACTICAL ANALYSIS sa
Page 35 and 36: CX 1000-5 PLC meters use the PLAN a
Page 37 and 38: 4.4 Port P3 4 PRACTICAL ANALYSIS hi
Page 39 and 40: 4.4 Port P3 4 PRACTICAL ANALYSIS DL
Page 41 and 42: 4.5 Port P4 4 PRACTICAL ANALYSIS IP
Page 43 and 44: 4.6 Port P5 4 PRACTICAL ANALYSIS
Page 45 and 46: 5 Recommendations 5 RECOMMENDATIONS
Page 47 and 48: 6 Conclusion 6 CONCLUSION During th
Page 49 and 50: REFERENCES REFERENCES [18] Eneco. M
Page 51 and 52: REFERENCES REFERENCES [57] L. Peson
Page 53 and 54: A.2 Date readout A LANDIS+GYR METER
Page 55 and 56: 3.1 Communication profiles The thre

Security analysis of Dutch smart metering systems - Multiple Choices

Create successful ePaper yourself

Delete template?

Save as template?