Security analysis of Dutch smart metering systems - Multiple Choices

More documents

Recommendations

Info

4.4 Port P3 4 PRACTICAL ANALYSIS mobile device registers itself at base station with at least an Access Point Name (APN) and its GPRS authentication credentials to get access to the GPRS network. An APN is a hostname which is associated with the GPRS connection and resolves to the Gateway GPRS Support Node (GGSN) that provides the connectivity between GPRS core network and the telecom operators or corporate router. This connectivity is often, but not necessarily, realized by means of a GRE tunnel between the GGSN and corporate router [34]. A schematic overview of a GPRS smart metering system is shown in figure 15. GPRS E G W Electricity Gas Water CAS RADIUS server GPRS E G W Tunnel GSM antenna GGSN GPRS E G W GPRS Figure 15: GPRS smart metering implementation E G W The GSM security model is considered as broken, because of weaknesses found in the A5 stream encryption algorithms that GSM utilizes [57]. The GPRS system uses a new implementation of the A5 stream encryption which should improve the security of the network. Currently, decryption of wireless GPRS signals is not feasible, but could be in the future when details of the new A5 algorithm becomes publicly available [5]. Therefore it is important that besides the GPRS encryption, additional end-to-end encryption between the meter and back-end system is realized. Some grid operators use the telecom provider’s APN for their smart metering systems to connect to, which gives the meter an IP address that could be accessible from the public Internet. Other operators have their own private APN and RADIUS server which gives the meter an internal IP address from the grid operator. Smart metering systems usually connect only once a day for a small period of time to communicate with the CAS and function only as a client, which makes direct attacks from the public Internet to a smart GPRS meter unlikely. Attacks on the P3 back-end systems could be possible when someone tries to log in to the grid operator’s private APN using a smart meter’s credentials. Therefore it is important that every meter uses unique and strong credentials to log into the APN. This risk is even bigger when the grid operator uses the APN of the telecom provider which is accessible to all customers of the 32
4.4 Port P3 4 PRACTICAL ANALYSIS same telecom provider. Grid operators should not solely rely on the GPRS authentication to grant access to back-end systems. Although sniffing of wireless GPRS signals does not yet seems feasible, local sniffing between the meter and an internal or external modem could be possible. We have discovered that some of the smart metering systems use an internal or external RS-232 connection between the metering system and the GPRS modem. The Xemex CT1020 module which is being used in the Eneco smart meter features a Telit GE863- QUAD-PY GPRS modem that communicates with the Xemex board using an internal RS-232 connection which can be seen in figure 16. This GPRS modem is accessed by the Xemex board using a standard modem AT command set [66]. Sniffing of a RS-232 connection is possible using a simple schematic [4], but is not possible without breaking the casing of the Xemex module. Mainboard Tamper switch Telit GPRS modem connected using a RS-232 connection Figure 16: Xemex CT1020 module with Telit GE863-QUAD-PY GPRS modem Sagem and possibly other manufacturers as well are introducing an external GPRS modem that can be connected to existing PLC meters using a RS-232 connection [63]. This link between the meter and modem could easily be sniffed to obtain more information about the GPRS communication. In case weak encryption and authentication mechanisms are used, data manipulation could also be possible using manipulation of the RS-232 data stream. Another attack to intercept GPRS communication would be to utilize a GSM/GPRS test station that normally is being used to test cell phones, but could also simulate a fake GSM access point [1]. By broadcasting a stronger signal than the telecom provider’s legit access point the test station can force the smart meter to connect to this fake access point. Once the smart meter is connected, analysis of the GPRS communication is possible. However, these devices are very expensive, which would make other attack methods more attractive to most attackers. The availability of meters that utilize GPRS as their communication channel can easily be attacked using a GSM jamming device which are available for less than 50 euros at Ebay or by placing a Faraday cage around the meter or its external GPRS modem. Power Line Carrier Power Line Carrier (PLC) or Power Line Communication is a data communication system which uses the conductor used for electric power transmission as a carrier. The digital data is modulated onto the carrier wave with a high frequency. This is the same system which is used to switch street lights on and off and to switch between day and night tariff in “dumb” electricity meters [9]. PLC uses a frequency of 3 to 148.5kHz which provides an actual performance of a few hundred bits per second with a distance limit of approximately 700 meters. 33
Page 1 and 2: Security analysis of Dutch smart me
Page 3 and 4: Introduction A smart meter refers t
Page 5 and 6: CONTENTS CONTENTS Contents 1 Smart
Page 7 and 8: 1 Smart metering introduction 1.1 G
Page 9 and 10: 1.2 Energy market 1 SMART METERING
Page 11 and 12: 1.3 Dutch standard for smart meteri
Page 13 and 14: 3 Theoretical analysis 3.1 CIA 3 TH
Page 15 and 16: 3.2 NTA 3 THEORETICAL ANALYSIS 3.2.
Page 17 and 18: 3.2 NTA 3 THEORETICAL ANALYSIS •
Page 19 and 20: 4 Practical analysis 4 PRACTICAL AN
Page 21 and 22: 4.1 Port P0 4 PRACTICAL ANALYSIS
Page 23 and 24: 4.1 Port P0 4 PRACTICAL ANALYSIS (a
Page 25 and 26: 4.2 Port P1 4 PRACTICAL ANALYSIS 4.
Page 27 and 28: 4.3 Port P2 4 PRACTICAL ANALYSIS (a
Page 29 and 30: 4.4 Port P3 4 PRACTICAL ANALYSIS op
Page 31: 4.4 Port P3 4 PRACTICAL ANALYSIS A
Page 35 and 36: CX 1000-5 PLC meters use the PLAN a
Page 37 and 38: 4.4 Port P3 4 PRACTICAL ANALYSIS hi
Page 39 and 40: 4.4 Port P3 4 PRACTICAL ANALYSIS DL
Page 41 and 42: 4.5 Port P4 4 PRACTICAL ANALYSIS IP
Page 43 and 44: 4.6 Port P5 4 PRACTICAL ANALYSIS
Page 45 and 46: 5 Recommendations 5 RECOMMENDATIONS
Page 47 and 48: 6 Conclusion 6 CONCLUSION During th
Page 49 and 50: REFERENCES REFERENCES [18] Eneco. M
Page 51 and 52: REFERENCES REFERENCES [57] L. Peson
Page 53 and 54: A.2 Date readout A LANDIS+GYR METER
Page 55 and 56: 3.1 Communication profiles The thre

Security analysis of Dutch smart metering systems - Multiple Choices

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?