Security analysis of Dutch smart metering systems - Multiple Choices
4.6 Port P5 4 PRACTICAL ANALYSIS
• Authorisation: The P4 port should tightly control access to data and to smart meter control.
No supplier should be able to read information from other suppliers' customers, nor should
they be able to control other customers' smart meters.
• Access: The P4 port should only be accessible by suppliers and metering companies. No
access should be possible from the public Internet. Because of the small market and parties
in the energy market, access should be controlled using a private network.
• Logging: Because of the customers' privacy and the impact of security breaches, all access
and actions should be logged.
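An added example (not from the original report) of how the authorisation and logging requirements above could be enforced together at a P4 gateway: deny by default, record every decision, and review the log for cross-supplier attempts. The registry contents, party and meter identifiers, and action names are constructed assumptions.

```python
import json
import time

# Constructed sample registry (assumption): which supplier currently serves each meter.
CONTRACTS = {"meter-0001": "supplier-A", "meter-0002": "supplier-B"}
# Hypothetical action names; the report only speaks of reading data and controlling meters.
ACTIONS = {"read_usage", "switch_on", "switch_off"}
OTHER_SUPPLIER = "meter belongs to another supplier"

AUDIT_LOG = []  # stand-in for an append-only log store


def audit(party, meter, action, allowed, reason):
    """Record every request, allowed or denied, and pass the decision through."""
    entry = {"ts": time.time(), "party": party, "meter": meter,
             "action": action, "allowed": allowed, "reason": reason}
    AUDIT_LOG.append(json.dumps(entry, sort_keys=True))
    return allowed


def authorise(party, meter, action):
    """Deny by default: allow only a known action on a meter the caller serves.

    The caller gets only True/False; the reason stays in the log, so a denial
    does not reveal whether the meter exists at another supplier.
    """
    if action not in ACTIONS:
        return audit(party, meter, action, False, "unknown action")
    owner = CONTRACTS.get(meter)
    if owner is None:
        return audit(party, meter, action, False, "unknown meter")
    if owner != party:
        return audit(party, meter, action, False, OTHER_SUPPLIER)
    return audit(party, meter, action, True, "contract match")


def cross_supplier_denials():
    """Count, per party, denied attempts on another supplier's meter."""
    counts = {}
    for line in AUDIT_LOG:
        entry = json.loads(line)
        if not entry["allowed"] and entry["reason"] == OTHER_SUPPLIER:
            counts[entry["party"]] = counts.get(entry["party"], 0) + 1
    return counts
```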
4.6 Port P5<br />
Port P5 is the port we defined as the supplier’s website which enables customers to get access to
their usage data, or possibly upgrade their prepaid credit.
4.6.1 Implementation<br />
At this moment only two suppliers offer access to usage data obtained from smart meters through
their website. Other suppliers do offer a personal website for their customers where they, among
other things, can enter manual yearly meter readings, view their bills, and view or change personal
information. It is likely that the smart meter readouts will be made available on these
websites in the future. The websites which we analysed can be seen in Table 14.
4.6.2 Practical research
Websites with metering data:
• Oxxio [54]
• Delta [10]
Websites without metering data:
• Nuon [53]
• Essent [23]
• Eneco [18]
Table 14: Suppliers' websites
Web applications are a common victim of cyber crime and an area in which a lot of research has
been done [65]. When a web application is compromised, an attacker may be able to steal private
and personal information, carry out fraud, and perform malicious actions against other users.
A few commonly seen techniques to compromise a web application are:
• Broken authentication
• Broken access controls
• Cross-site scripting
• SQL injection
• Information leakage
Because of the information already available on web application security, an in-depth analysis or
penetration testing of the websites is outside the scope of this project. We made a general analysis
of the websites and how they could be compromised. Based on the theoretical analysis we looked
at the privacy and access aspects of the website: