Security analysis of Dutch smart metering systems - delaat.net · Simulate gas or water meter...

Security analysis of Dutch smart metering systems


Sander Keemink and Bart Roos

July 2, 2008

1 / 19


1 Smart metering introduction

2 Theoretical research

3 Practical research

4 Recommendations

5 Conclusion

2 / 19


Smart metering introduction

Smart Metering goals

Accurate billing

Insight in energy usage

NTA Dutch Technical Agreement

First GenerationSmart meters

NTA 8130

2008 2009 2010 2011

Law in effect

First Evaluation

Second Evaluation

Second GenerationSmart metersNTA 8130 plus

3 / 19



NTA

Page 6 of 137

File name: Dutch Smart Meter Requirements v2.2 final Main.doc Date: 18-04-2008

Author: KEMA Consulting Config. ID: B101

Version: 2.2 Final Project: Functional and technical specifications Smart Meters

1 INTRODUCTION

1.1 The Dutch standard for smart metering (NTA 8130)

The Ministry of Economic Affairs has at first commissioned the Netherlands Normalization

Institute, NEN, to formulate and describe a standardized minimum set of basic functions for

remotely readable metering for electricity, gas, thermal energy (heat and cold) and water for

domestic consumers (in this document we use the expression domestic consumers although

small scale consumers might be more appropriate). Under the auspices of the NTA 8130 pro-

ject group, set up for this purpose by NEN, work has been performed on the drafting of re-

quirements that ‘smart metering systems’ must satisfy. During the formulation process, the

formal field of view of mandatory functions has been reduced to electricity and gas. For water

and thermal energy, recommendations are given in an appendix. This process has been fi-

nalized in April 2007, as its result, a so-called Netherlands Technical Agreement called

“Minimum set of functions for metering of electricity, gas and thermal energy for domestic

customers” has been brought out. The reference number of this Netherlands Technical

Agreement is NTA 8130.

The document “Dutch smart meter requirements” is an elaboration of the NTA8130, commis-

sioned by the Dutch grid companies (ENBIN), and aimed at meter interoperability. Also re-

quirements have been added, mainly with respect to installation & maintenance, quality and

performance.

1.2 Short description of the metering installation

Figure 1-1 – Communication ports belonging to the metering installation

CAS

Independent Services Provider

Supplier

Grid company

P1

G

E

Metering

system Other

Services

Module

W/T

P3

P2

P4

P0

4 / 19



Your energy usage

What do you see in this image?

230 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

Hour of day

Label

U

S

A

G

E

indicative

Electricity Water Gas5 / 19



Research objective

“Analyze the possible impact of the use of smartmetering systems on the security of electricity meteringusing the CIA-triad and minimum requirements as statedin the NTA-8130 regulation. Compare the NTA and apreferred situation with the smart metering systems thatare currently implemented.”

6 / 19


Theoretical research

Theoretical research

Defined the need for security using the CIA-triad

Analyzed the NTA security requirements:

P0 Not defined

P1 Read-only

P2 Encryption allowed if interoperable

P3 Grid operator should take ‘appropriate measures’

P4 Grid operator should take ‘appropriate measures’

P5 Out of scope

Defined possible attack vectors based on CIA-triad

7 / 19


Practical research

Port 0 security

Optical interface (all meters)

Programming buttons (some meters)

Security measures

Switch behind security sealTamper detection

8 / 19


Practical research

Port 0 security

9 / 19


Practical research

Port 2 security

WiredM-Bus without encryptionM-Bus interfaces widely availableSimulate gas or water meter (slave)Simulate electricity meter (master)

WirelessProprietary protocolsWireless M-Bus not being used

10 / 19


Practical research

Port 3 security

Communication methods:

PowerLine Communication (PLC)GPRSEthernetRadio Frequency mesh (RF)

Risks

Sniffing (Serial GPRS modem and Ethernet)Disrupting communicationsDenial of Service attacks

11 / 19


Practical research

Port 3 security

12 / 19


Practical research

Port 5 security

Risks

SniffingMan-in-the-Middle attackShoulder surfing for credentialsThe usual risks

Basic security measures

SSL (HTTPS)Strong authentication

13 / 19


Practical research

14 / 19


Practical research

15 / 19


Recommendations

Recommendations

NTA:

Aggregate data per day, week or month

More specific security requirements in NTA

Port 0 should be part of NTA

Including minimal security requirements

16 / 19


Recommendations

Recommendations

Supplier and grid operators:

Do not trust security seals

Data availability can not be guaranteed

Use open encryption on all links

Do not underestimate privacy aspects

Use SSL and strong passwords on website

Perform data checks to verify correctness of data

17 / 19


Conclusion

Conclusion

Privacy underestimated

NTA not specific enough about security

Security of meter management functions not sufficient

No secure channel between electricity and gas or water meter

Supplier websites should improve their security

18 / 19


Conclusion

Thanks

Thanks for your attentionAny questions before enjoying your lunches?

19 / 19

Date post:	12-Aug-2019
Category:	Documents
Upload:	dangquynh
View:	213 times
Download:	0 times

Security analysis of Dutch smart metering systems - delaat.net · Simulate gas or water meter...

Documents