Security analysis of Dutch smart metering systems Sander Keemink and - - PowerPoint PPT Presentation

security analysis of dutch smart metering systems
SMART_READER_LITE
LIVE PREVIEW

Security analysis of Dutch smart metering systems Sander Keemink and - - PowerPoint PPT Presentation

Dec 07, 2023 238 likes •432 views

Security analysis of Dutch smart metering systems Security analysis of Dutch smart metering systems Sander Keemink and Bart Roos July 2, 2008 1 / 19 Security analysis of Dutch smart metering systems 1 Smart metering introduction 2 Theoretical

slide-1
SLIDE 1

Security analysis of Dutch smart metering systems

Security analysis of Dutch smart metering systems

Sander Keemink and Bart Roos July 2, 2008

1 / 19

slide-2
SLIDE 2

Security analysis of Dutch smart metering systems

1 Smart metering introduction 2 Theoretical research 3 Practical research 4 Recommendations 5 Conclusion

2 / 19

slide-3
SLIDE 3

Security analysis of Dutch smart metering systems Smart metering introduction

Smart Metering goals

Accurate billing Insight in energy usage NTA Dutch Technical Agreement

First Generation Smart meters NTA 8130 2008 2009 2010 2011 Law in effect First Evaluation Second Evaluation Second Generation Smart meters NTA 8130 plus

3 / 19

slide-4
SLIDE 4

Security analysis of Dutch smart metering systems Smart metering introduction

NTA

CAS

Independent Services Provider Supplier Grid company

P1 G E Metering system

Other Services Module W/T

P3 P2 P4 P0 4 / 19

slide-5
SLIDE 5

Security analysis of Dutch smart metering systems Smart metering introduction

Your energy usage

What do you see in this image?

23 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

Hour of day

U S A G E

indicative

Electricity Water Gas

5 / 19

slide-6
SLIDE 6

Security analysis of Dutch smart metering systems Smart metering introduction

Research objective

“Analyze the possible impact of the use of smart metering systems on the security of electricity metering using the CIA-triad and minimum requirements as stated in the NTA-8130 regulation. Compare the NTA and a preferred situation with the smart metering systems that are currently implemented.”

6 / 19

slide-7
SLIDE 7

Security analysis of Dutch smart metering systems Theoretical research

Theoretical research

Defined the need for security using the CIA-triad Analyzed the NTA security requirements: P0 Not defined P1 Read-only P2 Encryption allowed if interoperable P3 Grid operator should take ‘appropriate measures’ P4 Grid operator should take ‘appropriate measures’ P5 Out of scope Defined possible attack vectors based on CIA-triad

7 / 19

slide-8
SLIDE 8

Security analysis of Dutch smart metering systems Practical research

Port 0 security

Optical interface (all meters) Programming buttons (some meters) Security measures

Switch behind security seal Tamper detection

8 / 19

slide-9
SLIDE 9

Security analysis of Dutch smart metering systems Practical research

Port 0 security

9 / 19

slide-10
SLIDE 10

Security analysis of Dutch smart metering systems Practical research

Port 2 security

Wired

M-Bus without encryption M-Bus interfaces widely available Simulate gas or water meter (slave) Simulate electricity meter (master)

Wireless

Proprietary protocols Wireless M-Bus not being used

10 / 19

slide-11
SLIDE 11

Security analysis of Dutch smart metering systems Practical research

Port 3 security

Communication methods:

PowerLine Communication (PLC) GPRS Ethernet Radio Frequency mesh (RF)

Risks

Sniffing (Serial GPRS modem and Ethernet) Disrupting communications Denial of Service attacks

11 / 19

slide-12
SLIDE 12

Security analysis of Dutch smart metering systems Practical research

Port 3 security

12 / 19

slide-13
SLIDE 13

Security analysis of Dutch smart metering systems Practical research

Port 5 security

Risks

Sniffing Man-in-the-Middle attack Shoulder surfing for credentials The usual risks

Basic security measures

SSL (HTTPS) Strong authentication

13 / 19

slide-14
SLIDE 14

Security analysis of Dutch smart metering systems Practical research 14 / 19

slide-15
SLIDE 15

Security analysis of Dutch smart metering systems Practical research 15 / 19

slide-16
SLIDE 16

Security analysis of Dutch smart metering systems Recommendations

Recommendations

NTA: Aggregate data per day, week or month More specific security requirements in NTA Port 0 should be part of NTA

Including minimal security requirements

16 / 19

slide-17
SLIDE 17

Security analysis of Dutch smart metering systems Recommendations

Recommendations

Supplier and grid operators: Do not trust security seals Data availability can not be guaranteed Use open encryption on all links Do not underestimate privacy aspects Use SSL and strong passwords on website Perform data checks to verify correctness of data

17 / 19

slide-18
SLIDE 18

Security analysis of Dutch smart metering systems Conclusion

Conclusion

Privacy underestimated NTA not specific enough about security Security of meter management functions not sufficient No secure channel between electricity and gas or water meter Supplier websites should improve their security

18 / 19

slide-19
SLIDE 19

Security analysis of Dutch smart metering systems Conclusion

Thanks

Thanks for your attention Any questions before enjoying your lunches?

19 / 19