Security analysis of Dutch smart metering systems


  1. Security analysis of Dutch smart metering systems. Sander Keemink and Bart Roos, July 2, 2008

  2. (1) Smart metering introduction, (2) Theoretical research, (3) Practical research, (4) Recommendations, (5) Conclusion

  3. Smart metering introduction
     - Smart Metering goals: accurate billing; insight in energy usage
     - NTA: Dutch Technical Agreement
     - [Timeline figure, 2008 to 2011. Labels: Law in effect; First Evaluation; Second Evaluation; First Generation Smart meters (NTA 8130); Second Generation Smart meters (NTA 8130 plus)]

  4. Smart metering introduction: NTA
     - [Figure: NTA port diagram. Labels: Independent Services Provider, Supplier, Grid company, CAS, Metering system, Other Services Module, E, G, W/T, ports P0 to P4]

  5. Smart metering introduction: Your energy usage
     - What do you see in this image?
     - [Figure: indicative usage per hour of day (0 to 23) for electricity, water and gas]

  6. Smart metering introduction: Research objective
     - “Analyze the possible impact of the use of smart metering systems on the security of electricity metering using the CIA-triad and minimum requirements as stated in the NTA-8130 regulation. Compare the NTA and a preferred situation with the smart metering systems that are currently implemented.”

  7. Theoretical research
     - Defined the need for security using the CIA-triad
     - Analyzed the NTA security requirements:
       - P0: Not defined
       - P1: Read-only
       - P2: Encryption allowed if interoperable
       - P3: Grid operator should take ‘appropriate measures’
       - P4: Grid operator should take ‘appropriate measures’
       - P5: Out of scope
     - Defined possible attack vectors based on CIA-triad

  8. Practical research: Port 0 security
     - Optical interface (all meters)
     - Programming buttons (some meters)
     - Security measures:
       - Switch behind security seal
       - Tamper detection

  9. Practical research: Port 0 security

  10. Practical research: Port 2 security
     - Wired:
       - M-Bus without encryption
       - M-Bus interfaces widely available
       - Simulate gas or water meter (slave)
       - Simulate electricity meter (master)
     - Wireless:
       - Proprietary protocols
       - Wireless M-Bus not being used

  11. Practical research: Port 3 security
     - Communication methods:
       - PowerLine Communication (PLC)
       - GPRS
       - Ethernet
       - Radio Frequency mesh (RF)
     - Risks:
       - Sniffing (Serial GPRS modem and Ethernet)
       - Disrupting communications
       - Denial of Service attacks

  12. Practical research: Port 3 security

  13. Practical research: Port 5 security
     - Risks:
       - Sniffing
       - Man-in-the-Middle attack
       - Shoulder surfing for credentials
       - The usual risks
     - Basic security measures:
       - SSL (HTTPS)
       - Strong authentication

  14. Practical research

  15. Practical research

  16. Recommendations
     - NTA:
       - Aggregate data per day, week or month
       - More specific security requirements in NTA
       - Port 0 should be part of NTA
         - Including minimal security requirements

  17. Recommendations
     - Supplier and grid operators:
       - Do not trust security seals
       - Data availability cannot be guaranteed
       - Use open encryption on all links
       - Do not underestimate privacy aspects
       - Use SSL and strong passwords on website
       - Perform data checks to verify correctness of data

  18. Conclusion
     - Privacy underestimated
     - NTA not specific enough about security
     - Security of meter management functions not sufficient
     - No secure channel between electricity and gas or water meter
     - Supplier websites should improve their security

  19. Conclusion: Thanks
     - Thanks for your attention
     - Any questions before enjoying your lunches?
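
The data checks recommended on slide 17 and the per-day aggregation recommended on slide 16, as an added Python example that is not part of the original presentation. The hourly reading interval, the 3 x 25 A / 230 V connection limit, the function names and the sample readings are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(hours=1)          # assumed reading interval
# Assumed connection: 3 x 25 A at 230 V = 17.25 kW, so at most 17.25 kWh per hour.
MAX_KWH_PER_HOUR = 3 * 25 * 230 / 1000

def check_readings(readings):
    """Plausibility-check (timestamp, cumulative_kwh) pairs; return findings."""
    findings = []
    for (t0, r0), (t1, r1) in zip(readings, readings[1:]):
        gap = t1 - t0
        if gap <= timedelta(0):
            findings.append((t1, "duplicate or out-of-order timestamp"))
            continue
        if gap > INTERVAL:
            findings.append((t1, "missing interval(s)"))
        delta = r1 - r0
        if delta < 0:
            findings.append((t1, "register decreased"))
        elif delta > MAX_KWH_PER_HOUR * (gap / INTERVAL):
            findings.append((t1, "usage exceeds connection capacity"))
    return findings

def daily_totals(readings):
    """Reduce validated hourly readings to one kWh figure per day."""
    if check_readings(readings):
        raise ValueError("readings failed plausibility checks")
    totals = {}
    for (t0, r0), (_, r1) in zip(readings, readings[1:]):
        day = t0.date()                # interval is booked on its start day
        totals[day] = totals.get(day, 0.0) + (r1 - r0)
    return totals

# Constructed sample data: two days of hourly readings at a flat 0.5 kWh/h.
START = datetime(2008, 7, 1)
SAMPLE_OK = [(START + i * INTERVAL, 1000.0 + 0.5 * i) for i in range(49)]
# Constructed faulty series: rollback, implausible jump, then a 3-hour gap.
SAMPLE_BAD = [(START, 1000.0), (START + 1 * INTERVAL, 1000.4),
              (START + 2 * INTERVAL, 999.0), (START + 3 * INTERVAL, 1020.0),
              (START + 6 * INTERVAL, 1021.0)]

if __name__ == "__main__":
    print(daily_totals(SAMPLE_OK))
    for when, problem in check_readings(SAMPLE_BAD):
        print(when.isoformat(), problem)
```

Only the daily totals leave the function, so the hourly profile shown on slide 5 is not passed on, and a series that fails any check is rejected instead of being billed.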
