Advances in metering technology over the past three decades have made today’s AMR systems economically viable for utilities to use. Over the next five to 10 years most utilities will likely use some type of AMR system to both comply with energy policies and regulations, and increase their profit margins with more accurate billing reads and lower operating cost. But will these policies and regulations in the U.S. and similar requirements in other countries turn AMR into a zero-sum game for utilities? How can a company determine if its internal processes and controls are sufficient to ensure that its revenue data is secure and accurate?
Utility Information Technology (IT) departments commonly understand the security aspects of the backend which runs the AMR system, and metering departments usually understand the security aspects of the meters themselves, but everything between those points could be the weakest link of your AMR system. Just as the strength of a chain is no greater than its weakest link, an AMR system’s security depends on the security of every piece of the application, the communications devices, communications media and protocols. This article describes some of the security aspects to consider when evaluating the various AMR communication systems available today and provides questions you can ask vendors to ensure that your entire AMR system is as secure as it needs to be.
What is AMR link security?
The purpose of the communications link from the back-end system to the meter is to provide reliable communications to authorized users. A system is reliable if it is both available when you need it and accurate in relaying your messages. To say the link is secure means that it is available to authorized users and free from being intercepted, altered, or listened to by unauthorized agents. I use the word agents in this article not to imply secret agents, but to emphasize that the participants in the network aren’t necessarily human beings. We want to assure that agents such as unauthorized communications or computing equipment are also prevented from access.
Three properties of security
There are three essential properties of security. They are confidentiality, integrity and availability. All must be present for a communications link to be considered secure.
Confidentiality
The first property of security is confidentiality. “Confidentiality” means information is never disclosed to unauthorized agents. If your email can be read by an unauthorized third party, its confidentiality has been violated.
Integrity
The second property of security is integrity. If information is never altered in any unauthorized way, then a system manifests the property of integrity. Although they seem very similar, confidentiality does not guarantee integrity. For example, an encrypted message might be altered without the perpetrator knowing what the encrypted message actually says. One might expect that decrypting a message that had been altered would normally reveal that it had been altered, but this is not always the case. In the original version of the IEEE 802.11 standard describing WiFi (WEP), the “integrity check” was a CRC-32 of the data, encrypted together with the data under the RC4 keystream. A CRC is a linear function, so an attacker who flips bits in the ciphertext can compute the matching change to the encrypted checksum without knowing the key, and the receiver accepts the altered frame as genuine. The design kept the data confidential (until its separate key-recovery weaknesses were found) but provided no real integrity; the two properties had been conflated.
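The bit-flipping problem described above, as an added example that is not part of the original article. It simulates the WEP-style construction (data plus CRC-32, XORed with a keystream) and shows an attacker changing a meter reading without the key and without the receiver noticing, then shows the same tamper attempt rejected when the integrity check is a keyed HMAC instead of a CRC. The keystream generator is a toy (SHA-256 in counter mode standing in for RC4), and the key, IV and reading are constructed sample values; none of the function names come from any real protocol.

```python
import hashlib
import hmac
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode, a stand-in for RC4. Not for production use."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- WEP-style: CRC-32 "integrity check" encrypted under the keystream --------
def crc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor(body, keystream(key, iv, len(body)))


def crc_decrypt(key: bytes, iv: bytes, ct: bytes):
    """Returns the message if the CRC matches, else None."""
    body = xor(ct, keystream(key, iv, len(ct)))
    msg, tag = body[:-4], body[-4:]
    if zlib.crc32(msg).to_bytes(4, "big") != tag:
        return None
    return msg


def forge_crc(ct: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits (msg ^ delta) with no knowledge of the key.
    CRC-32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    so the attacker can patch the encrypted checksum to match the patched data."""
    n = len(ct) - 4
    assert len(delta) == n
    tag_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "big")
    return xor(ct, delta + tag_delta)


# --- Keyed integrity: encrypt-then-MAC with HMAC-SHA256 ----------------------
def mac_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    ct = xor(msg, keystream(key, iv, len(msg)))
    tag = hmac.new(key + b"|mac", iv + ct, hashlib.sha256).digest()
    return ct + tag


def mac_decrypt(key: bytes, iv: bytes, blob: bytes):
    """Returns the message if the HMAC verifies, else None."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key + b"|mac", iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(key, iv, len(ct)))


def demo():
    # constructed sample values; the attacker knows the message layout but not the key
    key = b"meter-link-key"
    iv = b"\x00\x01\x02"
    reading = b"READ kWh=001234"
    delta = bytearray(len(reading))
    delta[11] = ord("1") ^ ord("9")      # turn "001234" into "009234"
    delta = bytes(delta)

    forged = forge_crc(crc_encrypt(key, iv, reading), delta)
    crc_result = crc_decrypt(key, iv, forged)           # accepted: b"READ kWh=009234"

    blob = mac_encrypt(key, iv, reading)
    tampered = xor(blob[:len(reading)], delta) + blob[len(reading):]
    mac_result = mac_decrypt(key, iv, tampered)         # rejected: None
    return crc_result, mac_result


if __name__ == "__main__":
    print(demo())
```

The forged frame decrypts to a different reading and still passes the CRC check; the HMAC variant fails closed. The general lesson is that integrity needs a keyed check (a MAC or an authenticated-encryption mode), not a checksum hidden inside the ciphertext.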
Availability
The third property of security is availability, which means that the system always responds to authorized agents. If a vandal breaks off a key in your car door so that you can no longer unlock the door, the transportation that the car provides is no longer available to you. In communications, the analogy is a denial of service attack in which an attacker could issue millions of data packets to a router to overload system capacity and deny you access to your AMR communications system. Even though the attacker might not be able to penetrate your defenses (i.e., the confidentiality and integrity of the system are not violated) you will still have a problem if you are denied access to the data.
Three things that can go wrong
There are three fundamental things that can go wrong with a communications link: interruption, corruption, and interception.
Interruption
Unintentional interrupts could be as simple as a homeowner inadvertently digging through the telephone line to a meter or as complex as an unintentional harmonic generated in a nearby television transmitter jamming the system’s radio frequency (RF) signal. Note that both of these interrupts could also be caused intentionally. That is, someone could intentionally cut a telephone line or jam an RF signal.
Corruption
Corruption of data can occur on any media. It can be caused by such things as a noisy connection on a telephone line, intermittent RF interference or fading on a radio link.
Interception
Interception is different from interruption and corruption because it is almost always intentional. A hacker can theoretically intercept your communications by physically tapping into wired lines or by monitoring a radio signal. I say “theoretically” because while it is always possible to intercept a communication signal given enough time and resources, it may not be practical for anyone to actually do so. For instance, it would take sophisticated spread-spectrum radio test equipment, custom built decoding hardware, knowledge of advanced cryptographic techniques, and three years of continuous brute-force computer time to intercept data from a communication system using controlled mesh network technology. The data would have to be extremely valuable for the interceptor to justify the effort and expense involved in intercepting and decoding it.
Link characteristics
Link characteristics are important because they can make any of the things that could go wrong (including hacking) either more likely or less likely. For example, if a communications protocol has a built-in retry mechanism, corruption and interruption are less likely because a missed data packet can be re-sent automatically, if required. Additionally, it is easier to intercept a simple data signal sent out over a single RF channel than it is to rent a submarine and tap into an undersea fiber optic cable. Another link characteristic you should consider is that it is easier to decode unencrypted data than encrypted data, provided the hacker does not already know the decryption key and algorithm. These link characteristics suggest two preferred practices: if all else is equal, you should prefer communications links that send encrypted data over those that send unencrypted data, and you should keep your decryption keys secret.
Data encryption
The problem with using encrypted communication links instead of unencrypted links is that all things are not usually equal because encryption is not free. Encryption requires computational resources and there are overhead costs associated with managing encryption keys. Consider this simple analogy. Doors with locks are more secure than those without, so why doesn’t every door in every building have a lock? The answer, of course, is cost and convenience. Obviously, doors with no locks are cheaper than doors with them. It is also quicker to open a door if you do not have to fiddle with a key. Imagine a restaurant in which the waiters had to unlock the door to the kitchen before they brought out a tray of food! Service would be much slower and the restaurant would most likely soon go out of business. Now imagine a bank where the vault door does not have a lock. Clearly, it makes sense for banks to protect their customers’ assets by locking them in the vault, but for a restaurant it does not make sense because speed and service are more important than securing the kitchen. These lessons apply to data encryption because it has a similar effect on communications as a lock on a door; encryption costs more and it slows things down. In practice the per-packet cost of a modern symmetric cipher is small next to the bandwidth of a typical metering link; the cost that dominates is generating, distributing, rotating and protecting keys across a large meter population, and that is where the budget and the design effort should go.
Physical security
If the link is a wire, then a wire that is in a steel conduit is probably more secure than wire which is not. It is not impossible to tap into an armored cable, but it is a lot more difficult. In the case of radio systems, physical security still applies. For instance, on WiFi systems, the output power is often adjustable. If the power is turned up to maximum, the WiFi signal can penetrate the walls of a building and be accessible outside the building. A hacker in the parking lot would have access to the signal. However, if the output power is turned down so that it can only be picked up inside the walls of a building, then a hacker in the parking lot has a much harder time receiving the signal. Note that this raises the bar rather than drawing a hard boundary: a high-gain directional antenna extends the attacker’s receive range well beyond that of the ordinary clients the power level was tuned for, so reduced power is a layer of defense, not a substitute for encryption.
Mesh radio systems also help with availability in the face of physical disruption, since the self-healing properties of a mesh network tend to make the loss of a single node less likely to render any but that single node’s data inaccessible. This is different from a system in which the links are point-to-point in a chain because in such systems, disruption of a single node can render many other nodes inaccessible. Frequency hopping spread spectrum transmissions also help because the signal is spread out over a wider bandwidth. To jam such a signal, a hacker would have to send out a wider bandwidth signal than would be required to jam the corresponding single frequency signal, and the jamming signal would also have to transmit more power. Transmitting a more powerful signal generally requires a more expensive transmitting system, so it becomes less economical for a hacker to disrupt such a system.
Passwords
Passwords are very useful to restrict access, but they are only effective if used in a secure manner. For example, if I invest in a state-of-the-art lock for the front door of my home, it does not slow a thief down one bit if a key is hidden under the welcome mat. Under the mat is an obvious place for a spare key to be located, so it is not a very secure place to hide the spare key. Likewise, if all of your meters are password-protected but every meter is programmed with the same password and everyone in the utility knows that password, the likelihood that your meter data is secure is less than if all meters had different passwords and every person authorized to read meter data had his own unique password. However, as with data encryption, a common sense approach is needed to determine what is more important: security or ease of service. It costs a lot of time and money to manage the logistics of maintaining many different passwords. Real system designers must strike a balance between what is possible and what is realistic. One frequently used compromise is to only encrypt the password, but not the data. In that approach, each password is not sent over the communications channel “in the clear” (i.e., unencrypted) but the transfer of bulk data is not slowed down by trying to encrypt both the data and the password. Two caveats apply to that compromise. First, if the encrypted password is the same byte string every session, an eavesdropper does not need to decrypt it; recording it once and replaying it is enough, so the password should be proven with a challenge-response exchange rather than transmitted, even in encrypted form. Second, an unencrypted data channel has no integrity protection, so authenticating the session says nothing about whether the readings that follow were altered in transit.
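The two password problems discussed above (the logistics of a different credential per meter, and the replayability of a fixed encrypted password), as an added example that is not part of the original article. It derives a distinct per-meter secret from one master key so the head end stores a single key while no two meters share a credential, then contrasts a fixed per-session token (standing in for an encrypted password that is sent unchanged each time) with a challenge-response exchange in which the secret never crosses the link and a recorded response cannot be reused. The master key, meter ID and all function and class names are constructed for the illustration and are not taken from any metering standard.

```python
import hashlib
import hmac
import os

# constructed sample master key; in a real deployment it lives in an HSM or key server
MASTER_KEY = b"utility-master-key-constructed"


def meter_secret(meter_id: str) -> bytes:
    """Key diversification: each meter gets a different secret derived from the master,
    so the head end manages one key but no two meters share a credential."""
    return hmac.new(MASTER_KEY, b"meter-auth|" + meter_id.encode(), hashlib.sha256).digest()


# --- Weak: a fixed "encrypted password" token sent on every session ----------
def static_token(meter_id: str) -> bytes:
    # The same bytes every session. An eavesdropper who records it once can replay it
    # without ever learning the underlying secret.
    return hashlib.sha256(b"static|" + meter_secret(meter_id)).digest()


def static_verify(meter_id: str, token: bytes) -> bool:
    return hmac.compare_digest(static_token(meter_id), token)


# --- Better: challenge-response; the secret is proven, never transmitted ------
def respond(meter_id: str, challenge: bytes) -> bytes:
    """Meter side: MAC the fresh challenge with its own secret."""
    return hmac.new(meter_secret(meter_id), b"auth|" + challenge, hashlib.sha256).digest()


class Verifier:
    """Head-end side: one random, single-use challenge per meter per session."""

    def __init__(self):
        self.outstanding = {}

    def challenge(self, meter_id: str) -> bytes:
        c = os.urandom(16)
        self.outstanding[meter_id] = c
        return c

    def verify(self, meter_id: str, response: bytes) -> bool:
        c = self.outstanding.pop(meter_id, None)   # consumed on first use
        if c is None:
            return False
        return hmac.compare_digest(respond(meter_id, c), response)


def demo():
    meter = "MTR-000123"   # constructed meter identifier

    # Attacker records one static token and replays it: accepted.
    captured = static_token(meter)
    replay_static_ok = static_verify(meter, captured)

    # Legitimate challenge-response session.
    v = Verifier()
    c1 = v.challenge(meter)
    r1 = respond(meter, c1)
    first_ok = v.verify(meter, r1)

    # Attacker replays r1 against a later session: the challenge has changed, rejected.
    v.challenge(meter)
    replay_cr_ok = v.verify(meter, r1)
    return replay_static_ok, first_ok, replay_cr_ok


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Derivation from a master key removes the per-meter password bookkeeping that makes unique credentials expensive; the challenge-response step removes the value of eavesdropping on the authentication exchange. Neither protects the bulk data that follows, which still needs its own integrity check if tampering is in the threat model.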
AMR link risk analysis
Once we have identified the generic risks involved with a communications link, the next step is risk analysis. One commonly employed method of risk analysis is to start with three pieces of data for each thing that can go wrong: a description of what could go wrong, how often it is expected to go wrong in a year (the annualized rate of occurrence), and the cost resulting from a single occurrence (the single loss expectancy). The cost per occurrence times the expected number of occurrences per year gives a value called the Annualized Loss Expectancy (ALE). This can be used as a rough indication of how much per year it is worth spending to address the problem.
This is the classic approach to risk analysis, but assigning the probabilities and costs can be very difficult in practice.What is the probability that a given homeowner will dig through the telephone line for his meter?What is the probability that some unknown source will jam your radio signal?You may or may not have historical data to refer to when estimating these probabilities. Also, it is often difficult to assign costs to these items. For instance, if the threat is a customer resetting the peak demand just before the AMR system reads it, the cost might be small if the customer is a residential customer or the cost might be significant if it’s a large industrial customer.Such a reset might also be merely an annoyance if peak demand is not used for billing.
Another method for risk analysis that is somewhat more qualitative and easier to use is to enumerate the threats, the vulnerabilities and countermeasures. As with the ALE method, it is still useful to estimate a cost resulting from a failure, but with this method an estimate is usually sufficient to effectively analyze risk. After enumerating the risks, the next step is to examine the countermeasures and determine which are feasible. Some of the kinds of countermeasures one can take may cost very little, such as enabling encryption over a WiFi link that already has encryption available even if you estimate that the probability of an attack on the WiFi link is very low.
Conclusion
When considering the security of your AMR system, whether existing or proposed, remember that there are three components to your system: the backend computer, the meter, and the communications infrastructure that connects them. When evaluating the security of the communications link, consider the characteristics of the data link that may make your communications link more or less secure, including its physical security and whether it uses encryption. Ultimately, any security considerations must be evaluated in the context of the real world in which we operate. AMR planners must balance the cost and performance of the system against the costs and probabilities of system failure.
About the Author
Edward Beroset has been working with computers and software for over 20 years. He is the manager of the software and test group at Elster Electricity, where he has worked for eight years. Prior to that, Edward worked in BIOS development at Compaq. He serves on IEC and ANSI electricity metering protocol standards groups and chairs the working group which is responsible for creating the C12.22 standard. He is a member of both the IEEE and the ACM, has published several articles and holds several US and foreign patents. edward.j.beroset@us.elster.com