
Security considerations in AMR / AMI

Balagopal Mathoor
Kalki Communication Technologies Ltd
balagopal@kalkitech.in
Most utilities across the world are now on their way towards the smart grid by installing smart meters and AMR/AMI in the power generation, transmission and distribution sectors, for reasons such as Aggregate Technical and Commercial loss reduction, reduction of greenhouse gas emissions and alignment with governmental energy policies. In this venture most utilities also try to address the latest smart grid functions such as demand side management including home area network, remote connect/disconnect and firmware upgrade over the air. The scene is thus set for Information Technology and Telecommunication to emerge and play an equally important role along with power system engineering in the overall scheme of things. The critical nature of the application thus invites serious attention to the data security risks associated with IT-based telecommunication, as the consequences of a security breach can range from mere invasion of private data to serious life or health threats.

Figure 1: Typical AMR/AMI Network

Problem overview:

AMR/AMI is a very critical asset for any utility, with huge investment, and shall be protected from all sorts of security threats which may damage it or prevent its normal functioning. There are various intentional and unintentional data security threats to the AMR/AMI with far-reaching consequences; a few are discussed below.

A key for successful AMR/AMI is the availability of communication link/bandwidth for authorized clients for their routine activities such as data retrieval or execution of commands (such as connect/disconnect or demand response). Many a time a hacker can damage the availability by inserting large volumes of data into the channel, thereby jamming the network or causing denial of service to authorized parties. The consequences vary from preventing an authorized AMR/AMI client from getting meter load/billing data to preventing a connect/disconnect command execution, which could delay the consumer from getting back the power supply or closing the gas/water meter valve.

Another security issue is unauthorized parties accessing AMR/AMI data by spying at any point between the meter and the head end system. The first level of consequences is an unauthorized system/person viewing meter data and breach of privacy. There could be further consequences depending on how the intercepted data is used; for example, any critical password/key obtained in the process might enable the unauthorized system/personnel to issue commands into the meter.

Data integrity ensures that the data received by one station is authentic and was never altered while in transit, either intentionally or unintentionally. Data alteration scenarios vary from manipulating the data while in transit, thereby providing fraudulent information, to spoofing the meter by replacing it with a simulator computer program/device.

Security Considerations

Authenticated access: All components in the AMI network, viz. smart meter, intelligent modem/data concentrator and head end system, shall support user management with distinct role based access, with distinct security levels and passwords. The access rights and security levels for each user shall be judiciously planned during the project design phase.

Data encryption: Cyber security using cryptographic algorithms is already adopted in critical communications of Information Technology systems. A cryptographic algorithm transforms the data at its source; the data is then transmitted via the communication link and restored to its original format at the destination using the algorithm and key as per the cryptography scheme used. This prevents intentional eavesdropping and spoofing, as unauthorized agents cannot act without the security elements. The cryptography scheme selected shall be judiciously used only for the critical data, so that non-critical and frequently read data is free from the processing overheads required for cryptography. The security suite shall be carefully selected to withstand various attacks such as pattern matching or replay mechanisms.

Data integrity checks: Data integrity check mechanisms ensure that data received at the destination is authentic and not altered while in transit. Data integrity checks can be part of the data link layer and/or the application layer. A common approach is to attach an authentication tag at the end of the message, computed for the message using a CRC generator polynomial or any authentication algorithm.

Securing the security: Experience has taught us that mere adoption of authentication/encryption is not sufficient. The success of this mechanism relies on the security suite and its judicious use. Requirements for the security suite include provision for securing the security elements such as the keys, changing/transferring the keys, and distinction between unicast and broadcast communication, the latter being critical. Above all, there shall be a strong security policy put in practice, such as regular change of passwords/keys and non-disclosure of the passwords to any unauthorized person.
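The two kinds of tag named under "Data integrity checks" behave differently against deliberate alteration, shown here in an added example that is not from the paper: a CRC trailer can be recomputed by whoever alters the message, while a keyed tag cannot. HMAC-SHA-256 stands in for "any authentication algorithm", and the readings and keys are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// withCRC appends a CRC-32 trailer: anyone can compute it, no secret is involved.
func withCRC(msg []byte) []byte {
	return binary.BigEndian.AppendUint32(append([]byte{}, msg...), crc32.ChecksumIEEE(msg))
}

func crcOK(frame []byte) bool {
	if len(frame) < 4 {
		return false
	}
	body, tail := frame[:len(frame)-4], frame[len(frame)-4:]
	return crc32.ChecksumIEEE(body) == binary.BigEndian.Uint32(tail)
}

// withMAC appends an HMAC-SHA-256 tag that only holders of key can produce.
func withMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(append([]byte{}, msg...))
}

func macOK(key, frame []byte) bool {
	if len(frame) < sha256.Size {
		return false
	}
	body, tag := frame[:len(frame)-sha256.Size], frame[len(frame)-sha256.Size:]
	return hmac.Equal(withMAC(key, body)[len(body):], tag) // constant-time comparison
}

// Demo reports what each check says about an altered message that was re-tagged without the key.
func Demo() string {
	altered := []byte("kWh=0001") // constructed reading, changed in transit
	return fmt.Sprintf("crc accepts: %v, mac accepts: %v",
		crcOK(withCRC(altered)), macOK([]byte("meter key"), withMAC([]byte("guess"), altered)))
}

func main() { fmt.Println(Demo()) }
```

The CRC still catches accidental corruption such as line noise, which is why it remains useful at the data link layer.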
Event logging and reporting: Any abnormal activity or activity worth attention is called an event and shall be recorded along with a time stamp and any other related information. The event log can thus be used as an offline tool for audit trail or diagnosis. Apart from logging, events can be prioritized and critical events can be configured for real-time reporting via the telemetry protocol, SMS or email to the concerned authority.

An illustration of a security related event log inside a meter is shown in Figure 2.

| Time-stamp | Source | Event description |
|---|---|---|
| 01/01/11 02:00 PM | Programming client | Logged in |
| 01/01/11 02:00 PM | Programming client | Billing/MD Reset |
| 01/01/11 12:01 AM | Programming client | Logged out |
| 05/01/11 10:00 PM | Programming client | Invalid log-in rejected |
| 05/01/11 10:10 PM | Programming client | Invalid log-in rejected |
| 05/01/11 10:20 PM | Programming client | Invalid log-in rejected |
| 05/01/11 10:22 PM | Self | Invalid log-in count exceeded. Entering Communication lock-in period |

Figure 2: Event log
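One way a head end could re-derive the lock-in decision from a log like Figure 2, added here as an example and not taken from the paper or from DLMS/COSEM. The limit of three rejections, the 30-minute window, the 15-minute lock-in and the DD/MM/YY reading of the time-stamps are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed policy values; Figure 2 does not state them.
const (
	limit   = 3                // rejected log-ins that trigger a lock-in
	window  = 30 * time.Minute // span in which they must fall
	lockFor = 15 * time.Minute // length of the communication lock-in
)
type Entry struct{ Stamp, Source, Desc string }

// LockIns replays a log and returns, per source, when its lock-in period ends.
func LockIns(log []Entry) (map[string]time.Time, error) {
	fails, locks := map[string][]time.Time{}, map[string]time.Time{}
	for _, e := range log {
		at, err := time.Parse("02/01/06 03:04 PM", e.Stamp) // DD/MM/YY assumed
		if err != nil {
			return nil, fmt.Errorf("bad time-stamp %q: %w", e.Stamp, err)
		}
		switch e.Desc {
		case "Logged in":
			delete(fails, e.Source) // a successful log-in clears the count
		case "Invalid log-in rejected":
			recent := []time.Time{at}
			for _, t := range fails[e.Source] {
				if at.Sub(t) <= window { // keep only failures inside the window
					recent = append(recent, t)
				}
			}
			fails[e.Source] = recent
			if len(recent) >= limit {
				locks[e.Source] = at.Add(lockFor)
			}
		}
	}
	return locks, nil
}

func main() {
	who, bad := "Programming client", "Invalid log-in rejected"
	fmt.Println(LockIns([]Entry{ // rows transcribed from Figure 2
		{"05/01/11 10:00 PM", who, bad},
		{"05/01/11 10:10 PM", who, bad},
		{"05/01/11 10:20 PM", who, bad},
	}))
}
```

Rejections spaced further apart than the window never reach the limit, so the window length decides how slow an attempt series can go without being locked out.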

Communication protocol:
All the above security considerations boil down to the choice of communication protocol. This section explains the AMR/AMI security aspects in DLMS/COSEM (IEC 62056), one of the most popularly followed metering communication protocols.
Role based access: DLMS/COSEM allows modeling a meter or data concentrator with multiple logical devices, each supporting multiple client associations. Thus data can be organized in multiple logical devices as per the role based access requirements of the project. Within a logical device, access rights can be further configured to the minutest level, i.e. object attributes/methods. Depending on the criticality of the data, each attribute/method can be assigned any of the following access rights:
1. no access
2. read only
3. write only
4. read and write
5. authenticated read only
6. authenticated write only
7. authenticated read and write
Authentication:
The security level for sign-on authentication can be configured for each user. The security levels supported in DLMS/COSEM include:
1. No security
2. Low level security - clear text password
3. High Level - custom processing
4. High Level - MD5 algorithm
5. High Level - SHA1 algorithm
6. High Level - GMAC algorithm
Encryption and data integrity:
DLMS/COSEM supports AES GCM 128 cryptography for data encryption and authentication. The security overview in DLMS is shown in Drawing 2. Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance. It is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. The AES algorithm is used by millions of users for internet banking, wireless communications, and the data on their hard disks. Theoretically the number of steps to find the key for AES-128 is an 8 followed by 37 zeroes, which is highly impractical. Cryptographic protection of DLMS messages (xDLMS PDUs) is illustrated in Figure 3.

Figure 3: Cryptographic protection of xDLMS APDU using GCM
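An added sketch (not code from the paper or from the DLMS/COSEM specification) of AES-GCM-128 protection with the replay rejection asked for under "Data encryption", using Go's standard library. The frame layout, the nonce built from an 8-byte sender title and a 4-byte invocation counter, the 12-byte tag and the header byte value are assumptions of this example; one Link value plays both ends of the channel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Assumed layout: nonce = 8-byte title || 4-byte counter; frame = counter || ciphertext || 12-byte tag.
type Link struct {
	aead  cipher.AEAD
	title [8]byte
	next  uint64 // lowest invocation counter still acceptable
}
func NewLink(key [16]byte, title [8]byte) *Link {
	blk, _ := aes.NewCipher(key[:])           // a 16-byte key selects AES-128 and cannot fail
	a, _ := cipher.NewGCMWithTagSize(blk, 12) // 12 bytes is a tag size GCM permits
	return &Link{aead: a, title: title}
}
func (l *Link) nonce(ic uint32) []byte {
	return binary.BigEndian.AppendUint32(append([]byte{}, l.title[:]...), ic)
}

// Seal encrypts apdu under counter ic; hdr is authenticated but sent in clear.
func (l *Link) Seal(ic uint32, hdr byte, apdu []byte) []byte {
	return l.aead.Seal(binary.BigEndian.AppendUint32(nil, ic), l.nonce(ic), apdu, []byte{hdr})
}

// Open verifies the tag, then refuses any counter at or below the last accepted one.
func (l *Link) Open(hdr byte, frame []byte) ([]byte, error) {
	if len(frame) < 16 {
		return nil, fmt.Errorf("frame too short")
	}
	ic := binary.BigEndian.Uint32(frame)
	pt, err := l.aead.Open(nil, l.nonce(ic), frame[4:], []byte{hdr})
	if err != nil || uint64(ic) < l.next {
		return nil, fmt.Errorf("rejected counter %d (tag error: %v)", ic, err)
	}
	l.next = uint64(ic) + 1 // state advances only for frames whose tag verified
	return pt, nil
}

func main() {
	l := NewLink([16]byte{1, 2, 3}, [8]byte{'M', 'T', 'R'}) // constructed key and title
	f := l.Seal(7, 0x30, []byte("disconnect"))
	_, first := l.Open(0x30, f)
	_, again := l.Open(0x30, f) // the same frame presented a second time
	fmt.Println(first, again)
}
```

The sender must never reuse a counter under the same key, since a repeated GCM nonce breaks both confidentiality and the tag.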

Event logs and reporting in DLMS: The Profile generic interface class allows event logs to be modelled so that events are recorded along with a time-stamp and any other associated data at the time of the event. In addition to logging into the event log object, critical events such as suspicious invalid login attempts or invalid access/modification of security elements shall be immediately brought to the notice of the utility. The event notification service in the COSEM application layer enables immediate reporting of any critical event. The utility will be able to dynamically enable or disable event reporting by appropriately writing to event mask/filter objects, thereby optimizing the data traffic by not having to report unnecessary events.

Conclusion
It is clear that the key for secure AMR/AMI is the selection of the right protocol, adopting secure user practices at the utility back office and imparting physical security and activity logs in all components. We recommend the DLMS/COSEM protocol as a secure, scalable and interoperable metering protocol. The flexibility of DLMS/COSEM also enables implementers to achieve security without having to sacrifice performance or cost.

About the author


Balagopal Mathoor works as Solution Architect in the AMR/AMI Center of Excellence of Kalki Communication Technologies Ltd. He has been working in the domain of metering communication protocols for the past seven years under various capacities such as software design and development, consultant, trainer and solution architect. He has been closely studying the DLMS/COSEM protocol since 2004 and has been participating in various national and international standardization committees and conferences.
