The on-going deregulation of worldwide energy distribution markets is driving the need for smart utility distribution grids and smart meters, enabling both utility providers and consumers to monitor the detailed consumption of an end user at any time through open communication networks. The energy market is the most affected today, but related issues are also relevant to other utility markets such as water or gas. Thus, although the following description refers mainly to utility meters for measuring electric power consumption, the subject-matter of the invention is not limited to such meters but also relates to utility meters for controlling and measuring other kinds of utility consumption, such as gas or water.
While a number of legacy meters already implement some point-to-point automated reading protocols using, for instance, standard optical or modem interfaces, they are not able to interact with either the end user's home area network devices or the remote utility monitoring facilities using wireless or power line communication networks. The industry's answer to this regulatory requirement over the next decade will therefore consist in replacing the legacy meters with so-called smart meters.
Smart meters enable utility providers to monitor the detailed consumption of an end user at any time through open communication networks and a number of them are now required to implement a remote disconnect feature, so that the utility can remotely stop the service distribution for instance in the case of non-payment.
The document WO2004/034069 discloses a system for controlling utility meters in which consumer electrical installations are each connected to a point of delivery meter (optionally associated with a prepayment controller) located inside the house of the consumer. Point of delivery meters are each provided with a data retention unit. Each data retention unit is operatively associated with short-range communication means for communicating its data to an external communication station. The latter is a mobile station which can be easily carried by an inspector when he has to go to the consumer's house to inspect the supply installation and, for instance, determine whether or not there are irregularities. This mobile communication station has wireless communication means for communicating with a central processing station in order to exchange data of a particular point of delivery meter (and/or prepayment controller) that is under examination by the inspector. Owing to this system the inspector has access to data from the utility meter (via the data retention unit) without having to go inside the consumer's house.
The document WO2011/025397 discloses an automatic remote-metering apparatus and system comprising a utility meter provided with an input/output unit that sends and receives data signals to and from a control unit connected to a remote central metering station by a communication unit. The utility meter is also provided with sets of tampering sensors to deter and protect the meter from malicious activities/tampering.
The document WO02/37227 discloses a utility system comprising a distribution network for distributing resource to a customer, a meter for metering the resource and for connecting and disconnecting a supply of the resource distributed to the customer, a control center for controlling distribution of the resource and two communication systems for sending information either from the meter to the control center or from the latter to the meter. The information includes signals for disconnecting or connecting the supply of the resource distributed to the consumer.
Clearly, the resulting dependency of the basic metering functionality on remote communication messages raises significant concerns about its effective robustness to software bugs as well as to emerging threats such as smart grid worms and viruses taking advantage of smart meter security design flaws that may not be known at the time of deployment but may become critical later. This is particularly evident in the case of the remote disconnect feature, which is a major disruption target for cyber-terrorism but also a possible entry point for local thieves as a way to disconnect house alarms from their power source.
In practice, today's security designs for smart grids and smart meters are largely inspired by the telecommunication industry, and many of them are subject to emerging standardization by international committees such as ANSI or IEC. However, the requirements are very different, as telecommunication end devices such as mobile phones, set-top boxes or even television receivers seldom exceed an operational lifetime of 10 to 20 years. In contrast, metering equipment is typically installed at the time a house is built and is meant to last at least 20 years, if not 50 to 100 years.
Once the standard security specifications are defined, it is no longer possible to update their design (for instance, cryptographic algorithms, key lengths and key management systems) without breaking compliance. This is a major issue in deregulated markets, where any metering device model from any manufacturer needs to operate with any utility provider infrastructure, possibly for the next 50 to 100 years.
There is therefore a need for alternative solutions designed from the beginning to enable life-long security monitoring, maintenance and renewability. In this approach, special attention needs to be given to the design of security system messaging.
Moreover, in order to strengthen or renew their security by "over the air" updates, smart meter standards define ways to change security credentials as well as to update the firmware at the meter level, possibly for security purposes, through remote communications.
As described in the "OpenWay by Itron Security Overview" White Paper from Itron, for practical, operational reasons, some of the corresponding messages may be broadcast or multicast into the utility grid network without a secure receipt acknowledgement from each target meter, typically because of the overhead of managing the corresponding upstream messages in a large-scale metering deployment (for instance 10 million meters). In such a one-way (stateless) communication model, a simple way for the end user to avoid a remote disconnect, a security credential update or a security firmware update therefore consists in spying on and filtering out the corresponding downstream command messages from the utility before they reach the smart meter.
Even if the system operates in a full (stateful) or partial (semi-stateful) two-way communication model, a hacker will try to extract the smart meter private keys, especially those corresponding to global secrets, by various types of local attacks, in order to use the stolen keys to generate artificial acknowledgement messages upstream back to the utility. Depending on the quality of the meter security implementation design, some of those attacks may require physical damage to the meter hardware and can therefore be detected afterwards, for instance during a meter integrity control visit by the utility staff; but some brute-force attacks may be applicable without opening the meter, and thus remain undetectable afterwards.
Ideally, no global system security keys would be stored in the meter at any time, so that hacking a single meter implementation to steal its secret keys cannot result in a global system failure. An example of such a global failure is well known to those skilled in the art from the DVD-CSS security design failure in the field of video content protection. As illustrated by the above quoted Itron white paper, it is known however that current state of the art meter implementations rely upon a global secret key to initiate the security communication key handling protocols.
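The two failure modes described above (a filtered downstream command that never reaches the meter, and a forged upstream acknowledgement built from a key stolen out of one meter) can be made concrete with a small model. The following Python example is added here for illustration and is not part of the patent text or of any vendor's implementation: a utility broadcasts a signed command, meters that receive it return an HMAC-based acknowledgement bound to their identity and the command sequence number, and the utility marks a meter as updated only on a valid acknowledgement. The meter identifiers, the command, the "filtered" meter M003 and the "compromised" meter M001 are all constructed for the example; the only assumption is that an attacker who breaks into one meter obtains whatever key that meter holds.

```python
"""
Added example, not from the original document: a toy model of the
acknowledgement problem for broadcast security updates.

Two key designs are compared under the same attack:
  * global secret: every meter holds the same key (the design criticised above);
  * per-meter secret: each meter holds its own key.
The attacker extracts the key of one meter (M001) and uses it to forge the
acknowledgement of another meter (M003) whose owner filtered out the command.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag over a message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def ack_payload(meter_id: str, seq: int) -> bytes:
    """Acknowledgement binds meter identity and command sequence number, so a
    captured ack cannot be replayed for another meter or another command."""
    return b"ACK|" + meter_id.encode() + b"|" + seq.to_bytes(4, "big")


class Utility:
    def __init__(self, meter_ids, global_key: Optional[bytes] = None):
        # Constructed provisioning: one shared key, or one random key per meter.
        self.keys: Dict[str, bytes] = {
            m: (global_key if global_key is not None else secrets.token_bytes(32))
            for m in meter_ids
        }
        self.updated = set()   # meters the utility believes have applied the command
        self.seq = 0

    def broadcast(self, command: bytes) -> Tuple[int, bytes]:
        self.seq += 1
        return self.seq, command

    def receive_ack(self, meter_id: str, seq: int, tag: bytes) -> bool:
        expected = mac(self.keys[meter_id], ack_payload(meter_id, seq))
        if hmac.compare_digest(expected, tag):
            self.updated.add(meter_id)
            return True
        return False


class Meter:
    def __init__(self, meter_id: str, key: bytes):
        self.id, self.key = meter_id, key

    def handle(self, seq: int, command: bytes) -> Tuple[str, int, bytes]:
        # Applying the command is elided; only the signed acknowledgement matters here.
        return self.id, seq, mac(self.key, ack_payload(self.id, seq))


def run_scenario(shared_global_key: bool) -> dict:
    ids = ["M001", "M002", "M003"]
    utility = Utility(ids, secrets.token_bytes(32) if shared_global_key else None)
    meters = {m: Meter(m, utility.keys[m]) for m in ids}

    seq, cmd = utility.broadcast(b"FW_UPDATE v2")

    # M003's owner filters the downstream command: it never reaches the meter,
    # so no genuine acknowledgement is produced for it.
    for m in ["M001", "M002"]:
        utility.receive_ack(*meters[m].handle(seq, cmd))
    missing_before = set(ids) - utility.updated   # a stateful utility notices M003

    # Local attack on M001 yields its key; the attacker forges M003's ack with it.
    stolen_key = meters["M001"].key
    forged_tag = mac(stolen_key, ack_payload("M003", seq))
    forged_accepted = utility.receive_ack("M003", seq, forged_tag)

    return {
        "missing_acks_before_forgery": missing_before,
        "forged_ack_accepted": forged_accepted,
        "believed_updated": set(utility.updated),
    }


if __name__ == "__main__":
    print("global secret  :", run_scenario(True))
    print("per-meter keys :", run_scenario(False))
```

With the global secret, the forged acknowledgement verifies and the utility wrongly records M003 as updated, which is exactly the single-meter-to-global-failure path the text warns about; with per-meter keys the forgery is rejected and M003 stays visible as a missing acknowledgement. In the purely one-way model there is no `receive_ack` step at all, so the filtered meter is never noticed in the first place.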
There is therefore a need for a better communication system and method design to enforce those security updates without relying on the combination of stateful two-way communications with a perfectly trusted security implementation on the meter side.