Domestic Use of Energy Conference 2003

Secure and Scalable Automated Meter Reading

Peter Palensky and Gerhard Pratl
Institute of Computer Technology, Vienna University of Technology, Vienna, Austria

ABSTRACT

This paper proposes an architecture for Automated Meter Reading (AMR) that overcomes the shortcomings of existing solutions, namely the lack of data security and the lack of scalability. Traditional meter reading systems use either point-to-point modem connections, which do not scale well, or radio or even Internet-based systems with questionable security. This article discusses these problems, suggests adequate solutions and reports first test results.

1. INTRODUCTION

Automated Meter Reading (AMR) is an established method used by electric utilities for billing their large and industrial customers. In addition to these “important” customers, AMR also makes sense in regions, like some parts of Eastern Europe, where manual reading is not at the required level of confidence. The reading frequency can also be increased: human personnel might read the meters once a year or once a month, while automation technology offers methods to obtain the consumption chart with a resolution of minutes, which might be necessary if the supply contract is based on the shape of the consumption load. Long distances and a low population density, as in rural regions of southern Africa, can also be a reason against manual meter reading. Besides plain consumption data, additional information, such as accumulated historical data, might be transmitted as well.

AMR networks are, as a matter of principle, very useful. Unfortunately the price of such a system is still at a level where it usually cannot be applied widely to all customers. The price of AMR is mainly determined by the costs of the hardware, the installation and the communication infrastructure. One can hope that AMR will become a reasonable alternative to manual meter reading, since electronics and communication components are tending to become cheaper and cheaper.

2. STATE OF THE ART AND PROBLEM

Generally AMR consists of data storage, usually a database, and a certain communication infrastructure for retrieving the meter values. This paper is dedicated to the latter topic, the communication system.

Existing and traditional AMR systems are typically based on centralized point-to-point modem or radio connections, which have one essential disadvantage: the central system that collects and processes all meter values needs a pool of modems (or comparable means of communication) for parallel access to as many meters as possible. This approach does not scale very well if hundreds of thousands of meters have to be read every 24 hours, a number that is reasonable when it comes to private customer meter reading. A possible order of magnitude of the time for reading out one meter is some minutes. Analogue phone lines, establishing the connection, authentication, protocol overhead and other factors lead to this dimension. If it takes two minutes to read out one meter, one central modem can, assuming no errors, read out approximately 700 meters per day. A utility company that wants to read out hundreds of thousands of customers therefore needs thousands of modems to fulfill this task.

Additionally, the nature of modem and telephone technology is error-prone: modem lines tend to hang, dial signaling is filtered and altered by telephone systems, and so forth. So installing and maintaining such a modem bank is not really desirable for utilities, especially because it is not their natural business. A more promising way would be to “outsource” this problem or to use some existing, maintained and proven infrastructure. Modern systems more and more try to use the infrastructure of the Internet. Internet Service Providers (ISPs) offer modem banks inherently with their network services, so existing infrastructure is shared and the maintenance is, in a sense, outsourced.

The desired AMR system has the following requirements:

- Scalability: It should be usable for ten meters as well as for hundreds of thousands of meters without altering the architectural principles.
- Security: It should be based on state-of-the-art security methods that offer confidentiality and integrity of the measurement data.
- Low cost: The system should be composed of mass-production parts that have a reasonable price in order to be used for a large number of customers.

2.1 IGUANA GATEWAY

The first two of the three requirements were tackled within the IGUANA project, carried out 1999-2002 at the Institute of Computer Technology in Vienna [1]. An IP-capable device, the IGUANA gateway, reads out and logs energy meters via direct digital S0 inputs or via some local field area network like LonWorks [2]. The logged data is then sent to or retrieved by the respective service provider (typically an electric utility) via the Internet. Envidatec Corporation in Hamburg, Germany and Festo Corporation in Vienna, Austria put the IGUANA project into practice. Commercial products are available on the market and have proved their commercial usefulness. However, these products are slightly too expensive for private customers and are therefore currently only used for billing small/medium enterprises and larger industrial customers.
The IGUANA architecture uses existing and local ISPs instead of requiring its own set of proprietary communication infrastructure. The IGUANA gateway node basically consists of an embedded microprocessor system, based on embedded Linux, and a modem. The modem is typically an analogue telephone modem or an ISDN modem. The IP connection is a non-permanent one; the devices dial in on demand. Establishing the IP connection can happen in a number of different ways depending on who wants to reach whom.

2.2 IGUANA SECURITY

Joining the “open IP world” does not only have advantages. Security in particular must be investigated intensively when connecting a billing device to the World Wide Web. The IGUANA security is based on Smart Card technology [3], where electronic chip cards are the secure container for all security-relevant data and applications like digital keys, security algorithms or electronic signatures.

The problems of the existing IGUANA gateways are:

- Relatively high price.
- Internet access usually via a corporate telephone system. This is an administrative problem (since such telephone connections are usually locked for certain telephone domains, which include ISPs) and a technological problem (PABX telephone systems sometimes alter the signaling so that modems cannot signal to each other).
- General-purpose operating systems like Linux are not ideal for security-relevant applications; the security-relevant parts should be packed into a secure environment.

IGUANA is thus the first version of a flexible and distributed AMR system, while this paper tries to sketch the next steps. The goals for these next steps are to:

- reduce the price,
- use a more suitable global communication network than the analogue telephone network, and
- find a more secure hardware platform, without sacrificing the scalability of the distributed IGUANA architecture.

The proposed new system is based on a hardware platform that is currently not widely employed in AMR: a Java-enabled cellular phone. Instead of designing proprietary hardware, a regular off-the-shelf cellular phone provides the necessary resources for data processing and transmission. The devices are relatively cheap and the installation does not require any new communication wires, which reduces the costs of the AMR system even more. Furthermore such devices offer sophisticated technology to implement state-of-the-art data security. This paper explains the technological background and discusses the pros and cons.

3. JAVA SUPPORT IN CONSUMER DEVICES

Over the last years the Java programming language returned more and more to the devices it was originally planned for: electronic consumer devices. Because Java failed to achieve this goal when first initiated, development focused more towards the more powerful desktop PC and workstation environment, where Java is by now an established programming language. Sun Microsystems was always keen on supporting the embedded devices market with various “dialects” of Java. In the years past, we have seen EmbeddedJava and PersonalJava, both compatible with the Java language specification, but with reduced memory footprint and functionality in order to make Java feasible for embedded devices. Neither EmbeddedJava nor PersonalJava fully satisfied the needs of consumer devices, so Sun started a new attempt to achieve the original goal of the Java programming language.

This effort resulted in the Java 2 Micro Edition (J2ME), which defines an environment targeted at embedded and consumer devices such as wireless handhelds, PDAs and, of course, cellular phones. All these devices have in common that their design does not allow for full support of the Java 2 Standard Edition (J2SE) implementation [4]. A system that is based on the J2ME requires a cellular phone that not only supports J2ME but also provides the necessary environment. This environment consists of a configuration and a profile for the J2ME. The configuration being used in cellular phones is the Connected Limited Device Configuration (CLDC), a configuration that is tailored towards resource-constrained, low-end devices with limited connectivity [5]. Sun has provided a reference implementation of the Java virtual machine for the CLDC, which does not fully support J2SE 1.3 but, on the other hand, is designed for a memory footprint as small as some tens of kilobytes. A profile for the J2ME extends the configuration (in this case the CLDC), providing extra features or libraries that are not included in the configuration by default. This allows for better adaptation to the devices being used by adding, for example, support for a user interface, persistent storage of data or security mechanisms such as encryption, authentication and Public Key Infrastructure (PKI) support. The profile commonly used today is the Mobile Information Device Profile version 2 (MIDP 2.0). Apart from configurations and profiles, other optional packages are available, of which the Wireless Messaging API is relevant for our system, since it provides support for sending and receiving text or binary messages.

4. METER READING

The phone is the only device that is being used to process, store and transmit data; it is connected to an energy meter using the serial interface of the mobile phone. The mobile phone runs a Java application that has several different modules: a component that retrieves and translates the data from the energy meter, a storage component that stores historical data until transfer to the utility company's database, and a component that is responsible
for secure transmission using transport methods available in the GSM network.

The first problem is that the serial interface of the mobile phone does not necessarily comply with the interface of the energy meter, if the meter has a serial interface at all. The meter might have a plain S0 output, an RS232, an M-Bus or a proprietary RS485 interface. So the respective component needs to be adapted in hardware and software to the specific energy meter being used. In most cases the Java application has to count the S0 pulses that the meter sends and calculate the total consumed energy by summing up the pulses. Vital for the correct reading of energy is that the component does not miss pulses, which means ensuring that the component is sufficiently prioritized in the Java system. Secondly, the behaviour upon restarting the system is critical: after a power failure the energy meter will start counting energy again and the cellular phone will have to boot up (assuming it is not equipped with a battery) while the counting component might not yet be active. Therefore we propose two things for this AMR platform:

- Battery support, which is actually standard for an off-the-shelf mobile phone.
- A hardware counter that does not miss pulses. Since the Java Virtual Machine (JVM) is very likely not real-time capable, this will be a small external component with a digital hardware counter. It can be read out by the mobile phone or can even feed its values into the phone. This also solves a couple of problems, like the electrical interfacing between the phone and the meter interface and the fact that phones currently cannot initiate serial communication but only respond to requests, which can come from this external counter.

5. DATA STORAGE AND TRANSMISSION

Although theoretically a cellular phone has the ability to maintain a permanent data connection (packet-oriented services like GPRS), it will most likely not do so; the reason is the cost that results from such a permanent connection. It is therefore reasonable to send the logged values collected in packets of, for example, one day: the user of the system configures it to collect data for a certain amount of time (e.g. a day or a month), to store this data and to transmit the complete set of historical data at once, thus reducing online costs or protocol overhead. The storage has to be optimized, since memory resources are typically very limited [6]. Also, it is only reasonable to use volatile memory if the cellular phone is equipped with a battery, which might not always be the case; even if it is equipped with a battery, data will be lost after longer periods of power disconnection. Therefore the usage of non-volatile memory is advisable. This memory comes in two kinds on a cellular phone: for one, the phone itself is equipped with a certain amount of Flash memory that is usually used for configuration data and phone-book entries. Second, modern Smart Cards that are used in cellular phones are equipped with some kilobytes of non-volatile memory. Both can be used to store historical data; the difficulty here arises from the lack of standardization support. Currently, the J2ME is very restricted in its access to resources, for reasons of security and prevention of abuse by malicious applications. Standardization efforts are ongoing and will result in an extended J2ME profile in the near future. Until then a proprietary solution has to be used, which unfortunately makes it harder to move the system onto a different phone.

The means for transmitting data in a GSM network using a cellular phone are manifold. If standard SMS (short message service) [6] is not used, the proven family of TCP/IP-based protocols might be a good choice. The decision that has to be taken here is which higher-layer protocol shall be used for transmitting data. A set of protocols has been examined for suitability in [7]. In the AMR application it is reasonable to argue that the protocol overhead imposed by additional higher-layer protocols shall be kept at a minimum. For one, the Java application has to implement the necessary protocol, which increases the memory footprint; second, the costs for data transmission can be kept low if only small protocol headers are added to the payload data. On the other hand, using a standard protocol like HTTP that is available by default in many Java-enabled phones removes the memory issues and allows for convenient, standardized data transmission.

6. SECURITY

The vital part of the data transmission is the security [8]. GSM has transport layer encryption built in, which is supported by most network providers. However, this encryption is commonly not used all the way, but only for the radio transmission. As soon as the cable-bound GSM backbone is used, data is transmitted unencrypted. Apart from that, a different form of security might be desired that cannot be achieved by simply using the provided transport layer security. The key issue here is the distribution of keys between clients and data acquisition systems. It shall also be possible that different users, such as utility companies and service providers, use data originating from one cellular phone. The users shall not be able to read data that are not intended for them. This results in a sophisticated user structure that has to be reflected, for example, by having different keys available to communicate with different users.

The most intuitive way to implement security would be to use the Smart Card that is present in the mobile phone (the SIM, Subscriber Identification Module). This will be done in any case; however, currently the standardization of the Java 2 Micro Edition does not yet support full access to the Smart Card resources. For example, it is not possible to conveniently store encryption keys or to use the crypto-coprocessor of the SIM card. Some mobile phones have two SIM slots, where the second one could be used for an ordinary Smart Card that hosts the security-relevant parts of the AMR application. The preferable way, of course, would be to have one single SIM card that can execute multiple small applications on a Mobile Information Device (“MIDlets”) in a sandbox, just like Java Cards can already do (“Cardlets”) [5]. Until then, the processor of the mobile phone will host all parts of the AMR application.

Another very important aspect is the certification of such devices, since billing systems are usually required to comply with a certain certification standard.
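For the key-distribution requirement just described (several consumers of one phone's data, each with its own key, protected end to end rather than only on the radio link) and for the plausibility and heartbeat checks listed among the administrative measures later in this section, here is an added Python example; it is not the paper's or the IGUANA project's code. It uses only the standard library: per-consumer keys are derived from an assumed per-meter master key, an HMAC-SHA256 counter-mode keystream stands in for the SIM crypto-coprocessor the paper would prefer, and the batch layout, consumer names and readings are constructed samples.

```python
import hashlib, hmac, json, os, struct

# Assumed: one master key per meter, held on the SIM/Smart Card in a real
# deployment. Keys, readings and batch layout below are constructed samples.
MASTER = bytes(range(32))
HISTORY = [11.8, 12.4, 12.1, 13.0, 11.5, 12.7, 12.2]   # past daily kWh of this user
SAMPLE_BATCH = {
    "meter": "meter-0001",
    "readings": [["2003-03-01", 12.3], ["2003-03-02", 0.1], ["2003-03-03", 12.9]],
    "heartbeats": ["2003-03-01", "2003-03-03"],        # 03-02 never reported in
}

def consumer_key(master, consumer):
    """One sub-key per data consumer (utility, service provider): a batch
    sealed for one of them is unreadable and unverifiable for the other."""
    return hmac.new(master, b"amr-consumer:" + consumer.encode(), hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for a vetted AEAD cipher."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, payload):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag, end to end across the backbone."""
    enc_key, mac_key = key[:16], key[16:]
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def open_sealed(key, msg):
    """Plaintext, or None when the tag fails (wrong consumer key, corruption, tampering)."""
    if len(msg) < 28:
        return None
    enc_key, mac_key = key[:16], key[16:]
    nonce, ct, tag = msg[:12], msg[12:-16], msg[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def validity_range(history, k=3.0):
    """Range of validity from historical daily values: median +/- k * MAD,
    so a single outlier in the history does not widen the range."""
    s = sorted(history)
    median = s[len(s) // 2]
    mad = sorted(abs(x - median) for x in s)[len(s) // 2]
    if mad == 0:                    # flat history: allow 10 % either way
        mad = 0.1 * median
    return max(0.0, median - k * mad), median + k * mad

def check_batch(batch, history):
    """Administrative checks on one decrypted batch: consumption outside the
    validity range and days without a heartbeat. Returns finding strings."""
    findings = []
    lo, hi = validity_range(history)
    for day, kwh in batch["readings"]:
        if not lo <= kwh <= hi:
            findings.append(f"{day}: {kwh} kWh outside validity range {lo:.1f}-{hi:.1f}")
    reported = set(batch["heartbeats"])
    for day, _ in batch["readings"]:
        if day not in reported:
            findings.append(f"{day}: heartbeat missing")
    return findings

def demo():
    """Seal the sample batch for the utility, then check it on the receiving side."""
    k_utility = consumer_key(MASTER, "utility")
    k_provider = consumer_key(MASTER, "service-provider")
    wire = seal(k_utility, json.dumps(SAMPLE_BATCH).encode())
    assert open_sealed(k_provider, wire) is None   # other consumer: no access
    batch = json.loads(open_sealed(k_utility, wire))
    return check_batch(batch, HISTORY)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample batch the receiver reports the 0.1 kWh day as outside the user's validity range and the same day as missing its heartbeat, the combination a tamper alarm would be raised on.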
Security, however, is not fully achieved by simply securing the data transmission channel with cryptographic methods, even if they are implemented in secure hardware like Smart Cards. A large part of the security-relevant aspects are of an administrative nature. Possible measures against threats to the AMR security are:

- Plausibility checks of the energy consumption (historical values of typical users and groups of users can be taken as a range of validity for the consumption profile),
- Heartbeat signals of all involved devices,
- Secure software platforms (with a sandbox, digitally signed applications, etc.), and
- Tamper logs and alarm messages (devices should realize that they are physically

A system that supports the services mentioned above was developed in the second part of the IGUANA project: the JEVis Database [9]. The JEVis Database is a sophisticated, portal-like on-line database system for energy-related data that is capable of calculating and interpreting energy data. Additionally it is a management node for IGUANA gateways and is modular enough to be connected to the new AMR nodes of this article as well. This system can also discover thievery and ground faults by comparing measurement data from the energy distributor with the billing data from the energy provider. The sources of these data do not necessarily need to be a communication gateway like the proposed mobile phones but can also be some other database.

7. RESULTS AND OUTLOOK

First tests of secure data transmission on Java-enabled mobile phones were successfully done with SMS-based communication. Further tests will be done using standard TCP/IP connections via Internet Service Providers and by implementing the overall concept. Currently the standard SIMs and existing devices do not allow flexible hosting of applications on the native SIM card of the phone, so either a second SIM card was used for the security-relevant parts of the AMR application or they were even executed in the ordinary virtual machine of the mobile phone. The usage of a second SIM card in the phone was successfully tested; the availability of such phones, however, is not guaranteed for the future. This is why multi-application SIM cards will be the future platform of our choice.

Further research will also be done on the possibilities of prepaid systems that are entirely based on SMS messaging, so that one can “recharge” one's energy supply via one's normal mobile phone as the user front-end.

8. REFERENCES

[1] Pratl, G., Lobachov, M. and Sauter, T.: “Highly modular gateway architecture for fieldbus/Internet connections”, in 4th IFAC International Conference on Fieldbus Systems and their Applications, 2001
[2] Loy, D., Dietrich, D. and Schweinzer, H.-J. (Eds.): “Open Control Networks, LonWorks/EIA 709 Technology”, Kluwer Academic Publishers, 2001
[3] Rankl, W. and Effing, W.: “Handbuch der Chipkarten”, Hanser Verlag, Munich, ISBN 3-446-22036-4, 2002
[4] Topley, K.: “J2ME in a Nutshell”, O'Reilly, 2002
[5] Ortiz, C. E. and Giguere, E.: “Mobile Information Device Profile for Java 2 Micro Edition”, Wiley, 2002
[6] Guthery, S. B. and Cronin, M. J.: “Mobile Application Development with the SMS and SIM Toolkit”, McGraw-Hill, New York, 2002
[7] Lobachov, M., Pratl, G. and Sauter, T.: “Applicability of Internet Protocols for Fieldbus Access”, in Proceedings of the 4th IEEE Workshop on Factory Communication Systems WFCS, 2002
[8] Sauter, T. and Palensky, P.: “Security Considerations for FAN-Internet connections”, 3rd IEEE Workshop on Factory Communication Systems, Barcelona, 2000
[9] Palensky, P.: “The JEVis System - An advanced Database for Energy-related Services”, Proceedings of Power and Energy Systems, Palm Springs, USA, 2003

9. AUTHOR(S)

Principal Author: Peter Palensky holds a Dr. degree from the Vienna University of Technology, Austria. His research areas are distributed applications, networking and energy management. He is also with Envidatec GmbH (Hamburg, Germany).

Co-author: Gerhard Pratl holds a master's degree in electrical engineering from the Vienna University of Technology. His research interests are, among others, network and automation technology, field area networks and the Internet.

Presenter: The paper is presented by Gerhard Pratl.