Measured consumption data forms the basis for all contracts between the market participants in a liberalised energy market. In the past, the most critical criterion a meter had to fulfil was precision of the measurement. Today precision is taken for granted. In addition, the market requires a secure and traceable data exchange process from the meter to the bill. The Selma concept (secure electronic measurement data exchange) provides a security architecture supporting the authentication of measuring data, secure data access and the certification of software.
Selma represents a comprehensive security concept adapted to the needs of liberalised energy (electricity, gas, water, heat) markets. Selma considers the complete metering process chain – from calibration and installation to measurement and billing. The Selma security architecture considers the following ‘boundary conditions’:
- Existing international standards for communication and security.
- Economic conditions in the metering environment (low life-cycle costs, communication channels with limited capacity).
- Regulatory conditions in the metering environment (country-specific approval and calibration processes).
The Selma solution is modular and scalable. With Selma, customised, cost-efficient security solutions can be built. Interoperability is achieved by using standards, enabling system integration at minimal costs.
SELMA’S THREE SECURITY MODULES
Authentication of measuring data:
(Classic correspondence: signed document)
The metering device adds an electronic signature to the measurement data. The signature stays with the data during its entire lifetime. The signature provides proof that the data is original, that it originates from a well defined meter, and that it was measured at a specified time. Market participants can check their bills by verifying the signature.
Secure data access:
(Classic correspondence: sealed envelope)
A digital signature is added to the communication services, which identifies the client accessing the metering device and the metering device itself. The metering device grants access to predefined clients, providing predefined sets of data. With the help of this module even insecure channels can be used for security-critical interactions (e.g. clock setting, parameter download, SW download). This module enables the use of the Internet for measuring data acquisition and meter park management.
Certified device components:
(Classic correspondence: registration mark)
New parameter sets or new software versions are certified and signed by the corresponding certification authorities. On the other side, the measuring device verifies the signature. Only parameter sets or software versions with a valid signature are accepted. This module forms the basis for ‘in-field’ reconfiguration. Costly dismounting and re-certification can be avoided, and meter maintenance can be substantially simplified.
Figure 1. The three application modules of Selma
THE SECURITY TECHNOLOGY
The signature method shown in Figure 2 forms the basis for all security modules. The data to be sent (e.g. the measurement data) is compressed to a fixed number of bytes, the so-called hash value, using a standard algorithm. The signature is calculated by encrypting the hash value using the private key. The signature is then transmitted together with the original data. It should be noted that the original data is not altered by the signature, so it is still possible for the receiver to interpret the data using existing communication means, by just ignoring the signature. (This facilitates the stepwise introduction of signed data into an existing system environment.)
On the receiver’s side the received signature is decrypted and compared with the calculated hash value. If the two values are equal, the signature is declared valid, and the data is accepted as authentic.
The described ‘asymmetric’ ciphering method uses a different key for encryption and decryption. For signature applications the encryption key is kept secret (private key) whereas the decryption key is made public (public key). This means the generation of the signature is only possible for the authorised party, whereas the verification of the signature can be performed by anybody.
The distribution of the public keys is a critical issue. The keys must be certified by a trustworthy body (SigCA, Signature Certification Agency). The key exchange is based on key certificates signed by the certification body. The security concept of Selma specifies the key exchange in detail by building on the existing infrastructure of approval and certification bodies.
Authentication of measurement data in the system environment
The measurement data is divided into daily profiles, which are load profiles according to VDEW2.1, divided into daily units. Each daily unit is signed separately by the measuring device. Additional information (meter number, meter point identification, measurement date and other measurement parameters) is added in order to make the daily data units unambiguously interpretable at any point of time.
Figure 2. Security through signature technology
Figure 3. Authenticated measuring data for the validation of the customer bill
Selma defines the daily profiles and other data models in great detail. For this purpose the same standardised description language is used as in the DLMS standard. This allows the Selma data models to be transferred to international standards easily.
Signed daily profiles are transmitted via the existing communication channels to the data acquisition system and archived (see figure 3). In addition, the measuring data is packed into an Internet-compatible XML file. The XML file is then offered to the end customer via an existing Internet server. The customer can validate the authenticity of the measuring data and cross-check it with the bill.
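The signing and verification of one daily unit, as described above, can be sketched as follows. This is an added example, not code from the Selma specification: the key pair is a constructed toy (textbook RSA without padding), and the field names and sample values are assumptions.

```python
import hashlib
import json

# Constructed toy key pair: textbook RSA without padding, built from two
# well-known Mersenne primes. It only mirrors the hash-then-sign flow in the
# text; a real meter would use a standard padded scheme and a protected key.
E = 65537
N = (2**521 - 1) * (2**607 - 1)                      # public modulus
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))          # private exponent


def digest(unit: dict) -> int:
    """Hash a canonical encoding of the daily unit, metadata included."""
    canonical = json.dumps(unit, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def sign_daily_unit(unit: dict, d: int = D, n: int = N) -> dict:
    """Meter side: attach the signature; the unit itself is not altered."""
    return {"unit": unit, "signature": pow(digest(unit), d, n)}


def verify_daily_unit(signed: dict, e: int = E, n: int = N) -> bool:
    """Receiver side: recover the hash from the signature and compare."""
    return pow(signed["signature"], e, n) == digest(signed["unit"])


def demo() -> dict:
    # Constructed sample: 96 quarter-hour values; field names are assumptions.
    unit = {"meter_number": "MTR-0001", "metering_point": "MP-EXAMPLE-01",
            "date": "2004-03-01", "interval_min": 15, "values_kwh": [0.25] * 96}
    signed = sign_daily_unit(unit)
    sig = signed["signature"]
    lowered = {"unit": dict(unit, values_kwh=[0.20] * 96), "signature": sig}
    redated = {"unit": dict(unit, date="2004-03-02"), "signature": sig}
    other_n = (2**1279 - 1) * (2**2203 - 1)          # some other meter's key
    return {
        "original": verify_daily_unit(signed),
        "values_changed": verify_daily_unit(lowered),
        "replayed_as_other_day": verify_daily_unit(redated),
        "checked_with_wrong_key": verify_daily_unit(signed, n=other_n),
        "data_readable_without_signature": signed["unit"] == unit,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Because the meter number, metering point and date are hashed together with the values, a valid signature cannot be moved to another day or another meter's data.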
The Selma concept allows the use of existing infrastructure on the one hand, and on the other hand it opens the doors for new technology. Selma is particularly suitable for use in conjunction with Internet technologies.
The architecture of the measuring device must be adapted to the new possibilities offered by electronic certification of software and parameters. Figure 4 shows how the software must be partitioned into ‘certified SW’ (signed by the certification body) and ‘approved SW’ (signed by the approval body) according to established approval practice. The download handler classifies the SW and initiates the corresponding signature verification.
Figure 4: Certified software/parameter handling
Checks during the initial approval process ensure that the download handler correctly performs the classification of the SW and that the signature verification is correctly done.
The signature unit as standard component
The signature method is based on standard algorithms  and . By using these standards an internationally accepted security level is reached. In addition, standards guarantee independence of the manufacturers.
Selma goes one step further. In order to ease the approval process for the introduction of the novel technology in the metering environment, Selma uses a pre-certified signature module. The module comes in the form of a chip-card, which is placed under the certification seal of the meter. Manufacturers using the pre-certified chip-card do not need additional approval tests for the signature unit.
Selma offers a security concept matched to the business processes around energy consumption metering. The signature of the measurement data greatly simplifies the validation of the consumption data at any point in the process chain from the meter to the bill. Customer call-backs and re-readings of meters can be avoided, and Selma enables downloading of certified software/parameter packages. Meter maintenance can be automated and maintenance costs can be reduced. Selma is based on established international standards and can therefore easily be integrated into existing IT infrastructures. The Selma security architecture is scalable and can be introduced step by step, keeping the investment risk low.