Professional Documents
Culture Documents
Abstract—Power System infrastructure is one of the critical intended functionalities [9]. Security of the AMI System [3]
components of any nation. The automation of the power system provides the necessity of the use of Device Language
is essential for the reliable and secure operation of the grid. message specifications-Companion Specifications for Energy
Data plays a vital role in any automated system. So, data Metering (DLMS-COSEM) protocol in smart meters.
security should be inherently present in any automated system DLMS-COSEM based energy meters are being developed
for the proper operation of the available components. For the and deployed to serve the requirements of AMI. DLMS-
automation of metering system, Advanced Metering COSEM was derived from IEC-62056 with some
Infrastructure (AMI) is being deployed in the power system. A modifications.
smart meter is a critical component of AMI, whose data is used
for load forecasting, scheduling, billing, and energy As a part of the standardization, the DLMS-COSEM
management. DLMS-COSEM acts as an application layer protocol standard is being followed globally for the smart
protocol for meter data exchange. This paper provides a meters. COSEM specifies interface class and methods for the
detailed understanding of the DLMS-COSEM communication functionalities of the meter. DLMS specifies the messages
vulnerabilities, communication attack scenarios, high-security and transportation of the data in the meter. DLMS-COSEM
features, authentication procedures and suggests the best specifications are available in the form of colored books.
methodologies to be followed by a client or third-party system Bluebook [2] describes the interface classes and
while communicating to the DLMS-COSEM servers in order
methodologies to be implemented in the meter. Green book
to have a secure data exchange.
[1] specifies procedures for the transportation of data
Keywords— DLMS-COSEM; smart meters; power system; between the client and the meter and the communication
security; Advanced Metering Infrastructure profiles for communicating through different channels are
also specified. DLMS also specifies the security architecture
for the data exchange between the client and the server. This
I. INTRODUCTION paper discusses the various security features available in the
The energy demand is increasing in a rapid phase. To DLMS-COSEM [1] and the appropriate usage of these
meet the increased energy demand, the power system has features for the authentication of the client and the data
grown from an isolated system into a robust interconnected exchange [7][16] with some case studies.
system of network. For the reliable and secure operation of
This paper contains 7 sections. Section II provides the
the power system, automation of the power system plays a
information about the procedure to access the DLMS-
crucial role. As a part of automation, Advanced metering
COSEM server objects, section III discusses the
infrastructure was being deployed in the power system. AMI
authentication procedures of the client, section IV gives the
consists of smart meters, communication networks, and data
data exchange procedures to be implemented for secure data
management systems. Implementation of AMI provides
exchange. Section V discusses possible scenarios of attacks
numerous advantages like measurement of energy usage,
and section VI provides how to communicate securely by
detect tampering, and prevents outages. As a part of AMI,
using the available DLMS-COSEM security features to
energy meters are being replaced by smart energy meters.
mitigate these attacks and section VII ends with a
Smart energy meters can communicate with the control
conclusion.
center head-end system using various communication forms
like cellular communication, Radio Frequency Mesh, NB-
IoT, LoRA, etc. The data provided by the meters are being II. DLMS-COSEM
used for billing, energy forecasting, scheduling, and energy The DLMS-COSEM server objects can be accessed by
management. The vulnerability of data being modified by the clients with proper application association (AA) of the
man-in-the-middle attacks and other cyber-attacks is client with the server. During the application association,
significant in the modern world. Different types of cyber- client and server authenticate themselves [1]. If the
attacks in the power system were presented in [6]. The application association is successful, access to the objects of
authentication of the clients, transfer of data through a secure the server will be granted based on the security contest and
channel using proper security algorithms is inevitable. Data the access rights. After the success of the application
security features must be implemented along with the association depending on the service request from the client
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 International License
92
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
the service response will be generated and sent to the client server. If the password by the client is accepted by the server
via available service access points. then the application association is established otherwise
application association will be rejected by the server.
The security context specifies the encryption, digital
signatures, and key agreement algorithms to be used for the
association. Access rights like reading access, write access
will be provided by the server depending on the type of
application association. The service access points (SAP)
present in the application layer of DLMS-COSEM can be
TCP-UDP/IP wrapped address, an HDLC address, etc.
93
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
94
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
receiver. Security features for the metering system were responses between client1 and client2, the attacker would be
discussed in [12]. The corresponding keys required for the authenticated by the clients.
encryption initially must be provided. The security setup
class also provides the provision for the key changes An experimental environment has been setup to create
depending on the key change architecture available in the scenario with authentication mechanism 3(MD5) as
DLMS-COSEM [1][8]. shown in Fig.4 the client1, client2 are deployed in systems
with IPs 10.180.5.175, 10.180.5.225 and server in
10.180.6.61. The challenge and system title of the clients are
V. SUMULATION OF ATTACKS ON DLMS exchanged where client 1 solves the challenge of the client2
COMMUNICATION and vice versa, by adding the necessary headers and
exchanging the hash provided by the clients’, the attacker
A. Authentication Attacks can be authenticated by the clients. The results of the
In low-level security (LLS) association as per the experiment have been shown in Fig.5. Similarly, the attacker
standard, the password has to be provided in plaintext in both can authenticate with clients using other authentication
ciphering and non-ciphering mode. Attackers can snip the mechanisms also except authentication mechanism 7.
communication, decipher, understand the packets, and can
The authentication mechanism 7 using ECDSA is based
retrieve the password. This password can be used by the
on asymmetric keys. The response to the challenge will be
attacker for authentication with meter and can retrieve meter
signed with the private key of the clients. The attacker acting
data. So, the LLS association has to be avoided for the
as server exchanges the challenge-response between client1
purpose of association. HLS association is preferable for
and client2. The client1 and client2 try to verify the signature
authentication of client and server, but the following are the
with the public key of the server, which will not match the
case studies where an attacker can be authenticated in HLS
intended signature. So, the attacker will not be authenticated
association.
by the clients using the ECDSA authenticating mechanism.
1) Attacker acting as a server
2) Attacker acting as a client
As shown in Fig.4 with reference to [5] the authentication
As shown in Fig.6 with reference to [13], the attacker
of clients by an attacker acting as a server can be possible by
acting as one of the clients and also placing a man in the
exchanging the challenges and challenge-response between
middle interfaces in between the client and the server. In this
client1 to client2 and client2 to client1. This is possible when
scenario, the MITM would sniff the packets of the client1
both the clients are connected to the server and initiate the
and the attacker acting as a client, exchanges the packets and
association with the same authentication mechanism in the
sent to the server. So server considers the attacker as the
same instant of time.
authorized client and the client1 as the unauthorized client.
In authentication mechanisms 3 and 4 as shown in Fig.2
An experimental setup as shown in Fig.6 client, server
the HLS secret field was not known. In general HLS secret
and attacker are deployed in machines with IP addresses
of both clients will be the same. So by exchanging the
10.180.5.175,10.180.6.16, 10.180.5.225 and the man in the
challenge responses between client1 and client2, the attacker
middle(MITM) interface has been achieved using
would be authenticated by the clients. In authentication
ettercap[17] tool running at 10.180.5.224 which monitors the
mechanism 5 using GMAC as shown in Fig.2 also has the
packets between the clients and the server.
same vulnerability even though the fields involved in
generating message digest would be different compared to Firstly the client and the attacker would get connected to
authentication mechanism 3 and 4. Both client1 and client2 the DLMS server, then the attacker would monitor the
have the same symmetric keys as the server. So clients would request and response packets of the client. The attacker
generate the same response as the server, by exchanging both frames the association request packet and sends it to the
the challenge responses between client1 and client2, the server along with the client. The server processes the request
attacker would be authenticated by the clients. and sends the reply back to the client (10.180.5.175) and the
attacker(10.180.5.225), ettercap[17] acting as the man in the
middle(MITM) interface exchanges the server response of
the client to the attacker and vice versa. So that the client
solves the challenge of the server given to the attacker and
sends it to the server, the attacker waits for the replay of the
client and MITM exchanges the client’s pass3 request with
attackers. Now the server receives the pass3 request from the
client and attacker, it authorises the attacker and un-
authorises the client. The pseudo logic for the ettercap filter
in MITM is shown below.
If source IP is 10.180.5.225 and destination port is 4059
If data is association request(pass1)
Fig. 4. Scenario of attacker acting as Server
Log the data as attacker_pass1
In the authentication mechanism 6 using SHA256 as If source IP is 10.180.5.175 and destination port is 4059
shown in Fig.2, the system titles of the clients and the server If data is association request (pass1)
would be mentioned in pass1 and pass2 of the HLS Log the data as client_pass1
authentication mechanism. Both client1 and client2 have the
same HLS secret. So client1 and client2 would generate the If source IP is 10.180.6.16 and destination IP is
same response as the server, by exchanging the challenge 10.180.5.225
95
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
96
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
97
Asian Journal of Convergence in Technology Volume VII and Issue I
ISSN NO: 2350-1146 I.F-5.11
[15] Tellbach, D., and Y. F. Li. "A survey on the cyber-security of Advanced Metering Infrastructure." In 2020 IEEE International
distributed generation systems." Proceedings of the ESREL, Portorož, Conference on Power Systems Technology (POWERCON), pp. 1-6.
Slovenia (2017): 18-22. IEEE, 2020.
[16] Sidhartha, Dodla, Lagineni Mahendra, Katta Jagan Mohan, RK [17] https://www.ettercap-project.org/
Senthil Kumar, and B. S. Bindhumadhava. "Secure and Fault-tolerant
98