Loading header...

A meter that can be read remotely can also be tampered with remotely — unless the protocol enforces strong security. DLMS/COSEM has a well-defined security architecture built into the standard.

Why Security Matters in Metering

  • Revenue protection — an attacker who can SET energy registers can zero out consumption
  • Grid safety — an attacker who can invoke disconnect on thousands of meters simultaneously can destabilise the grid
  • Privacy — 15-minute interval data reveals occupancy, appliance usage, and daily routines
  • Data integrity — billing disputes require proof that meter readings were not modified in transit

Security Suites

DLMS defines three security suites (also called security policies):

Suite Authentication Encryption Use case
Suite 0 None or low-level password None Legacy / non-critical
Suite 1 Challenge-response (GMAC) AES-GCM 128-bit Standard deployments
Suite 2 ECDSA + ECDH AES-GCM 256-bit High-security / critical infra

Most modern deployments use Suite 1 — AES-128 with GCM (Galois/Counter Mode), which provides both encryption and authentication in a single pass.

Suite 1 — How AES-GCM Works

AES-GCM provides authenticated encryption: the ciphertext can only be decrypted by someone with the correct key, AND any tampering with the ciphertext is detected.

flowchart LR P[Plaintext APDU] --> E[AES-128-GCM\nEncrypt + Authenticate] K[Encryption Key\n128-bit] --> E IV[Initialisation Vector\nSystem title + Frame counter] --> E E --> C[Ciphertext] E --> T[Authentication Tag\n12 bytes] C --> TX[Transmitted APDU] T --> TX

The frame counter is a monotonically increasing 32-bit value. It prevents replay attacks — an eavesdropper cannot replay a captured packet because the meter rejects any frame whose counter is not higher than the last accepted one.

Keys in DLMS

Each meter holds multiple cryptographic keys:

Key name Purpose
Global Unicast Encryption Key (GUEK) Encrypts unicast communication
Global Broadcast Encryption Key (GBEK) Encrypts broadcast commands (e.g. demand response)
Authentication Key (AK) Used in authentication tag computation
Master Key (MK) Used only to wrap/unwrap other keys during key change

Keys are provisioned at the factory and rotated periodically by the utility. Key rotation uses the key_transfer ACTION method, where the new key is wrapped (encrypted) with the Master Key.

Authentication Levels

DLMS defines four access levels, controlled by the Association objects inside the meter:

Level Name Typical rights
0 No security Read public data (serial number, firmware version)
1 Low-level (LLS) Password-based; read standard energy data
2 High-level (HLS) GMAC challenge-response; full read + some writes
3 High-level manufacturer Full access including calibration

The HLS handshake:

sequenceDiagram participant C as Client (HES) participant S as Meter C->>S: AARQ with client challenge (Cc) S-->>C: AARE with server challenge (Cs) + result=pending Note over C: Compute f(Cc, Cs, AK) using AES-GMAC C->>S: ACTION(reply_to_HLS_authentication, f(Cs)) Note over S: Verify f(Cs), compute f(Cc) S-->>C: ACTION.response with f(Cc) Note over C: Verify f(Cc) — mutual authentication complete

Both sides verify each other — neither the meter nor the HES blindly trusts the other.

Security in Practice

flowchart TD A[Meter provisioned at factory\nKeys burned in secure element] --> B[Deployed in field] B --> C{HES connects} C -->|AARQ + challenge| D[Meter sends server challenge] D --> E[Both sides authenticate\nusing AES-GMAC] E --> F[Encrypted session begins] F --> G[All APDUs encrypted\nwith AES-GCM] G --> H[Frame counter checked\non every packet] H -->|Counter replay?| I[Reject + log security event] H -->|Counter valid?| J[Accept and process]

Common Security Pitfalls

Problem Consequence
Default keys not changed Any attacker with the default key can control all meters
Frame counter not stored in NVM After power cycle, meter resets counter; replay attacks possible
Broadcast key reused across all meters Compromise of one meter compromises all
No key rotation policy Old keys accumulate risk over years

Key Takeaway

DLMS security is not optional — it is part of the standard. Suite 1 with AES-128-GCM is the minimum for any production deployment. The most common vulnerability in real deployments is not a flaw in the cryptography but in key management: default keys, no rotation, and insecure provisioning.