
WO2025090021A1 - Security system and method for data communication concerning power grid - Google Patents

Publication number
WO2025090021A1
Authority
WO
WIPO (PCT)
Prior art keywords
power grid
data
secure device
network
backend system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/SG2024/050675
Other languages
French (fr)
Inventor
Kok Ann WONG
Yi Tang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Etymology Pte Ltd
Original Assignee
Etymology Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Etymology Pte Ltd
Publication of WO2025090021A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/84 Vehicles

Definitions

  • the present invention relates to power distribution systems, specifically focusing on the communication between individual power distribution grid meters and a backend system center for data retrieval, monitoring, and management.
  • Smart meters provide numerous advantages over traditional meters, including real-time monitoring, enhanced accuracy, and the ability to support dynamic pricing models. These meters measure various parameters such as energy consumption, voltage levels, and current, providing valuable data to both consumers and utility providers. However, to fully leverage the capabilities of smart meters, efficient communication between individual meters and the backend system center is essential.
  • a secure device adapted for power grid metering network having a plurality of power meters and a power grid metering backend system.
  • the secure device comprises a communication module having a socket for locally connecting to the power grid meters or the power grid backend system, as a gateway to transmit data over a communication network; a microprocessor acting as a control unit for the secure device and handling the data flow; an FPGA chip operationally encrypting/decrypting the data; and a secure element handling key diversification for encrypting/decrypting the data by the FPGA chip.
  • the secure device is connected locally to the power grid meters and power grid metering backend system, operationally, encrypting/decrypting data transmitting through the communication network, such that the data is end-to-end encrypted across the power grid metering network by the secure device.
  • the secure element is certified by Common Criteria (CC) or Federal Information Processing Standards (FIPS).
  • CC Common Criteria
  • FIPS Federal Information Processing Standards
  • the secure device further comprises an admin authenticator for access authentication to the secure device.
  • the admin authenticator is in a card form having its own secure element embedded therein. It is also possible that the admin authenticator is integrated on the secure device in a form of biometric scanner/sensor. The admin authenticator may be deployed remotely from the secure device.
  • a method for providing additional encryption/decryption for a power grid metering network over a communication network comprises adding secured devices to the power grid metering network having power grid meters and a power grid metering backend system connected through a communication network; activating secured elements of the secured devices; encrypting data from the power grid meters through the secured devices; transmitting the encrypted data to the power grid metering backend system through the communication network; and decrypting the encrypted data by the secured devices for processing by the power grid metering backend system.
  • the data transmitted through the communication network is end-to-end encrypted by the secure devices.
  • FIG. 1 illustrates a block diagram of a secured smart power grid metering system in accordance with an embodiment of the present invention
  • FIG. 2 illustrates a secured smart power grid metering network in accordance with an alternative embodiment of the present invention
  • FIG. 3 illustrates a process flow for a secured smart power grid metering network in accordance with an embodiment of the present invention
  • FIG. 4 illustrates a schematic diagram of the EV charging network having secured devices of FIG. 1 in accordance with an embodiment of the present invention
  • FIG. 5 illustrates a block diagram of a secure device in accordance with an alternative embodiment of the present invention.
  • FIG. 1 illustrates a block diagram of a secured transmission system for power grid metering network 100 in accordance with an embodiment of the present invention.
  • the power grid metering network 100 comprises a plurality of power meters 110 connected to a power grid metering backend system 120 through a communication network 150. Each of the power grid meters is locally connected with a secured device 182 for encrypting/decrypting data to be transmitted through the communication network 150.
  • the communication network 150 can be a private data network dedicated for the power grid metering network, or a public data network or cloud network.
  • the power grid metering network 100 further comprises a backend system secured device 184 locally connected directly to the power grid metering backend system 120 for decrypting data transmitted across the communication network 150.
  • the power grid metering backend system 120 or simply backend system for a power grid metering infrastructure is a critical component that manages, processes, and analyses data received from individual power meters.
  • One of its primary functions is data collection and aggregation.
  • the backend system may continuously collect real-time data from power meters, including energy consumption, voltage, current, and power quality parameters. This data is then compiled from numerous meters for consolidated reporting and analysis, ensuring a comprehensive view of the power grid's status and performance.
  • the backend system processes and analyses the collected data to compute energy usage, facilitating accurate billing. It may also perform pattern analysis to identify trends, peak usage times, and potential inefficiencies.
  • Anomaly detection capabilities allow the system to identify unusual patterns or discrepancies that may indicate meter tampering, fraud, or malfunction, enabling prompt intervention.
  • billing and customer management are seamlessly integrated into the backend system allowing automated billing functions.
  • the system can send alerts and notifications to customers regarding usage, billing cycles, and detected anomalies, enhancing customer service and transparency.
  • Security and compliance are paramount concerns for the backend system. It implements robust security measures to protect data from unauthorized access and cyber threats.
  • the backend system ensures that data management practices comply with industry regulations and standards, maintaining the integrity and legality of operations.
  • the secured devices 182 and the backend system secured device 184 each comprises a certified secured element adopted to encrypt/decrypt data transmitting through the communication network 150.
  • the certified secured element must at least be certified under the Common Criteria (CC) and/or Federal Information Processing Standards (FIPS) certifications. It is well understood to a skilled person that CC and FIPS certifications are security standards used to evaluate the security features of a device or system, including the smart chip, also known as a secure element. These certifications evaluate a range of security features, such as access control, authentication, secure boot, and key management, to ensure that the device or system is designed and implemented securely.
  • the communication network 150 can be any data communication network, wired and/or wireless, which include local area network (LAN) or wide area network (WAN). In another embodiment, it can also be a mobile communication network.
  • LAN local area network
  • WAN wide area network
  • the secured devices 182, 184 are adapted as plug-and-play devices.
  • the secured devices 182, 184 may adopt connectors compatible with the data communication network 150, such as the Power over Ethernet (PoE), Coax, RJ45 etc.
  • PoE Power over Ethernet
  • the secured devices 182, 184 may be adopted as integral part of the power meters and backend system.
  • the secured element in this description refers to a security module that is designed to provide secure storage and processing of sensitive data, such as cryptographic keys, certificates, and passwords. It is a microchip embedded in a device, designed to provide a secure execution environment for sensitive operations, such as authentication, encryption, and decryption, and is often used in applications that require a high level of security, such as mobile payments, digital identity, and secure communications. Further, it offers a range of security features, such as secure boot, hardware-based encryption, and secure storage of cryptographic keys. These features help to protect the secured element from physical and logical attacks, such as side-channel attacks, brute-force attacks, and tampering.
  • Secured elements are often certified by independent organizations, such as the Common Criteria (CC) or Federal Information Processing Standards (FIPS), to ensure that they meet specific security requirements. These certifications provide assurance to users and customers that the secured element has undergone rigorous testing and evaluation to ensure that it meets a high level of security.
  • the secure element is a hardware-based solution for securing data at the transport layer.
  • the solution can be a plug-and-play system that can be customized and upgraded according to the owner’s requirement and fully controlled by the owner because it can be separately fabricated and configured without affecting the power meters.
  • the owner may manage the entire power meters and the security thereof remotely and securely.
  • the use of separate encryption and decryption devices provides end-to-end encryption of data transmitted over the network. Further, such external devices having the secured element can be added to existing power meters. With these additions, the data transmissions over the power metering network can be secured, even against manufacturers of the power metering system.
  • FIG. 2 illustrates a secured transmission system for power grid metering network 200 in accordance with an alternative embodiment of the present invention.
  • the power grid metering network 200 comprises a plurality of power meters 210 connected to a power grid metering backend system 220 through a communication network 250. Each of the power meters is connected with a secured device 282 for encrypting/decrypting data to be transmitted through the communication network 250.
  • the power grid metering network 200 further comprises a backend system secured device 284 connected directly to the power grid metering backend system 220 for decrypting data received from the communication network 250.
  • the secured devices 282, 284, each comprises a secured element therein, for encrypting/decrypting data channeled into the secured devices 282, 284.
  • the secured smart power grid metering network 200 further comprises admin authenticators 292.
  • the admin authenticators 292 are adapted and personalised to the users carrying the admin authenticators 292.
  • the admin authenticators carry the user biometrics and/or passwords for authentication.
  • the authentication is needed to operate and manage the secured devices 282, 284. That realises a two-factor authentication (2FA) to activate and operate the secured devices 282, 284 for added security to the secured smart power grid metering network 200. Accordingly, in order to access the secured elements at upstream and downstream, authentication is required through the admin authenticator 292.
  • 2FA two-factor authentication
  • the admin authenticators 292 also comprise secured elements that work in conjunction with the secured devices 282, 284.
  • the secured devices 282, 284 may further comprise a reader that operationally performs verification and authentication of the admin authenticators 292.
  • the reader may be equipped with wired or wireless means for reading the admin authenticators 292.
  • the admin authenticator can be in the form of a card that stores the admin user authentication details.
  • the admin authenticator can be integrated on the secured devices 282, 284 in the form of a biometric scanner/sensor, whereby authorised personnel can access the secure elements 282, 284 for maintenance with their registered biometric information.
  • the secured devices 282, 284 can be activated at first use through the admin authenticators 292, and any subsequent maintenance shall require the admin authenticators 292 to access the secured devices 282, 284. Accordingly, without the admin authenticators 292, unauthorised personnel will not be able to access the secured devices due to the highly secured elements embedded in the admin authenticators 292. And even with the presence of the admin authenticators 292, one will require an authentication factor, such as a password or biometric identification, to prove the identity of the person holding the admin authenticator 292.
  • the admin authenticators 292 may be a handheld device having the secured element. In another embodiment, the admin authenticators 292 may be in the form of a smart-chip/card, or tokens having a secured element that can be easily carried around. In one embodiment, the secured devices 282, 284 may further comprise a biometric reader and/or password keypad.
  • the authentication process involves the use of biometric authentication, such as fingerprint recognition or facial recognition, in conjunction with the encrypted credentials to offer multi-layer security measures to ensure that only authorized personnel can access the secured devices 282, 284.
  • the secured devices 282 can only be accessed through remote authentication via the secure device 284, which is usually managed by the central office. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
  • FIG. 3 illustrates a process flow for a power grid metering network in accordance with an embodiment of the present invention.
  • the process comprises adding secured devices to a power grid metering network at step 302; activating secured elements of the secured devices at step 304; encrypting data from power meters through the secured devices at step 306; transporting the encrypted data to the power grid metering network through the communication network at step 308; and decrypting the encrypted data by the secured devices for processing by the power grid metering backend system 312.
  • the data communication over the communication network is bidirectional. All power meters can retrieve information from the power grid metering backend system, and vice versa.
  • the secured devices are added to each power meter and the backend system of the power grid metering network.
  • Each of the secured devices comprises secured elements for securing at least encryption keys.
  • Each of the secured devices can be fabricated as external or add-on devices to the power grid metering network.
  • each of the secure elements shall be activated on first use by authorized administrators. The authorized administrators are usually authorized personnel from the operator or owner of the power grid metering network. Only those activated secure elements can be used for encrypting/decrypting the data.
  • at step 306, all data transmitted through the power grid metering network is encrypted by the secure element of the secured device with the encryption keys.
  • the encrypted data is transmitted to the power grid metering network through the communication network. It is to be noted and understood that when the encrypted data travels over the communication network, which may include external network, such as internet, the encrypted data is only decryptable by the keys of the intended recipient. In the present case, the encrypted data is decryptable only by the secured device connected to the backend system (i.e. intended recipient).
  • when the secured device receives the encrypted data from the respective power meter having a secured device connected thereto, it decrypts the encrypted data and then feeds the decrypted data to the power grid metering backend system for further processing and storing of the data.
  • FIG. 4 illustrates a schematic diagram of the power grid metering network 100 having secured devices of FIG. 1 in accordance with an embodiment of the present invention.
  • the secured devices 182 and 184 each comprise a communication module 402, a microprocessor 404 and a secured element 406.
  • the secured devices 182 are provided at each power meter at the upstream side, and the secured device 184 is provided at the downstream side such that data from the upstream sides are encrypted before travelling across the network and decrypted by the secured device at the downstream side.
  • the communication module 402 provides communication ports for interfacing the power meter and the power grid metering backend system with the communication network 150.
  • Data transmitted through the secured devices is processed by the microprocessor 404 to encrypt/decrypt the data with the keys possessed by the secured elements 406.
  • data 410 from the power meters 110 are encrypted/decrypted by the secured device 182.
  • the encrypted data 420 is then transmitted to the metering backend system 120 through the network 150. Without the secured device 184, the encrypted data 420 would be meaningless to the power grid metering backend system 120. Therefore, the secured device 184 is connected to the metering backend system 120 to decrypt the encrypted data 420.
  • the decrypted data 430 may then be processed and stored on the power grid metering backend system 120.
  • data processing is done by the microprocessor 404 in conjunction with the secured elements 406 to encrypt/decrypt the data for enhanced security.
  • the present invention offers an additional, self-managed, point-to-point hardware-based encryption to secure the data over the network at transport layer.
  • the communication module may comprise a wireless communication means, i.e. antenna, GSM module, WIFI module, or Bluetooth module and/or the like.
  • FIG. 5 illustrates a block diagram of a secure device 500 in accordance with an alternative embodiment of the present invention.
  • the secure device 500 comprises a microprocessor 502, an FPGA chip 504, a secure element 506, an Ethernet transceiver 508 and an RJ45 socket 509. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
  • the microprocessor 502 acts as the control unit, managing data flow, high-level tasks, etc., while also handling communication protocols for the Ethernet transceiver 508. It hands over the data to the FPGA chip 504 for performing computationally intensive encryption or decryption tasks.
  • the FPGA chip 504 works in conjunction with the secure element 506 that handles key diversification, ensuring that encryption keys are unique and secure. This secure element 506 operationally generates or stores cryptographic keys, making it difficult for unauthorized parties to gain access. After the FPGA chip 504, aided by the secure element 506, completes the encryption or decryption, the microprocessor 502 performs additional tasks such as appending metadata, error checking, or routing the encrypted data to its destination. The microprocessor can also dynamically reconfigure the FPGA to switch between different algorithms as needed and manage other security measures.
  • the microprocessor 502 or the server/computer can be compromised by a hacker or an insider leak.
  • data passing in or out through the RJ45 socket 509 and then the Ethernet transceiver 508 is hardware-encrypted/decrypted by the FPGA chip 504.
  • the FPGA chip 504 obtains keys from the secure element 506, where key diversification is carried out. Without the key, the data would be meaningless to any hacker or intruder who obtained it.
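
The flow of FIG. 3 and the key handling of FIG. 5, sketched as an added example (not code from the patent or its applicant). Assumptions not stated on the page: key diversification is taken to mean deriving per-device keys from a master key and a device identifier (here with HKDF-SHA256), the frame layout and identifiers are constructed, an HMAC tag is added for integrity, and an HMAC-based keystream stands in for whatever cipher the FPGA would run so that the example needs only the standard library.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 12, 32


def hkdf_sha256(key: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def diversify(master_key: bytes, device_id: bytes) -> tuple:
    """Key diversification (assumed scheme): (enc_key, mac_key) bound to device_id."""
    okm = hkdf_sha256(master_key, b"metering-e2e-v1", b"device:" + device_id, 64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (assumption, not the patent's cipher).
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(device_id: bytes, keys: tuple, reading: bytes) -> bytes:
    """Meter-side device: encrypt-then-MAC one reading into a frame.

    Constructed frame layout: id_len(1) | device_id | nonce(12) | ciphertext | tag(32)
    """
    enc_key, mac_key = keys
    nonce = os.urandom(NONCE_LEN)
    header = bytes([len(device_id)]) + device_id + nonce
    ct = bytes(p ^ k for p, k in zip(reading, _keystream(enc_key, nonce, len(reading))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_frame(master_key: bytes, frame: bytes) -> tuple:
    """Backend-side device: re-derive the sender's keys, verify the tag, then decrypt."""
    if not frame or len(frame) < 1 + frame[0] + NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    body_start = 1 + frame[0] + NONCE_LEN
    header, ct, tag = frame[:body_start], frame[body_start:-TAG_LEN], frame[-TAG_LEN:]
    device_id, nonce = header[1:-NONCE_LEN], header[-NONCE_LEN:]
    enc_key, mac_key = diversify(master_key, device_id)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    reading = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return device_id, reading


def accepts(master_key: bytes, frame: bytes) -> bool:
    """True if the backend-side device would accept and decrypt the frame."""
    try:
        open_frame(master_key, frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    master = bytes(range(32))                  # constructed master key
    k1 = diversify(master, b"meter-0001")      # installed in the meter-side device at activation
    k2 = diversify(master, b"meter-0002")
    frame = seal(b"meter-0001", k1, b"kWh=1532.7;V=230.1;I=4.2")  # constructed reading
    print(open_frame(master, frame))
    # One flipped ciphertext bit must be rejected before any decryption happens.
    tampered = frame[:-40] + bytes([frame[-40] ^ 1]) + frame[-39:]
    print("tampered accepted:", accepts(master, tampered))
    # A device holding meter-0002's keys cannot speak as meter-0001.
    print("forged accepted:", accepts(master, seal(b"meter-0001", k2, b"kWh=0.0")))
```

In this model the meter-side device holds only its own derived keys, so extracting them from one device does not expose traffic from any other meter; the master key stays in the backend-side secure element.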

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a secure device adapted for a power grid metering network having a plurality of power grid meters and a power grid metering backend system. The secure device comprises a communication module having a socket for locally connecting to the power grid meter or the power grid metering backend system to transmit data over a communication network; a microprocessor acting as a control unit for the secure device and handling the data flow; an FPGA chip operationally encrypting/decrypting the data; and a secure element handling key diversification for encrypting/decrypting the data by the FPGA chip. The secure device is connected locally to the power grid meters or power grid metering backend system, such that the data is end-to-end encrypted across the power grid metering network by the secure device. There is also provided a power grid metering network and a method therefor in the present invention.

Description

SECURITY SYSTEM AND METHOD FOR DATA COMMUNICATION
CONCERNING POWER GRID
Field of the Invention
[0001] The present invention relates to power distribution systems, specifically focusing on the communication between individual power distribution grid meters and a backend system center for data retrieval, monitoring, and management.
Background
[0002] Traditionally, electrical consumption was measured using analogue meters that required manual reading by utility personnel. This method was labour-intensive, prone to human error, and lacked the ability to provide real-time data. Consequently, utility companies faced challenges in accurate billing, timely detection of outages, and efficient energy management.
[0003] The advent of digital smart meters has revolutionized the way electrical consumption is monitored and managed. Smart meters provide numerous advantages over traditional meters, including real-time monitoring, enhanced accuracy, and the ability to support dynamic pricing models. These meters measure various parameters such as energy consumption, voltage levels, and current, providing valuable data to both consumers and utility providers. However, to fully leverage the capabilities of smart meters, efficient communication between individual meters and the backend system center is essential.
[0004] Various communication technologies have been developed to facilitate the transmission of data from smart meters to backend system. Radio Frequency (RF) mesh networks use low-power radio signals to create a mesh topology where each meter acts as a node that can relay data. This decentralized approach ensures robustness and reliability, as data can take multiple paths to reach the backend system center. Despite its advantages, RF mesh networks can be limited by range and interference issues, particularly in densely populated areas.
[0005] Meters equipped with communication modems can directly send data to the backend system center via existing data network infrastructure. Despite the advancements in communication technologies, several challenges persist in the efficient and reliable transmission of data between smart meters and backend system centers. Data security and privacy are paramount, requiring robust encryption and authentication mechanisms to prevent unauthorized access and data breaches. High-density urban areas with numerous meters can experience network congestion, leading to delays in data transmission and potential data loss. As the number of smart meters increases, the communication infrastructure must scale to handle the increased data volume without compromising performance.
[0006] In view of these challenges, the present invention aims to provide an improved method and system for data communication between individual power distribution grid meters and a backend system center. The invention seeks to enhance data security, reduce network congestion, ensure scalability, and improve the reliability of data transmission. By introducing innovative communication protocols and architectures, the invention aims to optimize the performance and efficiency of smart meter communication systems, thereby supporting the effective management and monitoring of power distribution grids.
Summary
[0007] In one aspect of the present invention, there is provided a secure device adapted for a power grid metering network having a plurality of power meters and a power grid metering backend system. The secure device comprises a communication module having a socket for locally connecting to the power grid meters or the power grid backend system, as a gateway to transmit data over a communication network; a microprocessor acting as a control unit for the secure device and handling the data flow; an FPGA chip operationally encrypting/decrypting the data; and a secure element handling key diversification for encrypting/decrypting the data by the FPGA chip. The secure device is connected locally to the power grid meters and power grid metering backend system, operationally encrypting/decrypting data transmitted through the communication network, such that the data is end-to-end encrypted across the power grid metering network by the secure device.
[0008] In one embodiment, the secure element is certified by Common Criteria (CC) or Federal Information Processing Standards (FIPS).
[0009] In another embodiment, the secure device further comprises an admin authenticator for access authentication to the secure device. It is possible that the admin authenticator is in a card form having its own secure element embedded therein. It is also possible that the admin authenticator is integrated on the secure device in a form of biometric scanner/sensor. The admin authenticator may be deployed remotely from the secure device.
[0010] In another aspect of the present invention, there is further provided a power grid metering network having a plurality of power grid meters connected to a power grid metering backend system via a communication network. The communication network can be wired or wireless network. The power grid metering network comprises the aforesaid secure devices. These secure devices are connected locally and directly to the power grid meter such that data passes through the secure device before transmitting to the communication network, and another secure device connected directly before the power grid metering backend system.
[0011] In yet another aspect, there is provided a method for providing additional encryption/decryption for a power grid metering network over a communication network. The method comprises adding secured devices to the power grid metering network having power grid meters and a power grid metering backend system connected through a communication network; activating secured elements of the secured devices; encrypting data from the power grid meters through the secured devices; transmitting the encrypted data to the power grid metering backend system through the communication network; and decrypting the encrypted data by the secured devices for processing by the power grid metering backend system. The data transmitted through the communication network is end-to-end encrypted by the secure devices. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
[0012] In one embodiment, the end-to-end encryption is done by the aforesaid security device.
Brief Description of the Drawings
[0013] This invention will be described by way of non-limiting embodiments of the present invention, with reference to the accompanying drawings, in which:
[0014] FIG. 1 illustrates a block diagram of a secured smart power grid metering system in accordance with an embodiment of the present invention;
[0015] FIG. 2 illustrates a secured smart power grid metering network in accordance with an alternative embodiment of the present invention;
[0016] FIG. 3 illustrates a process flow for a secured smart power grid metering network in accordance with an embodiment of the present invention;
[0017] FIG. 4 illustrates a schematic diagram of the EV charging network having secured devices of FIG. 1 in accordance with an embodiment of the present invention, and
[0018] FIG. 5 illustrates a block diagram of a secure device in accordance with an alternative embodiment of the present invention.
[0019] These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
Detailed Description
[0020] In line with the above summary, the following description of a number of specific and alternative embodiments is provided to understand the inventive features of the present invention. It shall be apparent to one skilled in the art, however, that this invention may be practiced without such specific details. Some of the details may not be described at length so as not to obscure the invention. For ease of reference, common reference numerals will be used throughout the figures when referring to the same or similar features common to the figures.
[0021] FIG. 1 illustrates a block diagram of a secured transmission system for power grid metering network 100 in accordance with an embodiment of the present invention. The power grid metering network 100 comprises a plurality of power meters 110 connected to a power grid metering backend system 120 through a communication network 150. Each of the power grid meters is locally connected with a secured device 182 for encrypting/decrypting data to be transmitted through the communication network 150. The communication network 150 can be a private data network dedicated for the power grid metering network, or a public data network or cloud network. The power grid metering network 100 further comprises a backend system secured device 184 locally connected directly to the power grid metering backend system 120 for decrypting data transmitted across the communication network 150.
[0022] In this application, the power grid metering backend system 120 or simply backend system for a power grid metering infrastructure is a critical component that manages, processes, and analyses data received from individual power meters. One of its primary functions is data collection and aggregation. The backend system may continuously collect real-time data from power meters, including energy consumption, voltage, current, and power quality parameters. This data is then compiled from numerous meters for consolidated reporting and analysis, ensuring a comprehensive view of the power grid's status and performance. The backend system processes and analyses the collected data to compute energy usage, facilitating accurate billing. It may also perform pattern analysis to identify trends, peak usage times, and potential inefficiencies. Anomaly detection capabilities allow the system to identify unusual patterns or discrepancies that may indicate meter tampering, fraud, or malfunction, enabling prompt intervention. Hence, billing and customer management are seamlessly integrated into the backend system allowing automated billing functions. Additionally, the system can send alerts and notifications to customers regarding usage, billing cycles, and detected anomalies, enhancing customer service and transparency. Security and compliance are paramount concerns for the backend system. It implements robust security measures to protect data from unauthorized access and cyber threats. Furthermore, the backend system ensures that data management practices comply with industry regulations and standards, maintaining the integrity and legality of operations.
[0023] The secured devices 182 and the backend system secured device 184 each comprise a certified secured element adapted to encrypt/decrypt data transmitted through the communication network 150. The certified secured element must at least be certified under the Common Criteria (CC) and/or Federal Information Processing Standards (FIPS) certifications. It is well understood to a skilled person that CC and FIPS certifications are security standards used to evaluate the security features of a device or system, including the smart chip, also known as a secure element. These certifications evaluate a range of security features, such as access control, authentication, secure boot, and key management, to ensure that the device or system is designed and implemented securely.
[0024] The communication network 150 can be any data communication network, wired and/or wireless, which include local area network (LAN) or wide area network (WAN). In another embodiment, it can also be a mobile communication network.
[0025] In one embodiment, the secured devices 182, 184 are adapted as plug-and-play devices. The secured devices 182, 184 may adopt connectors compatible with the data communication network 150, such as the Power over Ethernet (PoE), Coax, RJ45 etc.
[0026] In another embodiment, the secured devices 182, 184 may be adopted as an integral part of the power meters and backend system.
[0027] For avoidance of doubt, the secured element in this description refers to a security module that is designed to provide secure storage and processing of sensitive data, such as cryptographic keys, certificates, and passwords. It is a microchip embedded in a device and is designed to provide a secure execution environment for sensitive operations, such as authentication, encryption, and decryption, and is often used in applications that require a high level of security, such as mobile payments, digital identity, and secure communications. Further, it offers a range of security features, such as secure boot, hardware-based encryption, and secure storage of cryptographic keys. These features help to protect the secured element from physical and logical attacks, such as side-channel attacks, brute-force attacks, and tampering. Secured elements are often certified by independent organizations, such as the Common Criteria (CC) or Federal Information Processing Standards (FIPS), to ensure that they meet specific security requirements. These certifications provide assurance to users and customers that the secured element has undergone rigorous testing and evaluation to ensure that it meets a high level of security.
[0028] The secure element is a hardware-based solution for securing data at the transport layer. The solution can be a plug-and-play system that can be customized and upgraded according to the owner’s requirement and fully controlled by the owner because it can be separately fabricated and configured without affecting the power meters. The owner may manage the entire power meters and the security thereof remotely and securely. The use of separate encryption and decryption devices provides end-to-end encryption of data transmitted over the network. Further, such external devices having the secured element can be added to existing power meters. With these additions, the data transmissions over the power metering network can be secured, even against manufacturers of the power metering system.
[0029] FIG. 2 illustrates a secured transmission system for power grid metering network 200 in accordance with an alternative embodiment of the present invention. Similarly, the power grid metering network 200 comprises a plurality of power meters 210 connected to a power grid metering backend system 220 through a communication network 250. Each of the power meters is connected with a secured device 282 for encrypting/decrypting data to be transmitted through the communication network 250. The power grid metering network 200 further comprises a backend system secured device 284 connected directly to the power grid metering backend system 220 for decrypting data received from the communication network 250.
[0030] The secured devices 282, 284 each comprise a secured element therein, for encrypting/decrypting data channeled into the secured devices 282, 284. The secured smart power grid metering network 200 further comprises admin authenticators 292. The admin authenticators 292 are adapted and personalised to the users carrying the admin authenticators 292. In one embodiment, the admin authenticators carry the user biometrics and/or passwords for authentication. The authentication is needed to operate and manage the secured devices 282, 284. This realises two-factor authentication (2FA) to activate and operate the secured devices 282, 284 for added security to the secured smart power grid metering network 200. Accordingly, in order to access the secured elements at upstream and downstream, authentication is required through the admin authenticator 292. In a desired embodiment, the admin authenticators 292 also comprise secured elements that work in conjunction with the secured devices 282, 284. The secured devices 282, 284 may further comprise a reader that operationally performs verification and authentication of the admin authenticators 292. The reader may be equipped with wired or wireless means for reading the admin authenticators 292. In one embodiment, the admin authenticator can be in the form of a card that stores the admin user authentication details. In another embodiment, the admin authenticator can be integrated on the secured devices 282, 284 in the form of a biometric scanner/sensor, whereby authorised personnel can access the secure elements 282, 284 for maintenance with their registered biometric information.
[0031] With the reader equipped on the secured devices 282, 284, the secured devices 282, 284 can be activated at first use through the admin authenticators 292, and any subsequent maintenance shall require the admin authenticators 292 to access the secured devices 282, 284. Accordingly, without the admin authenticators 292, unauthorised personnel will not be able to access the secured devices due to the highly secured elements embedded in the admin authenticators 292. And even with the presence of the admin authenticators 292, one will require an authentication factor, such as a password or biometric identification, to prove the identity of the person holding the admin authenticator 292.
[0032] The admin authenticators 292 may be a handheld device having the secured element. In another embodiment, the admin authenticators 292 may be in the form of a smart-chip/card, or tokens having a secured element that can be easily carried around. In one embodiment, the secured devices 282, 284 may further comprise a biometric reader and/or password keypad.
[0033] The authentication process involves the use of biometric authentication, such as fingerprint recognition or facial recognition, in conjunction with the encrypted credentials to offer multi-layer security measures to ensure that only authorized personnel can access the secured devices 282, 284.
[0034] It is well recognized that the secured elements certified under CC and/or FIPS are highly secured. One reason for this is that these secured elements are designed with specific functionality and isolation with a limited number of commands that are strictly controlled and regulated, i.e. limited attack surface. This ensures that only authorized users can access the secured devices and perform the necessary operations. Additionally, the limited number of usable commands also makes it more difficult for attackers to exploit vulnerabilities in the secured element, as there are fewer avenues for them to exploit. This limited functionality makes secured elements highly secure and provides a strong defence against a wide range of threats. Overall, secured elements that have been certified under CC or FIPS are an essential component of modern security architectures and provide a crucial layer of protection for sensitive data and applications.
[0035] In another embodiment, the secured devices 282 can only be accessed through remote authentication through the secure device 284, which is usually managed by the central office. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
[0036] FIG. 3 illustrates a process flow for a power grid metering network in accordance with an embodiment of the present invention. The process comprises adding secured devices to a power grid metering network at step 302; activating secured elements of the secured devices at step 304; encrypting data from power meters through the secured devices at step 306; transporting the encrypted data to the power grid metering network through the communication network at step 308; and decrypting the encrypted data by the secured devices for processing by the power grid metering backend system at step 312. It is to be noted that the data communication over the communication network is bidirectional. All power meters can retrieve information from the power grid metering backend system, and vice versa.
[0037] At the step 302, the secured devices are added to each power meter and the backend system of the power grid metering network. Each of the secured devices comprises secured elements for securing at least encryption keys. Each of the secured devices can be fabricated as external or add-on devices to the power grid metering network. At the step 304, each of the secure elements shall be activated on first use by authorized administrators. The authorized administrators are usually authorized personnel from the operator or owner of the power grid metering network. Only those activated secure elements can be used for encrypting/decrypting the data.
[0038] At the step 306, all data transmitted through the power grid metering network is encrypted by the secure element of the secured device with the encryption keys. At the step 308, the encrypted data is transmitted to the power grid metering network through the communication network. It is to be noted and understood that when the encrypted data travels over the communication network, which may include an external network such as the internet, the encrypted data is only decryptable by the keys of the intended recipient. In the present case, the encrypted data is decryptable only by the secured device connected to the backend system (i.e. intended recipient). At the step 312, when the secured device receives the encrypted data from the respective power meter having a secured device connected thereto, it decrypts the encrypted data, then feeds the decrypted data to the power grid metering backend system for further processing and storing of the data.
[0039] FIG. 4 illustrates a schematic diagram of the power grid metering network 100 having secured devices of FIG. 1 in accordance with an embodiment of the present invention. As shown, the secured devices 182 and 184 comprise a communication module 402, a microprocessor 404 and a secured element 406. The secured devices 182 are provided at each power meter at the upstream side, and the secured device 184 is provided at the downstream side such that data from the upstream sides are encrypted before travelling across the network and decrypted by the secured device at the downstream side. The communication module 402 provides communication ports for interfacing the power meter and the power grid metering backend system with the communication network 150. Data transmitted through the secured devices is processed by the microprocessor 404 to encrypt/decrypt data with the keys possessed by the secured elements 406. In effect, data 410 from the power meters 110 are encrypted/decrypted by the secured device 182. The encrypted data 420 is then transmitted to the metering backend system 120 through the network 150. Without the secured device 184, the encrypted data 420 would be meaningless to the power grid metering backend system 120. Therefore, the secured device 184 is connected to the metering backend system 120 to decrypt the encrypted data 420. The decrypted data 430 may then be processed and stored on the power grid metering backend system 120.
[0040] In one embodiment, data processing is done by the microprocessor 404 in conjunction with the secured elements 406 to encrypt/decrypt the data for enhanced security.
[0041] The present invention offers an additional, self-managed, point-to-point hardware-based encryption to secure the data over the network at transport layer.
[0042] In another embodiment, the communication module may comprise a wireless communication means, i.e. antenna, GSM module, WIFI module, or Bluetooth module and/or the like.
[0043] FIG. 5 illustrates a block diagram of a secure device 500 in accordance with an alternative embodiment of the present invention. The secure device 500 comprises a microprocessor 502, an FPGA chip 504, a secure element 506, an ethernet transceiver 508 and an RJ45 socket 509. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
[0044] The microprocessor 502 acts as the control unit, managing data flow, high-level tasks, etc., while also handling communication protocols for the ethernet transceiver 508. It hands over the data to the FPGA chip 504 for performing computationally intensive encryption or decryption tasks. The FPGA chip 504 works in conjunction with the secure element 506 that handles key diversification, ensuring that encryption keys are unique and secure. This secure element 506 operationally generates or stores cryptographic keys, making it difficult for unauthorized parties to gain access. After the FPGA chip 504, aided by the secure element 506, completes the encryption or decryption, the microprocessor 502 performs additional tasks such as appending metadata, error checking, or routing the encrypted data to its destination. The microprocessor can also dynamically reconfigure the FPGA to switch between different algorithms as needed and manage other security measures.
[0045] It is well understood to a skilled person that the microprocessor 502 or the server/computer can be compromised by a hacker or an insider leak. Hence, the data going in/out through the RJ45 socket 509 and then the ethernet transceiver 508 is hardware encrypted/decrypted by the FPGA chip 504. During the encryption/decryption, the FPGA chip 504 obtains keys from the secure element 506, where key diversification is carried out. So without the key, the data would be meaningless to any hacker or intruder who obtained them.
[0046] With the secure device 500 added to the upstream (i.e. power meters) and downstream (i.e. power grid metering backend system) of the power grid metering network, the data transmitted through the communication network can be encrypted/decrypted through the secured device 500.
[0047] In an alternative embodiment, the Secure Element (SE) collaborates with the Field-Programmable Gate Array (FPGA) chip to automatically validate the digital signatures of all received packets, including ICMP echo requests commonly known as "ping" packets. If the digital signature of an incoming packet does not align with the cryptographic computation performed internally by the SE, the packet is deemed to be invalid. Consequently, the SE discards this packet without issuing any response, effectively rendering the device unresponsive to unauthorized ping requests, and making its IP address invisible to potential attackers.
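The following Python sketch is an added example, not part of the patent text or of any implementation by the applicant. It illustrates the key diversification of paragraph [0044] and the verify-or-silently-discard behaviour of paragraph [0047], and goes one step further by rejecting replayed packets. HMAC-SHA256 stands in for the signature scheme, which the text does not name; the packet layout, the label, the counter and all names are assumptions, and the payload field stands for the ciphertext produced by the FPGA.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # full HMAC-SHA256 tag
LABEL = b"grid-meter-link|"    # constructed domain-separation label (assumption)


def diversify_key(master_key: bytes, device_id: bytes) -> bytes:
    """Per-device key = HMAC(master, label || device id), so no two devices share a key."""
    return hmac.new(master_key, LABEL + device_id, hashlib.sha256).digest()


def seal(device_key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    """Upstream side: header (id length, id, counter) + payload + tag over both."""
    header = struct.pack(">H", len(device_id)) + device_id + struct.pack(">Q", counter)
    tag = hmac.new(device_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class BackendGate:
    """Downstream side: verify first; return None (send nothing) on any failure."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_counter = {}    # device id -> highest counter accepted so far
        self.dropped = 0

    def _drop(self):
        self.dropped += 1          # counted locally for monitoring; no reply is sent
        return None

    def receive(self, packet: bytes):
        try:
            (id_len,) = struct.unpack_from(">H", packet, 0)
            (counter,) = struct.unpack_from(">Q", packet, 2 + id_len)
        except struct.error:
            return self._drop()    # too short or malformed, e.g. an unsolicited probe
        header_end = 2 + id_len + 8
        body_end = len(packet) - TAG_LEN
        if body_end < header_end:
            return self._drop()    # no room for a tag
        device_id = packet[2:2 + id_len]
        device_key = diversify_key(self._master_key, device_id)
        expected = hmac.new(device_key, packet[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet[body_end:]):   # constant-time compare
            return self._drop()
        if counter <= self._last_counter.get(device_id, 0):
            return self._drop()    # valid tag but already seen: replay
        self._last_counter[device_id] = counter
        return device_id, packet[header_end:body_end]


def demo():
    """Run the gate over constructed packets; returns (results, dropped count)."""
    master = bytes(range(32))                       # constructed master key
    meter = b"meter-0001"                           # constructed device id
    gate = BackendGate(master)
    key = diversify_key(master, meter)
    good = seal(key, meter, 1, b"kWh=12.5")
    tampered = bytearray(seal(key, meter, 2, b"kWh=13.0"))
    tampered[2 + len(meter) + 8] ^= 0x01            # flip one bit of the payload
    # A packet sealed with another device's key but claiming to be meter-0001.
    foreign = seal(diversify_key(master, b"meter-0002"), meter, 3, b"kWh=0.0")
    probe = b"\x08\x00\x00\x00constructed-echo"    # unauthenticated bytes, no valid tag
    results = [gate.receive(p) for p in (good, good, bytes(tampered), foreign, probe)]
    return results, gate.dropped


if __name__ == "__main__":
    print(demo())
```

Only the first packet is delivered; the replay, the tampered packet, the packet keyed for a different device and the unauthenticated probe all produce no output at all, which is the behaviour paragraph [0047] relies on.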
[0048] It should be understood that the present invention is not limited to the specific embodiments described herein. The use of the secured element and communication module is broadly applicable across various technologies beyond the disclosed examples. Any system or device requiring secure data transmission between upstream and downstream components can benefit from the integration of such secured elements. For example, the invention is also applicable to a CCTV network, EV charging network or IoT network, to take advantage of the inventive ideas to protect the data network integrity, ensuring that transmitted information remains safeguarded from unauthorized access or interception, without departing from the scope of the invention.

Claims

1. A secure device adapted for power grid metering network having a plurality of power meters and a power grid metering backend system, the secure device comprising: a communication module having a socket for locally connecting to the power grid meters or the power grid backend system, as a gateway to transmit data over a communication network; a microprocessor acts as a control unit for the secure device and handling the data flow; an FPGA chip operationally encrypting/decrypting the data; a secure element for handling key diversification for encrypting/decrypting the data by FPGA chip; wherein the secure device is connected locally to the power grid meters and power grid metering backend system, operationally, encrypting/decrypting data transmitting through the communication network, such that the data is end-to-end encrypted across the power grid metering network by the secure device.
2. The secure device of Claim 1, wherein the secure element is certified by Common Criteria (CC) or Federal Information Processing Standards (FIPS).
3. The secure device of Claim 1, wherein the secure device further comprises an admin authenticator for access authentication to the secure device.
4. The secure device of Claim 3, wherein the admin authenticator is in a card form having its own secure element embedded therein.
5. The secure device of Claim 3, wherein the admin authenticator is integrated on the secure device in a form of biometric scanner/sensor.
6. The secure device of Claim 3, wherein the admin authenticator is deployed remotely from the secure device.
7. A power grid metering network having a plurality of power grid meters connected to a power grid metering backend system via a communication network, wherein the communication network can be wired or wireless network, the power grid metering network comprising: a secure device of any one of the Claims 1- 6, wherein the secure device is connected locally and directly to the power grid meter such that data passes through the secure device before transmitting to the communication network, and another secure device connected directly before the power grid metering backend system.
8. A method for providing additional encryption/decryption for a power grid metering network over a communication network, the method comprising: adding secured devices to the power grid metering network having power grid meters and power grid metering backend system connected through a communication network; activating secured elements of the secured devices; encrypting data from power grid meter through the secured devices; transmitting the encrypted data to the EV charging backend system through the communication network, and decrypting the encrypted by the secured devices for processing by the EV charging backend system, wherein data transmitted through the communication network is end-to-end encrypted by the secure devices. These devices offer enhanced protection against unauthorized access by employing advanced encryption standards.
9. The method of Claim 8, wherein the end-to-end encryption is done by the security device in accordance with any one of claim 1-6.
PCT/SG2024/050675 2023-10-25 2024-10-23 Security system and method for data communication concerning power grid Pending WO2025090021A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SG10202303025Q 2023-10-25
SG10202303025Q 2023-10-25
SG10202400727T 2024-03-15
SG10202400727T 2024-03-15

Publications (1)

Publication Number Publication Date
WO2025090021A1 true WO2025090021A1 (en) 2025-05-01

Family

ID=95516721

Family Applications (3)

Application Number Title Priority Date Filing Date
PCT/SG2024/050676 Pending WO2025090022A1 (en) 2023-10-25 2024-10-23 Security system and method for data communication concerning internet of things (iot)
PCT/SG2024/050675 Pending WO2025090021A1 (en) 2023-10-25 2024-10-23 Security system and method for data communication concerning power grid
PCT/SG2024/050674 Pending WO2025090020A1 (en) 2023-10-25 2024-10-23 Security system and method for ev charger

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/SG2024/050676 Pending WO2025090022A1 (en) 2023-10-25 2024-10-23 Security system and method for data communication concerning internet of things (iot)

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/SG2024/050674 Pending WO2025090020A1 (en) 2023-10-25 2024-10-23 Security system and method for ev charger

Country Status (1)

Country Link
WO (3) WO2025090022A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11338985A (en) * 1998-05-26 1999-12-10 Nippon Telegr & Teleph Corp <Ntt> Security level setting determination method, IC card and method of using the same
JP2005269187A (en) * 2004-03-18 2005-09-29 Nec Infrontia Corp Cipher processing communication system
JP2018081352A (en) * 2016-11-14 2018-05-24 Necプラットフォームズ株式会社 Meter reading system, meter reading method and meter reading program
US20210400040A1 (en) * 2019-03-04 2021-12-23 Kabushiki Kaisha Toshiba Communication control device and communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016223633A1 (en) * 2016-11-29 2018-05-30 Siemens Aktiengesellschaft Method and devices for providing at least one service, in particular in the automotive environment
EP3981105A4 (en) * 2019-06-07 2023-06-28 Ohio State Innovation Foundation Systems and methods using hybrid boolean networks as physically unclonable functions

Also Published As

Publication number Publication date
WO2025090022A1 (en) 2025-05-01
WO2025090020A1 (en) 2025-05-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24882997

Country of ref document: EP

Kind code of ref document: A1