Wired M-Bus (Meter-Bus), the widely used European standard for remote reading of heat network meters, has drawn fire recently from providers of alternative solutions because it doesn’t use encryption. But that doesn’t mean it’s not 100% secure, says Sam Clarke, Business Development Manager at Kurve Technologies.
In the context of billing systems, data security is paramount, for obvious reasons. Breaches or losses can pose serious risks to users, not to mention heavy financial penalties and severe reputational damage for the organisations responsible.
When it comes to heat networks, however, evolving changes in the regulatory landscape plus new technical developments can make it hard for housing providers to keep up with the latest security requirements, let alone futureproof their systems. There are numerous data tools and methodologies to choose from within a market that’s still largely unregulated. Meanwhile, a certain amount of misinformation has leaked into discussions, muddying the waters further.
All this can make ensuring the security of remote meter-reading technology seem as difficult as it is high-stakes. So how do you sort the hype from the helpful to make sure you have the best solution for each scheme?
What’s changing?
With the 2020 update to the Heat Network (Metering & Billing) Regulations (2014), individual meters for final customers providing accurate, detailed and transparent usage data became a legal requirement. Until now, however, the emphasis has been on ensuring accurate billing, rather than explicitly detailing meter-security measures.
Next year, the Government plans to launch the Heat Network Technical Assurance Scheme (HNTAS). This will hold organisations involved in the planning, construction and management of heat networks to stringent technical and service standards. It aims to increase system efficiency, reduce costs, and improve the consumer experience.
The exact contents of the HNTAS rules are not yet known, but we do know metering will be an important area of focus. While a variety of technical approaches are likely to be deemed acceptable, there will certainly be a duty of care on the heat supplier to make sure all associated data is always handled securely.
Uncertainty
Ahead of details about the new directives being available, there is understandably a degree of nervousness among local authorities and housing associations about whether their systems will be up to the mark.
One particular concern for many of our clients is whether their wired M-Bus metering architecture will be deemed insecure because it’s not encrypted. Fortunately, we’re able to reassure them on this score.
How meter data is captured and communicated
When heat meters are set up according to best-practice guidelines and installed in every property, consumption data is typically transferred from individual devices to an on-site hub or gateway. This can be done either through a hard-wired M-Bus connection or wirelessly via SIM-cards, mesh systems, or wireless M-Bus.
Once data reaches the hub, it’s sent in encrypted form to a remote billing system. Next, it’s presented to the consumer via their bills or, in the case of pay-as-you-go, via a web-app or in-home display. Finally, payment is made via a secure payment system.
Some metering and billing providers also offer additional platforms for monitoring consumption and payment data or to identify opportunities for energy-efficiency improvements.
Keeping data secure
Most data breaches occur due to a lack of strong security measures. This is often a result of third-party providers not having adequate processes in place, and/or wireless data being transmitted without encryption. It’s essential to ensure that all data transmitted wirelessly is fully encrypted using HTTPS. Cloud-based systems should operate within a virtual private cloud (VPC) and transfers between software platforms should happen through an application programming interface (API) communication with authentication, virtual private network (VPN) protection, or machine-to-machine connection.
It’s also good practice to transfer different types of data at different points in the transmission journey. For example, no information that’s collected or transmitted onsite should contain personal details like names or addresses; only individual meter serial numbers and energy consumption readings should be sent from household meters to the central hub. The hub itself should be installed in a locked cabinet within the energy centre or another secure area.
Residents’ online accounts should always be password-protected, ideally with two-factor authentication (2FA). Although this is not currently a requirement, it is advisable. Additionally, web fields for online payments should always be hosted directly by the payment provider, with credit and debit card numbers masked, so only the last four digits are displayed.
When selecting a metering system, always choose a provider with Cyber Essentials and ISO 27001 accreditations. These government-backed schemes indicate they have structured processes in place to protect against cyber security threats.
Is M-Bus secure?
The short answer is, ‘Yes’. The reason M-Bus doesn’t require encryption is because its inherent physical nature means it’s far less vulnerable to hacking and interception than wireless solutions. Cables are locked away inside a riser, making them very difficult to access. Furthermore, the data they transmit is of no use to criminals, as, when used correctly,contains zero personal information.
For all these reasons, the technology has been the preferred system for automated meter readings within the CIBSE heat network Code of Practice since 2015. I’m aware of no M-Bus data breach in the history of the technology. If used in conjunction with the measures outlined above, M-Bus allows for data transmission that is at least as safe as encrypted wireless solutions.