Protecting your Modbus TCP/IP meter from security risks

This document introduces users to potential security issues when either a Acuvim II series/ AcuRev 2000 series meter has its Modbus port forwarded to public for external access. Once this port is forwarded to public the meter(s) security can become vulnerable.


Protecting your Modbus TCP/IP meter from security risks

Purpose: This document introduces users to potential security issues when either a Acuvim II series/ AcuRev 2000 series meter has its Modbus port forwarded to public for external access. Once this port is forwarded to public the meter(s) security can become vulnerable. Potential risks include outside users(hackers) having the capability of tampering with meter configurations through Modbus TCP/IP. This document provides some recommendations to ensure secure data transfer.

Possible Solution:

  • Use Firewalls, Authentication& Authorization or VPN:


Unauthorized access to the meters can be prevented through the use of a firewall, authentication & authorization or through use of a Virtual Private Network(VPN).



Firewalls:
Firewalls can be used to protect a network by blocking unauthorized access whiles allowing only those with authorization to access the network. A firewall can be configured to allow, deny, encrypt or decrypt traffic to and from the meter.

Different classes of firewalls include:

Packet Filtering: Basic type of firewall where information is embedded in each packet which needs to be validated prior to being forwarded.

Application-Proxy Gateway: This gateway examines packets at a application layer and filters the traffic based on the application rules.

Inspection Firewalls: Inspection firewalls are multi-layered and are a combination of the above firewall types. This firewall filters packets at a network layer and ensures that the packets and their contents at the application layer are valid.

Authentication:
Authentication can be used to authenticate and authorize users from accessing a network. It is the process of determining a user's true identity . Once all credentials match, the process is completed and the user is authorized for access.

VPN:
Reducing the risk of outside interference can be achieved by using a VPN. The VPN would provide another level of security by enabling encryption and authentication methods by preventing access to the meter's data over the public internet.

VPN Techniques:

Internet Protocol Secuirty (IPSec): IPSec provides an IP network layered encryption in order to provide a secure and private communication over IP networks.

Secure Socket Layer: SSL provides remote access through a secure and authenticated pathway by encrypting the network traffic.