Hydro-Québec mesh network

Notes below are bits of information that I found about Landis+Gyr Gridstream RF electric counters. All of it is public information and mostly obvious, I just needed somewhere to document it (unfortunately, the specification itself of the counters is not free, so I have not published any information about that). The above image is from a Hydro-Québec report to the Commission d’accès à l’information, linked below.

NB: I have zero interest in the health concerns of the counters. Those claims have been debunked multiple times. If you’re so worried about your health, perhaps start with the excessive amounts of automobile pollution in and around Montreal. I was interested by the privacy of the counters. The initial claims from Hydro-Québec were very vague and they somehow thought industry standards should be secret, which is never a good sign in security, even (or perhaps especially) for large scale data monitoring. Here’s a a great 31c3 presentation on an unrelated topic: SCADA StrangeLove: Too Smart Grid in da Cloud (this does not affect HQ smart meters, just food for thought regarding often poor security practices of grid devices).

tl;dr: The counters do use encryption. The communication protocols do use standards that are documented (IDIS/DLMS-UA). Unfortunately, to read those standards, one must pay a fair amount of money. I personally do not have an opinion on whether we should or should not use these specific counters. I agree on the need for such counters. I would however require to have open and freely accessible standards, since implementing good cryptography is difficult and audit by (academic or private) researchers should be welcomed.

Model:

  • Landis+Gyr Gridstream RF, Type: FOCUS AXR-SD, module model 26-1552
  • Includes: FCC ID: TEB-HUNTSU864, IC: 5931A-HUNTSU864 (RF module)
  • According to FCC, range is 902-928 mHz, output watts: 0.56. http://transition.fcc.gov/oet/ea/fccid/ (enter: TEB, then: “-HUNTSU864”)

According to Landis+Gyr public documentation:

  • “The Gridstream RF solution provides NSA Suite B approved non-proprietary cryptographic algorithms and proven RSA key management appliances for key storage, generation and scalable encryption/decryption processing capabilities. Additionally, the FIPS 140-2 validated SafeNet Hardware Security Module allows Landis+Gyr customers to securely store cryptographic keys used to digitally sign downstream messages and commands in order to provide a strong root of trust among the head-end system and the RF devices in the network.” Reference

  • “Landis+Gyr strongly believes in establishing an open and mature security process. The Gridstream security solution is based on industry accepted security protocols and standards. It is built on the premise of openness: open architecture, open collaboration and open standards to bring the strongest security mechanisms for protecting the interests of utilities and end users.” Reference (page 5)

  • “Gridstream offers the ability to add third-party components to the IT infrastructure, including a Key Manager from RSA Laboratories and SafeNet’s Hardware Security Module (HSM).” (ibid, page 4)

  • “Iskraemeco, Itron and Landis+Gyr today announced a significant initiative in the development of interoperable smart meters supporting utility applications. The three companies expect the new offering will promote faster and broader deployment of advanced metering management (AMM) devices and services based on open standards, thereby responding to a compelling customer demand. […] This is achieved by incorporating interoperable device interface specifications (IDIS) that are based on existing open international standards as defined and maintained by the DLMS-UA.” Reference

Québec: Régie de l’énergie:

Commission d’accès à l’information:

Selon ce rapport, il est indiqué que:

  • Les compteurs communiquent par sans-fil (wifi maillé, 900 mHz, bande publique) au routeur le plus près (grosses boites que l’on peut voir sur certains poteaux d’Hydro-Québec), qui les acheminera à un collecteur (ça ressemble à quoi?), pour ensuite les retransmettre au frontal d’acquisition via le réseau étendu (Rogers Communications).

  • Les compteurs transmettent leurs données six fois par jour.

  • “Les compteurs […] enregistrent la valeur affichée au compteur à chaque intervalle de 15 minutes. Chacun de ces intervalles est ensuite regroupé en paquets de 16 enregistrements, pour un total de quatre heures de consommation. Ces paquets sont appelés « profil de consommation ». Une fois le profil de consommation complété, il est transmis, via le réseau, vers le frontal d’acquisition. La transmission des profils de consommation est donc effectuée six fois par jour, soit environ toutes les quatre heures.” – selon la page 8, section 10, il semblerait que le “profil de consommation” soit composé des lectures enregistrées aux 15 minutes.

  • “Les données transmises sont conservées pour une période moyenne de 45 jours sur le compteur et pendant 100 jours une fois parvenus au frontal d’acquisition. Une fois ces délais opérationnels expirés (lecture, facturation, etc.), les données sont archivées pour des motifs comptables pour une période de 5 ans.”

TEB-HUNTSU864 RF module

c.f. specs Régie de l’énergie du Québec, 2012-03-19

Focus counters have the RF module placed at the front of the counter. c.f. Régie de l’énergie du Québec, 2012-03-28, page 40.

According to a Hydro-Quebec expert, they estimate that 77% of counters send their data directly to a collector, and 23% will relay using an average of 4.4 relays on the mesh network. Of that 23%, 3% will relay through 19 counters. (ibid, page 79, F. Robichaud).

Unconfirmed

  • “Focus AXR” is the same as “Focus AXR-SD”, but it does not have a built in disconnect switch ref

Types of RF meters

  • AMR “bubble up” meter (Itron/Schlumberger C1SR) - usually transmit every 30 to 60 seconds, read by passing trucks.
  • ERT (http://en.wikipedia.org/wiki/Encoder_receiver_transmitter) “wake up” meter (Elster AB1R) - only transmits when queried by passing truck. Mostly obsolete, since does not implement a “smart grid”, i.e. live status of consumption and failures.
  • AMI mesh smart meter (Landis+Gyr Focus AXR and RXRS4e)

References

NB: I do not support “hyper-sensitivity” theories. I reference some of those articles only because they often have good tech details on RF counters.