In December 2015, malicious software attacks by hackers on the Ukrainian State Grid hit the power grid in many regions; 225 thousand people lost power supply, and the attack caused great financial loss. It is therefore critical to ensure the security of the State Grid, which is closely linked to the national economy and people's livelihood. In China, the DL/T645 communication protocol is the one most widely used in smart meter systems. When the protocol was designed, only the integrity of its functions and the reliability of transmission were taken into account: data is transmitted in plaintext and security was ignored. In addition, the data acquisition terminal is unsupervised, which leaves it vulnerable to physical, protocol and program attacks. When a man-in-the-middle attack occurs, it results in data tampering, network congestion and other risks. In serious cases it leads to misjudgment by the main station system, which seriously threatens the communication security of smart meters.
Against this background, many researchers have proposed different solutions. Taimin Zhang, Xin Lu et al. proposed a communication method based on encrypting data with a session key. Zhao Bing, Qi Feng et al. proposed a two-way interactive, multi-protection communication protocol (BIMP) in which the communicating parties exchange encryption and decryption information 5 times, but this burden is too heavy for a smart meter with weak computing power. Wei Yong et al. proposed an effective integration method between smart terminals and GIS/PMS systems to ensure efficient collection of grid data resources, but it is not effective against man-in-the-middle attacks and replay attacks.
Based on the above, this paper built a real experimental environment and successfully carried out ARP spoofing against the process of meter data acquisition. This proved that meter data acquisition is vulnerable to man-in-the-middle attack, which exposes the communication data to eavesdropping. To solve this problem, this paper presents a method of secure data acquisition for smart meters based on the RSA algorithm, with bidirectional authentication and encryption. During data acquisition it prevents malicious third parties from capturing and eavesdropping on communication data, avoids leakage of electricity data, and so achieves the purpose of preventing man-in-the-middle attack, replay attack and eavesdropping.
Tests show that the scheme can effectively deal with man-in-the-middle attack, replay attack and eavesdropping. Moreover, the scheme has a strict secure communication mechanism. Its security depends entirely on the security of the asymmetric algorithm, so the scheme has good expansibility.
2. Safety Problems in Data Acquisition of Electric Meter
Data is often transmitted in plaintext. Illegal persons attack the communication network by means of man-in-the-middle attacks and obtain control rights. They can then intercept measurement data, resulting in disordered measurement data and key parameter errors, and leading to major safety accidents. Once there is a man-in-the-middle attack on the network, the data of both sides of the communication is transmitted through the attacker's machine, and the attacker can easily steal and intercept the data of the meter.
Most smart meters in China communicate via the DL/T645-2007 protocol. Since information based on the DL/T645-2007 protocol is transmitted in plaintext, an attacker can easily sniff and analyze the data with sniffer software. To test this risk, this paper carried out a security problem detection experiment.
Safety Problem Detection
The key point of security problem detection experiment is to realize ARP deception by means of man-in-the-middle attack, deceive the local machine and intercept normal meter communication data, so that the data acquisition terminal can’t normally collect the voltage, current, forward active power and other data of smart meters. The topological structure of the experiment is shown in Figure 1.
An ARP spoofing attack on the target is carried out using the ettercap tool on a Kali Linux system. By attacking the gateway, the attacker replaces the gateway and establishes independent connections with both sides of the communication. In this way, the conversation between the two sides of the communication is monitored. The configuration of the network environment in this experiment is shown in Table 1.
Figure 1. Topology of the experiment.
Table 1. Configuration of the network environment.
Before the attack, the ARP list of the target host is queried with the “arp -a” command, as shown in Figure 2. The man-in-the-middle attack code is written in Python to attack the target host. A screenshot of the main attack code is shown in Figure 3.
Looking at the ARP table of the target host again, it is clear that the MAC address of the gateway in the ARP cache list has changed from 00-50-56-f1-7b-1d before the attack to 00-0c-29-12-08-cf, the address of the attacker. The results are shown in Figure 4. The experimental results show that the attacker successfully deceived the target host and the smart meter, and forged the gateway between the target host and the meter. Under these circumstances, all information flowing between the target host and the gateway can be eavesdropped by the attacker, and the communication of the smart meter takes place in an unsafe environment.
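The change in the ARP cache described above is also what a defender can monitor for. The following is an added example, not code from the paper: it compares two snapshots of Windows "arp -a" output and reports a changed MAC for a known IP and a MAC shared by several IPs. The two MAC addresses are the ones reported above; the IP addresses and the snapshot text are constructed for illustration.

```python
import re
from collections import defaultdict

# One row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.I | re.M)

# Constructed snapshots; 192.0.2.1 stands in for the gateway, .50 for the attacker.
BEFORE = """Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-56-f1-7b-1d     dynamic
  192.0.2.50            00-0c-29-12-08-cf     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""
AFTER = BEFORE.replace("00-50-56-f1-7b-1d", "00-0c-29-12-08-cf")

def parse_arp(text):
    """Return {ip: mac} for the dynamic entries of an `arp -a` snapshot."""
    return {ip: mac.lower() for ip, mac, kind in ROW.findall(text)
            if kind.lower() == "dynamic"}

def detect_spoofing(before, after):
    """List findings that indicate ARP cache poisoning between two snapshots."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:          # known host answers with a new MAC
            findings.append(("mac_changed", ip, old[ip], mac))
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:                          # one NIC claims several IPs
            findings.append(("mac_shared", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in detect_spoofing(BEFORE, AFTER):
        print(finding)
```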
3. Anti-Middleman Attack Method
The basic data acquisition system of a smart meter system consists of the smart meter (SM), the data collector and the back-end server (MDMS). Its structure is shown in Figure 5.
The whole communication line from the smart meter to the back-end server MDMS is in an unsafe environment. This paper proposes a method to prevent man-in-the-middle attack, which can be divided into two parts. First, RSA two-way authentication is carried out between the meter data center and the data acquisition end, which effectively avoids brute force attack. Second, after successful authentication, RSA encryption is applied to the data transmitted by the meter, so that data on the whole transmission line travels as ciphertext, thus ensuring the security of the whole communication process.
3.1. Two-Way Authentication Scheme
The two-way authentication scheme designed in this paper is combined with the main interface designed with Qt Designer. The main authentication process is as follows. The collection center uses the authorization number (unique ID) of the collector to send an authentication request to the data center. The meter data center receives the request, randomly generates a challenge number, encrypts it with the local public key to produce a challenge code, and sends the code to the collection center. The collection center decodes it back into the challenge number and returns it to the meter data center, which compares the returned number with the challenge number it generated. If they are the same, the authentication of the collector is successful; otherwise, service is denied. After the data center successfully authenticates the collector, the authentication result is sent to the collection center. The collection center then generates a random challenge number, encrypts it and sends it to the meter data center, and the decryption, return and comparison of the challenge are carried out in the same way. After both authentications succeed, the meter data center transmits an acquisition instruction to the meter, requiring the smart meter to transmit data. This method can effectively prevent eavesdropping and resist man-in-the-middle attacks. The two-way authentication diagram is shown in Figure 6.
Figure 2. Target host ARP cache table before spoofing.
Figure 3. Main code of python attack.
Figure 4. Target host ARP cache table after spoofing.
Figure 5. Structure of the meter system.
Figure 6. Two-way authentication diagram.
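The challenge-response exchange of Section 3.1, written out as an added example that is not the paper's implementation. It assumes each verifier encrypts the challenge under the public key of the party being verified, and it uses textbook RSA with toy keys built from known Mersenne primes so that it runs with the standard library only; the paper uses 1024-bit RSA, and all names here (Party, authenticate, COLLECTOR, CENTER, IMPOSTOR) are hypothetical.

```python
import secrets

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy size, no padding; a real
    deployment would use a vetted library with OAEP padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

class Party:
    def __init__(self, key):
        self._d, self.public = key["d"], (key["n"], key["e"])

    def respond(self, challenge_code):
        # Decrypt the challenge code with the private key, return the number.
        return pow(challenge_code, self._d, self.public[0])

def authenticate(claimed_public, respond):
    """One direction: fresh random challenge, encrypt, compare the reply."""
    n, e = claimed_public
    number = secrets.randbelow(2**64 - 2) + 2     # new for every session
    code = pow(number, e, n)                      # the challenge code
    return respond(code) == number

def mutual_authenticate(collector, center):
    # The data center verifies the collector first, then the roles swap.
    return (authenticate(collector.public, collector.respond)
            and authenticate(center.public, center.respond))

# Constructed toy keys (Mersenne primes), one per party.
COLLECTOR = Party(make_key(2**61 - 1, 2**89 - 1))
CENTER = Party(make_key(2**107 - 1, 2**127 - 1))
IMPOSTOR = Party(make_key(2**89 - 1, 2**107 - 1))   # lacks the collector's key

def replay_attempt():
    """Record the reply of one session and send it again in the next."""
    recorded = {}
    def record(code):
        recorded["reply"] = COLLECTOR.respond(code)
        return recorded["reply"]
    first = authenticate(COLLECTOR.public, record)
    replayed = authenticate(COLLECTOR.public, lambda code: recorded["reply"])
    return first, replayed

if __name__ == "__main__":
    print("mutual:", mutual_authenticate(COLLECTOR, CENTER))
    print("impostor:", authenticate(COLLECTOR.public, IMPOSTOR.respond))
    print("replay:", replay_attempt())
```

The replayed reply fails because the second session draws a new challenge number, which is the property the scheme relies on against replay.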
3.2. Data Protection of Meter Feedback
After successful authorization between the data center and the collector, the smart meter begins to transmit data to the collector. To ensure the security of the data transmission line, the data collected and transmitted by the smart meter must be RSA encrypted, which prevents the communication data from being intercepted. The overall framework of the scheme is shown in Figure 7.
The scheme of data acquisition and protection for smart meters after successful identity authentication consists of three modules. The configuration of each parameter is shown in Table 2.
1) The first module is designed for the data acquisition node of the smart meter. Its main function is to detect whether the collected smart message data P is complete or not. If the data is complete, EK (the encryption key) is used to encrypt it. If the data is incomplete, the system automatically clears the incomplete data. Its purpose is to ensure that the data is complete.
2) The second module, called the encryption module, further processes the meter data on the basis of the first module. The module uses the 1024-bit RSA algorithm to encrypt the smart meter data. The core idea of data acquisition with the RSA encryption module is as follows:
a) The key pair is created by the meter data collector. The complete key pair includes two parts, public key and private key.
b) In the process of smart meter data acquisition, the sender encrypts the plaintext data after receiving the public key, and forms the ciphertext C after encrypting.
Figure 7. Structure of the anti-listening acquisition scheme.
Table 2. Encryption process input/output description.
3) On the basis of the second module, the third module transfers the processed meter data to the server data center. It ensures the confidentiality of the data and effectively deals with the man-in-the-middle attack. Its core ideas are as follows.
The data collector transfers the ciphertext C to the storage center or server data center. The server data center, also known as the receiver, decrypts the received ciphertext meter data with the RSA private key it has saved, converting it into plaintext and realizing the safe transmission of meter data.
The data acquisition and transmission of the smart meter includes 8 parts: clearing use resources, data initialization, establishing a connection with the meter, sending acquisition instructions, data integrity judgment, secondary processing of data, transmitting meter data and decrypting data. The flow chart of the main algorithm is shown in Figure 8. The encryption function RSA_SUAN is called in the secondary processing of meter data.
4. Experimental Results and Security Analysis
To verify the feasibility of this scheme, a real test environment was built based on the topological structure diagram of Figure 5; it is shown in Figure 9. The experimental environment includes a DTZY341 three-phase four-wire smart meter, a DTZL341 three-phase four-wire smart meter and a DDY102-Z single-phase smart meter.
Figure 8. Flow chart of the main algorithm.
Figure 9. Smart meter data acquisition experimental environment.
4.1. Identity Authentication Core Part Testing
The results of bidirectional authentication using symmetric encryption are shown in Figure 10.
4.2. Data Acquisition Part Testing
Smart meter data is transmitted in ciphertext form, which effectively resists the eavesdropping problem in man-in-the-middle attacks. Even if the data is intercepted during transmission, what the intermediary acquires is data that has been processed by the RSA algorithm. The attacker cannot process and apply this data, which ensures the security of the meter communication data on the transmission line and achieves the purpose of anti-eavesdropping. Figure 11 shows the ciphertext data collected with the RSA algorithm. When this data is needed, the client calls the reserved RSA private key to decrypt it and obtain the data information.
The data collected by smart meters include voltage, current, active power, reactive power, reverse active power, reverse reactive power and other parameters. Taking the combined active power data of 41106000037 and 411060000038 as examples, the data before and after encryption by RSA algorithm are compared in Table 3.
Figure 10. Identity authentication.
Figure 11. Smart meter communication data encrypted by RSA.
Table 3. Comparison of data before and after algorithm encryption.
4.3. Safety Analysis
An anti-eavesdropping data acquisition and transmission system is designed for the smart meter. It realizes two-way authentication for both sides of the communication and safe acquisition of meter data for transmission, thereby addressing the problem of eavesdropping in man-in-the-middle attacks. The security is analyzed in three aspects.
1) Two-way authentication between the collection center and the meter data center. The two-way authentication is completed before the smart meter data transmission. An attacker who maliciously pretends to be the collection center or the meter data center will not pass, which greatly improves the security of the system.
2) RSA encryption is used for the transmitted data. An attacker who wants to use a man-in-the-middle attack to achieve their purpose must know the key. The RSA algorithm is a public key system, so the possibility of brute-force cracking by attackers is minimal. As the comparison of the data before and after applying the scheme in Table 4 shows, the attacker cannot parse the data according to the DL/T645 protocol, which prevents the leakage of information. The confidentiality of data collection and transmission is therefore guaranteed, and the solution copes well with the eavesdropping problem in the man-in-the-middle attack.
3) Resistance to replay attack. During identity authentication, the challenge number is a random number generated by the meter data center and the data collection center. The purpose is to ensure that the authentication information is unique and non-repeatable. Even if the attacker acquires the authentication key at a certain time, it cannot be reused, which effectively defends the authentication process.
Table 4. Data comparison before and after eavesdropping.
Table 5. Security comparison.
Table 5 compares the smart meter security method presented in this paper with other methods. The data acquisition method proposed in this paper can effectively deal with man-in-the-middle attack, replay attack and eavesdropping, and has better security. In the table, “yes” means that a method can resist such attacks, and “no” means that it cannot.
In this paper, a man-in-the-middle attack with ARP deception is used to deceive the local machine and intercept normal meter communication data. This verifies, from the point of view of safe smart meter communication, that there are communication security problems when the smart meter communicates with the data acquisition center. To address the risk of eavesdropping and replay through man-in-the-middle attack in the original smart meter data acquisition, RSA bidirectional identity authentication and data encryption are used to realize the wireless collection and transmission of meter data. The scheme ensures the security and integrity of the collected data, avoids man-in-the-middle attack and replay attack, achieves the purpose of anti-eavesdropping and ensures the security of communication lines.
This paper was supported by the National Natural Science Foundation of China under Grant 61772327, Shanghai Municipal Natural Science Foundation under Grant 16ZR1436300, Shanghai University of Electric Power, Department of Smart Grid Center under Grant A-0009-17-002-05, and Shanghai Science and Technology Committee under Grant 15110500700.
 Guo, Q.L., Xin, Y.J., Wang, J.H. and Sun, H.B. (2016) Viewing the Comprehensive Safety Assessment of Information Energy System from the Blackout Event in Ukraine. Automation of Electric Power System, 40, 145-147.
 Wei, F. (2016) Thoughts on Grid Information Security Prevention Caused by Power Outages in Ukraine. Proceedings of the International Symposium on Smart City and Informatization Construction II, Beijing, 1.
 Sha, K., Xu, C. and Wang, Z. (2014) One-Time Symmetric Key Based Cloud Supported Secure Smart Meter Reading. International Conference on Computer Communication & Networks, Shanghai, 4-7 August 2014.