User's Manual

Architectural Constraints
It shall be possible to distribute user interface, database and server functions over multiple machines. It shall be
possible for users to run the interactive utility programs remotely from desktop computers. It shall be possible to
site the WAN interface hardware on a machine that is physically separate from the machine(s) that host the databases
and that are generally used for network maintenance and other functions.
Server data maintenance
To the extent that is consistent with maintaining the integrity of the various databases, user visible data shall not be
lost if a server or server machine suffers an ungraceful shutdown.
External Data Distribution
In addition to interacting with an Innovatec communications network, it shall be possible for the ENICS system to
distribute data to and/or receive data from another ENICS system. This allows a utility that does not own the meters
for a particular customer to gather data about a meter from the utility that does own it. The interactions supported
in this mode are limited to scheduled reads, on demand reads, informational alarms, informational alarm configuration
and basic meter status information. Informational alarms include low flow threshold, prepay alarms and other alarms
that indicate usage violations but that are not associated with a possible physical failure. Alarms that do indicate
a physical failure (such as runaway alarms) shall not be configurable by an external utility and shall not be
distributed to an external utility.

It shall be possible to configure access permission for an external utility on a meter by meter basis. It shall be
possible to configure which alarms may be distributed to or configured by an external utility on an alarm by alarm and
meter by meter basis. If an external utility has been granted configuration permission for a particular alarm on a
particular meter, then the utility that grants that permission will no longer be able to configure or receive that
alarm for that meter. Note that the owner utility will still need to keep track of the alarms that have been configured
by an external utility, in case the meters associated with the external utility or the gateways associated with those
meters are physically modified, reconfigured or replaced. Both the hosting and receiving ENICS servers shall keep track
of the number and types of data sent/received to/from the remote distribution server for billing purposes.
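The permission rules above (per-meter, per-alarm grants; physical-failure alarms never shared; the owner losing the alarm once an external utility holds its configuration; the owner still recording externally held configurations; message counts kept for billing) can be encoded as a small policy model. The following is an added example, not code from the ENICS manual or from Innovatec; the class names, the utility names and every alarm identifier other than the three the text mentions are assumptions for illustration.

```python
"""Per-meter, per-alarm permission model for external data distribution.

Added example, not code from the ENICS manual. It encodes the rules the
External Data Distribution section states; all class, utility and alarm
names other than low_flow_threshold, prepay and runaway are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class AlarmKind(Enum):
    INFORMATIONAL = "informational"        # usage violations; shareable
    PHYSICAL_FAILURE = "physical_failure"  # never shared with an external utility


# Constructed alarm catalogue.
ALARM_KINDS = {
    "low_flow_threshold": AlarmKind.INFORMATIONAL,
    "prepay": AlarmKind.INFORMATIONAL,
    "runaway": AlarmKind.PHYSICAL_FAILURE,
}


class DistributionDenied(Exception):
    """Raised when a request violates the distribution rules."""


@dataclass
class Grant:
    distribute: bool = False  # external utility may receive this alarm
    configure: bool = False   # external utility may configure this alarm


@dataclass
class OwnerUtilityServer:
    """ENICS server of the utility that owns the meters."""
    name: str
    grants: dict = field(default_factory=dict)           # (meter, alarm) -> {external: Grant}
    external_config: dict = field(default_factory=dict)  # (meter, alarm) -> (external, settings)
    billing: Counter = field(default_factory=Counter)    # (external, message type) -> count

    def grant(self, meter, alarm, external, *, distribute=False, configure=False):
        """Owner decides, per meter and per alarm, what an external utility may do."""
        if ALARM_KINDS[alarm] is AlarmKind.PHYSICAL_FAILURE:
            raise DistributionDenied(f"{alarm} indicates a physical failure; it cannot be shared")
        # Assumption: a utility allowed to configure an alarm also receives it.
        self.grants.setdefault((meter, alarm), {})[external] = Grant(distribute or configure, configure)

    def external_configure(self, meter, alarm, external, settings):
        """External utility configures an informational alarm it has been granted."""
        g = self.grants.get((meter, alarm), {}).get(external)
        if g is None or not g.configure:
            raise DistributionDenied(f"{external} may not configure {alarm} on {meter}")
        # Remember who configured what, so it can be re-applied if the meter or
        # its gateway is modified, reconfigured or replaced.
        self.external_config[(meter, alarm)] = (external, dict(settings))
        self.billing[(external, "alarm_config_received")] += 1

    def owner_may_handle(self, meter, alarm):
        """Once an external utility holds the configuration, the owner neither
        configures nor receives that alarm for that meter."""
        return (meter, alarm) not in self.external_config

    def route_alarm(self, meter, alarm):
        """Return the utilities that should receive an alarm raised by a meter."""
        recipients = [self.name] if self.owner_may_handle(meter, alarm) else []
        if ALARM_KINDS[alarm] is AlarmKind.INFORMATIONAL:
            for external, g in self.grants.get((meter, alarm), {}).items():
                if g.distribute:
                    recipients.append(external)
                    self.billing[(external, "alarm_sent")] += 1
        return recipients

    def configs_to_restore(self, meter):
        """Externally held configurations to push back after hardware replacement."""
        return [(alarm, ext, cfg) for (m, alarm), (ext, cfg) in self.external_config.items() if m == meter]


def demo():
    """Constructed scenario: one owner, one external utility, one meter."""
    owner = OwnerUtilityServer("OwnerUtility")
    owner.grant("meter-1", "low_flow_threshold", "ExternalUtility", configure=True)
    owner.grant("meter-1", "prepay", "ExternalUtility", distribute=True)
    owner.external_configure("meter-1", "low_flow_threshold", "ExternalUtility", {"threshold_lpm": 2})
    return owner


if __name__ == "__main__":
    o = demo()
    for alarm in ("low_flow_threshold", "prepay", "runaway"):
        print(alarm, "->", o.route_alarm("meter-1", alarm))
    print("restore after replacement:", o.configs_to_restore("meter-1"))
```

In the constructed scenario the low flow alarm goes only to the external utility once it has configured it, the prepay alarm goes to both, and the runaway alarm stays with the owner and cannot be granted at all.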
Security
Security considerations for the ENICS system fall into the following four areas:
Authentication (is the user or utility really who he, she or it says they are)
Authorization (is the user or utility allowed to perform the operation they are requesting)
Confidentiality (prevent an outside observer from viewing data that the utility doesn’t want them to view)
Auditing (leave a trail so that attempts to compromise the system are tracked for later analysis)
The other two areas that are often of concern for browser users in a networked environment, containment and
nonrepudiation, are not of much concern to users who may run ENICS applets or applications, since all such applets,
applications and servers come from a trusted source.

Authentication is a concern in two areas. The first is that only people authorized by the utility run the ENICS
applets/applications, such as the interactive meter reader, the field service application or the network configuration
manager. The second is that data distributed to an outside utility is sent only to systems that have been explicitly
authorized to receive such data.

Authentication in the ENICS system consists of two elements. The first is password authentication. All users shall be
required to enter a password before using any ENICS application/applet with a user interface. Passwords shall be stored
internally in a form that is cryptographically secure. The second is host identification. It shall be possible for
system administrators to allow access to the ENICS system from an application/applet or a third party using the
external data distribution capability only from some designated set of hosts. Thus a user attempting to log in using a
valid password from a host that is not in the designated set of hosts would be denied access to the system (with an
appropriate reason given). There shall be a means to indicate that access from any host is allowed.
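The two authentication elements above, password authentication with passwords kept only in a cryptographically protected form and host identification with a designated host set plus an "any host" option, together with an audit trail of each decision, look like this in code. This is an added example, not code from the ENICS manual: the manual does not name a password hashing scheme, so salted PBKDF2-HMAC-SHA256 is an assumption, as are the function names, the `ANY_HOST` marker, the use of CIDR networks in the host set, and the sample principals and addresses.

```python
"""Password verification plus host-based access control for an ENICS-style login.

Added example, not code from the ENICS manual. PBKDF2-HMAC-SHA256, the ANY_HOST
marker, CIDR host sets and all names and sample values below are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional

ANY_HOST = "*"               # marker: access from any host is allowed
PBKDF2_ITERATIONS = 600_000  # work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; the plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hash of a random value, used so an unknown user name costs the same as a wrong password.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def host_permitted(client_ip: str, allowed_hosts) -> bool:
    """True if the client address is in the designated set (single IPs or CIDR ranges)
    or the set contains the ANY_HOST marker."""
    if ANY_HOST in allowed_hosts:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in allowed_hosts)


@dataclass
class Principal:
    """A user, or a third-party ENICS system using external data distribution."""
    name: str
    password_hash: str
    allowed_hosts: set


@dataclass
class AuthService:
    principals: dict
    audit: list = field(default_factory=list)  # one record per login decision

    def login(self, name: str, password: str, client_ip: str):
        """Return (granted, reason). A valid password is still refused from a host
        outside the designated set, and the reason says so."""
        p = self.principals.get(name)
        password_ok = verify_password(password, p.password_hash if p else _DUMMY_HASH)
        if p is None or not password_ok:
            return self._decide(name, client_ip, False, "invalid user name or password")
        if not host_permitted(client_ip, p.allowed_hosts):
            return self._decide(name, client_ip, False,
                                f"host {client_ip} is not in the permitted set for {name}")
        return self._decide(name, client_ip, True, "ok")

    def _decide(self, name, client_ip, granted, reason):
        # Auditing: record every attempt, successful or not, for later analysis.
        self.audit.append({"user": name, "host": client_ip, "granted": granted, "reason": reason})
        return granted, reason


def build_demo_service() -> AuthService:
    """Constructed sample principals; the credentials and addresses are illustrative only."""
    return AuthService(principals={
        "meter_reader": Principal("meter_reader", hash_password("correct horse"), {"10.0.0.0/24"}),
        "field_service": Principal("field_service", hash_password("battery staple"), {ANY_HOST}),
        "partner_utility": Principal("partner_utility", hash_password("shared-secret"), {"192.0.2.10"}),
    })


if __name__ == "__main__":
    svc = build_demo_service()
    print(svc.login("meter_reader", "correct horse", "10.0.0.7"))
    print(svc.login("meter_reader", "correct horse", "10.0.1.7"))
    print(svc.login("field_service", "battery staple", "203.0.113.9"))
    for record in svc.audit:
        print(record)
```

The password check runs before the host check so that an attacker probing from an unauthorized host learns nothing about which passwords are valid; the stored record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing hashes.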