User's Manual
Authorization shall be supported by access control lists. It shall be possible to assign permissions on a user-by-user, utility-by-utility (for external data distribution) and application-by-application basis. Thus, a user might be allowed full access to the interactive meter reader, but no access to the network configuration manager. All ENICS applications shall consult the access control list before performing any operation that the list might forbid. Applications/applets should provide a visual indication of forbidden operations (e.g., grayed-out controls) if a set of operations is not allowed for a user.
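The following is an added illustration of the access-control model described above, not code from the ENICS product. It assumes three kinds of subject (user, utility, application), names operations as "application/action" strings, and uses constructed sample grants; a default-deny lookup answers both the "may this operation proceed?" question every application must ask and the "which controls should be grayed out?" question the user interface asks.

```go
package main

import "fmt"

// Subject is who is asking: a utility user, an external utility (data
// distribution partner) or an ENICS application acting on its own behalf.
type Subject struct {
	Kind string // "user", "utility" or "application"
	Name string
}

// Operation names one action inside one ENICS application, written here as
// "application/action" (an assumed convention, not the product's own).
type Operation string

// ACL maps a subject to the operations it may perform. Anything not listed
// is forbidden: the lookup is default deny.
type ACL map[Subject]map[Operation]bool

// Grant records that subject s may perform each of ops.
func (a ACL) Grant(s Subject, ops ...Operation) {
	if a[s] == nil {
		a[s] = make(map[Operation]bool)
	}
	for _, op := range ops {
		a[s][op] = true
	}
}

// Allowed is the check every application makes before acting. A subject
// with no entry at all yields a nil inner map, which reads as false.
func (a ACL) Allowed(s Subject, op Operation) bool {
	return a[s][op]
}

// ControlStates answers the user-interface question: for each control's
// operation, should the control be enabled (true) or grayed out (false)?
func (a ACL) ControlStates(s Subject, ops []Operation) map[Operation]bool {
	states := make(map[Operation]bool, len(ops))
	for _, op := range ops {
		states[op] = a.Allowed(s, op)
	}
	return states
}

// SampleACL builds constructed sample grants: a meter reader with full access
// to the interactive meter reader and none to the network configuration
// manager, a network administrator with the reverse, and an external utility
// that may only pull reads.
func SampleACL() ACL {
	acl := ACL{}
	acl.Grant(Subject{"user", "jdoe"}, "meter-reader/read", "meter-reader/schedule")
	acl.Grant(Subject{"user", "netadmin"}, "network-config/view", "network-config/deregister-meter")
	acl.Grant(Subject{"utility", "coop-east"}, "meter-reader/read")
	return acl
}

func main() {
	acl := SampleACL()
	op := Operation("network-config/deregister-meter")
	for _, s := range []Subject{{"user", "jdoe"}, {"user", "netadmin"}, {"utility", "coop-east"}} {
		fmt.Printf("%s %s may %s: %v\n", s.Kind, s.Name, op, acl.Allowed(s, op))
	}
	fmt.Println(acl.ControlStates(Subject{"utility", "coop-east"},
		[]Operation{"meter-reader/read", "meter-reader/schedule"}))
}
```

Because the same lookup drives both the enforcement check and the control state, a control can never be enabled for an operation the server would refuse; graying out is a courtesy to the user, and the Allowed call inside the application remains the actual control.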
Confidentiality shall be supported through encryption of any communication between ENICS servers (for external data distribution), or between ENICS servers and applications/applets, that involves confidential data. If private key exchange is required (e.g., to use a DES algorithm), then the private keys shall be encrypted when they are exchanged (e.g., with a public key encryption technique).
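As an added example of the key-exchange pattern just described (it is not ENICS code), the program below wraps a fresh session key under the server's public key with RSA-OAEP, lets the server unwrap it with its private key, and then carries a confidential record under that session key. It uses AES-GCM where the text names DES, because DES is no longer considered secure; the wrapping step is the same whichever symmetric cipher is chosen. The key label, the 2048-bit key size and the sample record are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyLabel ties the wrapped key to its purpose; both sides must use it (assumed value).
var keyLabel = []byte("enics-session-key")

// NewServerKey generates the server's RSA key pair; the public half is what a
// client needs in order to wrap a session key for this server.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey draws a fresh 256-bit AES key for one session.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapKey encrypts the session key under the peer's public key (RSA-OAEP with
// SHA-256) so that it can cross an untrusted network.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, keyLabel)
}

// UnwrapKey recovers the session key with the matching private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, keyLabel)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one record; the random nonce is prefixed.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if anything was altered in transit.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// RunExchange plays both ends: the client wraps a session key for the server
// and sends a record under it; the server unwraps the key and decrypts.
// Only wrapped and ct are taken to have crossed the wire.
func RunExchange(serverPriv *rsa.PrivateKey, record string) (string, error) {
	key, err := NewSessionKey()
	if err != nil {
		return "", err
	}
	wrapped, err := WrapKey(&serverPriv.PublicKey, key)
	if err != nil {
		return "", err
	}
	ct, err := Seal(key, []byte(record))
	if err != nil {
		return "", err
	}
	serverKey, err := UnwrapKey(serverPriv, wrapped) // server side from here on
	if err != nil {
		return "", err
	}
	pt, err := Open(serverKey, ct)
	return string(pt), err
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	fmt.Println(RunExchange(priv, "meter 4711 read=12345 kWh")) // constructed record
}
```

A monitoring party that captures wrapped and ct sees only RSA and AES-GCM ciphertext; the authentication tag also means a tampered record is rejected rather than decrypted into garbage. What this exchange does not provide is assurance of who holds the public key, which is why the text pairs encryption with host identification.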
Auditing shall be supported by the logging facility. All attempts to access (i.e., log into) the system by a user or by an external agent shall be logged, whether they are successful or not. As much data as possible should be captured, particularly for unsuccessful logins, including the login name and the machine name from which the login attempt is made.
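An added example of the audit record the paragraph calls for (not the ENICS logging facility itself): each login attempt, successful or not, is written as one JSON line carrying the login name, the machine it came from, whether the caller was a user or an external agent, and the failure reason. The field names and the sample attempts are constructed for this example; a second function reads the log back and counts failures per source host, which is the first question an auditor asks.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// LoginAttempt is one audit record (field names are an assumption of this example).
type LoginAttempt struct {
	Time    time.Time `json:"time"`
	Login   string    `json:"login"`
	Host    string    `json:"host"`             // machine name or address the attempt came from
	Agent   string    `json:"agent"`            // "user" or "external" (data-distribution peer)
	Success bool      `json:"success"`
	Reason  string    `json:"reason,omitempty"` // why it failed, when it failed
}

// LogAttempt appends one JSON line to the audit log. It is called on every
// attempt, before the caller learns whether the login succeeded or not.
func LogAttempt(w io.Writer, a LoginAttempt) error {
	b, err := json.Marshal(a)
	if err != nil {
		return err
	}
	_, err = fmt.Fprintln(w, string(b))
	return err
}

// FailedByHost reads the log text back and counts failed attempts per
// source host, so repeated failures from one machine stand out.
func FailedByHost(logText string) (map[string]int, error) {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		var a LoginAttempt
		if err := json.Unmarshal(sc.Bytes(), &a); err != nil {
			return nil, err
		}
		if !a.Success {
			counts[a.Host]++
		}
	}
	return counts, sc.Err()
}

// SampleLog writes constructed attempts (not real ENICS data) and returns the log text.
func SampleLog() string {
	var sb strings.Builder
	t0 := time.Date(2024, 1, 15, 8, 0, 0, 0, time.UTC)
	attempts := []LoginAttempt{
		{Login: "jdoe", Host: "ws-12.utility.example", Agent: "user", Success: true},
		{Login: "admin", Host: "203.0.113.7", Agent: "user", Success: false, Reason: "bad password"},
		{Login: "admin", Host: "203.0.113.7", Agent: "user", Success: false, Reason: "bad password"},
		{Login: "root", Host: "203.0.113.7", Agent: "user", Success: false, Reason: "no such login"},
		{Login: "coop-east", Host: "feed.coop-east.example", Agent: "external", Success: true},
	}
	for i, a := range attempts {
		a.Time = t0.Add(time.Duration(i) * time.Minute)
		LogAttempt(&sb, a)
	}
	return sb.String()
}

func main() {
	log := SampleLog()
	os.Stdout.WriteString(log)
	counts, err := FailedByHost(log)
	fmt.Println(counts, err)
}
```

Logging the attempted login name even when it does not exist ("root" above) is deliberate: a run of non-existent names from one host is what a scripted guessing attempt looks like in the audit trail. The password itself is never written to the log.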
Firewalls
It is anticipated that an ENICS system will typically operate behind a firewall. The firewall is set up to deny access to unauthorized users contacting the system from outside the local network (e.g., through the Internet). ENICS applications, applets and servers are neither required nor encouraged to defeat firewall security using HTTP tunneling or other techniques. This implies that ENICS system administrators will need to explicitly allow firewall access to outside users on specified ports. It shall be possible for an ENICS system administrator to configure the port number(s) used to contact ENICS servers. This does not imply that such configuration must necessarily be done on a server-by-server basis.
Attack Methods
The following potential attacks should be considered in the design of the ENICS software:
Monitoring. A cracker could monitor the data stream in an attempt to find authorized user names and passwords. A utility competitor could attempt to monitor the stream of meter reads to determine which customers could be “cherry picked”. Monitoring can be defeated through encryption of the data stream, including any interactions in which passwords are passed.
Password guessing by dictionary or exhaustive scan (particularly if driven by a computer program). Password choice rules plus the use of a reasonably large salt (to complicate reverse dictionary construction by an insider) should make this very difficult. Note that some part of the enforcement of good password choices (e.g., don’t use your wife’s maiden name) must be addressed by internal utility processes.
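An added example of the two defences named above, written for this page rather than taken from ENICS: a server-side policy check covering the rules a program can enforce on its own (length, a mix of letters and digits, no word from a forbidden list supplied by the utility), and storage of the password as a per-user random salt plus a slow salted hash. The hash is PBKDF2-HMAC-SHA256 (RFC 8018) written out in full, since the Go standard library only gained its own pbkdf2 package recently; the iteration count, salt length and sample passwords are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	saltLen    = 16     // 128-bit random salt per password (assumed)
	iterations = 100000 // cost factor: every guess pays this price (assumed)
	keyLen     = 32
)

// PasswordRecord is what the server stores; the password itself never is.
type PasswordRecord struct {
	Salt []byte
	Hash []byte
}

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018 5.2):
// T_i = U_1 xor ... xor U_c with U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// CheckPolicy enforces the rules the server can check by itself. Rules that
// need knowledge about the person (a spouse's maiden name) are passed in by
// the utility as the forbidden list, or stay with its internal processes.
func CheckPolicy(pw string, forbidden []string) error {
	if len(pw) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	var letter, digit bool
	for _, r := range pw {
		switch {
		case r >= '0' && r <= '9':
			digit = true
		case (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z'):
			letter = true
		}
	}
	if !letter || !digit {
		return errors.New("password must mix letters and digits")
	}
	low := strings.ToLower(pw)
	for _, w := range forbidden {
		if strings.Contains(low, strings.ToLower(w)) {
			return fmt.Errorf("password must not contain %q", w)
		}
	}
	return nil
}

// NewRecord salts and hashes a freshly chosen password. Two users with the
// same password get different records, which defeats a precomputed
// (reverse) dictionary built by an insider who can read the password table.
func NewRecord(pw string) (PasswordRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{Salt: salt, Hash: pbkdf2SHA256([]byte(pw), salt, iterations, keyLen)}, nil
}

// Verify recomputes the hash with the stored salt and compares in constant time.
func Verify(rec PasswordRecord, pw string) bool {
	h := pbkdf2SHA256([]byte(pw), rec.Salt, iterations, keyLen)
	return subtle.ConstantTimeCompare(h, rec.Hash) == 1
}

func main() {
	fmt.Println(CheckPolicy("Smith1234", []string{"smith"})) // constructed forbidden word
	rec, _ := NewRecord("correct-horse-2024")
	fmt.Println(Verify(rec, "correct-horse-2024"), Verify(rec, "wrong"))
}
```

The salt does not slow a guess at one particular account; the iteration count does that. What the salt buys is that an insider with a copy of the table cannot amortize one dictionary over every account, which is exactly the "reverse dictionary construction" the text worries about.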
A legitimate user attempts operations that he or she is not authorized to perform. This is addressed by access control permissions.
A legitimate user attempts operations from a suspicious location (e.g., a disgruntled former employee who was a network administrator tries to shut down the Innovatec communications network by deregistering all the meters from the gateways and erasing them from the utility database from his home computer). This is addressed using host identification in addition to passwords. Note that internal utility processes are responsible for making sure that only correct hosts are identified as legitimate sources to the ENICS system.
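The following is an added example of host identification used alongside a password, written for this page and not part of ENICS. The server keeps, for each login, the addresses or networks it may be used from, and it decides on the address it observed on the connection rather than on anything the client claims; the password verifier is passed in as a function so this block does not repeat the hashing example above. The subnets, logins and stand-in verifier are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// HostPolicy is server-side state: for each login, the networks from which
// that login may be used. Like the password check, it lives on the server,
// so a substituted client cannot skip it.
type HostPolicy map[string][]*net.IPNet

// Permit allows login from the given CIDR (a single host is a /32).
func (p HostPolicy) Permit(login, cidr string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	p[login] = append(p[login], n)
	return nil
}

// HostAllowed decides on the address the server actually observed. A host
// name or address claimed inside the client's request is deliberately not a
// parameter: the client cannot be trusted to report it.
func (p HostPolicy) HostAllowed(login string, observed net.IP) bool {
	for _, n := range p[login] {
		if n.Contains(observed) {
			return true
		}
	}
	return false
}

// Authenticate applies both factors the text calls for. The host check runs
// first, so a caller from an unpermitted machine learns nothing about
// whether the password was right.
func Authenticate(p HostPolicy, passwordOK func(login, pw string) bool,
	login, pw string, remote net.Addr) (ok bool, reason string) {
	tcp, isTCP := remote.(*net.TCPAddr)
	if !isTCP {
		return false, "unsupported transport"
	}
	if !p.HostAllowed(login, tcp.IP) {
		return false, "login not permitted from " + tcp.IP.String()
	}
	if !passwordOK(login, pw) {
		return false, "bad password"
	}
	return true, ""
}

// RemoteTCP builds the observed peer address as a connection would report it.
func RemoteTCP(ip string, port int) net.Addr {
	return &net.TCPAddr{IP: net.ParseIP(ip), Port: port}
}

// SamplePolicy is constructed data, not a real ENICS configuration.
func SamplePolicy() HostPolicy {
	p := HostPolicy{}
	p.Permit("netadmin", "10.20.0.0/24") // the network operations subnet only
	p.Permit("jdoe", "10.20.1.15/32")    // jdoe's workstation
	return p
}

func main() {
	p := SamplePolicy()
	verify := func(login, pw string) bool { return pw == "demo" } // stand-in for the real verifier
	fmt.Println(Authenticate(p, verify, "netadmin", "demo", RemoteTCP("10.20.0.5", 40000)))
	fmt.Println(Authenticate(p, verify, "netadmin", "demo", RemoteTCP("198.51.100.9", 51000)))
}
```

Keeping the permitted-host table on the server is what makes the former-employee scenario fail: the correct password from the wrong machine is refused, and the refusal is an audit event worth logging with the observed address. The table is only as good as the utility's process for maintaining it, as the text notes.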
A computer cracker attempts to gain access to the ENICS system by running an applet or application that claims to be a standard ENICS applet. This is handled by keeping password and host identification contained on the server (any authentication contained in a client would have been bypassed because a real ENICS client isn’t being used).
A computer cracker attempts to gain access to the ENICS system by running an applet or application that claims to be an ENICS configuration server portal. This is handled by host identification. The cracker may attempt to defeat host identification by assigning his machine the same host address as a legitimate ENICS server. This can be defeated by configuring a firewall to refuse incoming packets from a host that has the same address as an internal ENICS server.
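An added illustration of the firewall rule just described, together with the port policy from the Firewalls section (not a real firewall configuration or ENICS code): packets arriving on the Internet-facing interface are dropped if their source address lies in the internal server range, since no genuine internal server would reach the firewall from outside, and otherwise pass only to ports an administrator has explicitly opened. The interface names, the internal subnet and the server port 7401 are placeholders assumed here; the text only says the port is configurable.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the part of a packet header the filter decides on. The records
// fed to it below are constructed, not captured traffic.
type Packet struct {
	Iface   string // "ext" = Internet-facing interface, "int" = local network (assumed names)
	Src     net.IP
	Dst     net.IP
	DstPort int
}

// Filter holds the two rules: internal ENICS server ranges that must never
// appear as a source on the outside interface, and the ports on which an
// administrator has explicitly allowed outside access.
type Filter struct {
	Internal  []*net.IPNet
	OpenPorts map[int]bool
}

func (f *Filter) isInternal(ip net.IP) bool {
	for _, n := range f.Internal {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Verdict returns "accept" or "drop" and the reason, which is what the
// firewall log should record.
func (f *Filter) Verdict(p Packet) (verdict, reason string) {
	if p.Iface != "ext" {
		return "accept", "internal traffic"
	}
	// Anti-spoofing: a packet from outside carrying an internal server's
	// address is the impersonation the text describes.
	if f.isInternal(p.Src) {
		return "drop", "spoofed internal source " + p.Src.String()
	}
	// Default deny: outside users reach only explicitly opened ports.
	if !f.OpenPorts[p.DstPort] {
		return "drop", fmt.Sprintf("port %d not opened for outside access", p.DstPort)
	}
	return "accept", "permitted external access"
}

// SampleFilter uses one internal subnet and one opened port; both are
// placeholders for this example.
func SampleFilter() *Filter {
	_, internal, _ := net.ParseCIDR("10.20.0.0/16")
	return &Filter{Internal: []*net.IPNet{internal}, OpenPorts: map[int]bool{7401: true}}
}

// Decide is a convenience for callers holding string addresses.
func Decide(f *Filter, iface, src, dst string, port int) (string, string) {
	return f.Verdict(Packet{Iface: iface, Src: net.ParseIP(src), Dst: net.ParseIP(dst), DstPort: port})
}

func main() {
	f := SampleFilter()
	fmt.Println(Decide(f, "ext", "10.20.0.10", "10.20.0.10", 7401)) // outside packet with an inside source
	fmt.Println(Decide(f, "ext", "203.0.113.7", "10.20.0.10", 7401)) // outside user on the opened port
	fmt.Println(Decide(f, "ext", "203.0.113.7", "10.20.0.10", 22))   // outside user on a closed port
}
```

The rule is keyed on the ingress interface, not on the address alone: the same source address is perfectly legitimate when it arrives on the inside interface. Host identification on the ENICS servers (the previous example) and this filter together cover the case where address-based identification by itself would be fooled.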
A computer cracker attempts to gain access to meter data and some alarm configuration capability by running an applet or application that claims to be an ENICS server that is set up for external data distribution. This is handled using host identification. The cracker may attempt to defeat host identification by assigning his machine the same host