Security risks and mitigation strategies

Review the following issues and security risks and the mitigation strategies to help minimize these risks:

Issue	Security risk	Mitigation strategies
User accounts Default account settings are often the source of unauthorized access by malicious users.	If you do not change the default password, unauthorized access can occur.	Change the default password of 0 (zero) to help reduce unauthorized access. See Changing the default password.
Unencrypted protocols ION, Modbus, DNP, DLMS, IEC 61850, BACnet/IP, and some IT protocols are unencrypted. The device does not have the capability to transmit data encrypted using these protocols.	If a malicious user gained access to your network, they could intercept communications.	Physically or logically segment the network when transmitting data over an internal network. Encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper, or Secure ION. For more information, see System defense-in-depth assumptions. Turn off unused protocols. For more information, see Disabling and enabling protocols and changing port numbers.
Self-signed certificates Factory shipped meters include a self-signed SSL certificate. An SSL certificate is required to use webpages over HTTPS and Secure ION (ION over TLS).	Self-signed certificates cannot be validated. An attacker with access to the network could pose as the device to obtain credentials sent over the TLS tunnel.	Use a Certificate Authority (CA) signed SSL certificate and external network controls.

Issue

Security risk

Mitigation strategies

User accounts

Default account settings are often the source of unauthorized access by malicious users.

If you do not change the default password, unauthorized access can occur.

Change the default password of 0 (zero) to help reduce unauthorized access. See Changing the default password.

Unencrypted protocols

ION, Modbus, DNP, DLMS, IEC 61850, BACnet/IP, and some IT protocols are unencrypted.

The device does not have the capability to transmit data encrypted using these protocols.

If a malicious user gained access to your network, they could intercept communications.

Physically or logically segment the network when transmitting data over an internal network.

Encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper, or Secure ION.

For more information, see System defense-in-depth assumptions.

Turn off unused protocols. For more information, see Disabling and enabling protocols and changing port numbers.

Self-signed certificates

Factory shipped meters include a self-signed SSL certificate.

An SSL certificate is required to use webpages over HTTPS and Secure ION (ION over TLS).

Self-signed certificates cannot be validated. An attacker with access to the network could pose as the device to obtain credentials sent over the TLS tunnel.

Use a Certificate Authority (CA) signed SSL certificate and external network controls.