Security risks and mitigation strategies

Review the following issues and security risks and the mitigation strategies to help minimize the risks:

Issue	Security risk	Mitigation strategies
User accounts Default account settings are often the source of unauthorized access by malicious users.	If you do not change the default password, unauthorized access can occur.	Change the default password of 0 (zero) to help reduce unauthorized access. See Changing the default password.
Secure protocols ION, Modbus, DNP, DLMS, IEC 61850 and some IT protocols are unsecure. The device does not have the capability to transmit data encrypted using these protocols.	If a malicious user gained access to your network, they could intercept communications.	For transmitting data over an internal network, physically or logically segment the network. For transmitting data over an external network, encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper, or Secure ION. See System defense-in-depth assumptions. Disable unused protocols
Self-signed certificates Factory shipped meters include a self-signed SSL certificate. An SSL certificate is required to use webpages over HTTPS and Secure ION (ION over TLS).	Self-signed certificates can't be validated. An attacker with access to the network could pose as the device to obtain credentials sent over the TLS tunnel.	Use a Certificate Authority (CA) signed SSL certificate and external network controls.

Issue

Security risk

Mitigation strategies

User accounts

Default account settings are often the source of unauthorized access by malicious users.

If you do not change the default password, unauthorized access can occur.

Change the default password of 0 (zero) to help reduce unauthorized access. See Changing the default password.

Secure protocols

ION, Modbus, DNP, DLMS, IEC 61850 and some IT protocols are unsecure.

The device does not have the capability to transmit data encrypted using these protocols.

If a malicious user gained access to your network, they could intercept communications.

For transmitting data over an internal network, physically or logically segment the network.

For transmitting data over an external network, encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper, or Secure ION.

See System defense-in-depth assumptions.

Disable unused protocols

Self-signed certificates

Factory shipped meters include a self-signed SSL certificate.

An SSL certificate is required to use webpages over HTTPS and Secure ION (ION over TLS).

Self-signed certificates can't be validated. An attacker with access to the network could pose as the device to obtain credentials sent over the TLS tunnel.

Use a Certificate Authority (CA) signed SSL certificate and external network controls.