Scenario details:
- A large installed base of electric meter boxes is in service. For 15 years the readings of the contractors have been carried out through GSM data calls (CSD) made to the modems, which are connected to the electric meter boxes through the RS232 port. This project aims to evolve this system from GSM communications (CSD) to IP communications. In addition, it is intended to add a remote modem management system (Device Manager) that allows remote monitoring of the modems, as well as remote configuration changes, firmware updates, certificate management, etc.
- The new system must be highly secure. Therefore, both the IP data channel for meter reading (communication between the modem and the Reading Center) and the modem monitoring and control channel (that is, the communication between the modem and the Device Manager) must run over IP with SSL/TLS security and mutual authentication.
- Currently, the electric meter boxes are read by means of a GSM data call (CSD). Therefore, the new modems must also be compatible with this type of CSD call until the infrastructure migrates to IP communications. Taking advantage of the modem replacement, it is intended to add an additional security layer to the current GSM data calls (CSD): modems should only accept CSD calls made from authorized telephone numbers, that is, from the telephone numbers of the meter Reading Center.
Solution:
Config.txt configuration file (master):
Configuration | Observations |
--- | --- |
COMM_baudrate: 9600 | Serial port baud rate |
COMM_bitsperchar: 8 | Number of bits |
COMM_autorts: off | No flow control |
COMM_autocts: off | No flow control |
COMM_stopbits: 1 | 1 stop bit |
COMM_parity: none | No parity |
GPRS_apn: movistar.es | APN GPRS provided by the GSM operator |
GPRS_login: MOVISTAR | GPRS Login |
GPRS_password: MOVISTAR | GPRS Password |
GPRS_timeout: 0 | Modem is always GPRS connected |
GPRS_mode: 2g | GPRS connection server type |
MTX_PIN: 0000 | Pin of the SIM |
MTX_mode: server | GPRS connection server type |
TELNET_port: 20023 | |
MTX_model: 199801422 | Modem model |
MTX_ping: 35 | Ping time to oversee connection |
MTX_pingIP: 8.8.8.8 | Google IP (f.e.) to ping |
MTX_ATLimited: off | No AT commands limitations |
MTX_ATEmbedded: temporalclient | Embedded command only for temporal TCP socket |
MTX_temporalClientTimeout: 120 | Socket closes if no traffic during x seconds |
MTX_IDClient: [IMEI] | Identifying chain |
MTX_clientSSL: on | TCP client socket |
SMS_allPhones: off | Send SMS with commands from any phone |
SMS_sendIP: off | Modem won’t respond to a missed call/SMS |
SMS_ATEnabled: on | Commands can be sent to the MTX by SMS |
SMS_ATResponse: on | MTX responds with an SMS to a command SMS |
SMS_validPhone1: +34666123456 | Authorized phone number 1 |
SMS_validPhone2: +34666123457 | Authorized phone number 2 |
FIREWALL_enabled: on | Authorized IP will be able to connect to modem |
FIREWALL_IP1: 80.1.2.3 | IP address authorized 1 |
FIREWALL_IP2: 80.4.5.6 | IP address authorized 2 |
TCP_port: 20010 | Establish the gateway between ports |
TCP_IP: 80.1.2.3 | Reading platform IP address |
MQTT_enabled: on | MQTT service enabled |
MQTT_server: ssl://broker.cervello.io:8883 | Broker IP/DNS specified, including identifying port |
MQTT_id: yku41420t957oh8t | Identifier |
MQTT_login: jfj1usly8ijhh9hizfr453 | Username |
MQTT_password: gthhdte67y3ttes33fgg | Password |
MQTT_attopic1: [IMEI]/AT | MQTT topic to send AT commands |
MQTT_atrtopic: [IMEI]/ATR | Topic to send replies to commands to |
MQTT_keepalive: 300 | Connection keep alive (300 seconds) |
DNS_enabled: on | Status data sending activated |
DNS_mode: mqtt | MQTT sending mode |
DNS_mqttTopic: [IMEI]/dns | Topic where status data are sent |
DNS_extended: off | Extended data (E/S, ADCs…) are not sent |
DNS_period: 600 | One sending every 600 secs (5 mins.) |
CSD_enabled: on | CSD calls are enabled |
CSD_validPhone1: 666333444 | Authorized phone number 1 |
CSD_validPhone2: 666444555 | Authorized phone number 2 |
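A pre-deployment check of a config.txt against this scenario's security requirements (TLS on both channels, IP firewall, SMS and CSD caller whitelists, 2G forced while CSD is in use), as an added example that is not part of the original application note or the vendor's tooling. The function names and the shortened sample are constructed here; treating a missing `ssl://` prefix or an empty whitelist as a finding is an assumption drawn from the requirements above.

```python
import re
# Constructed sample: security-relevant keys from the config.txt above, with
# GPRS_mode and SMS_allPhones deliberately weakened to trigger findings.
SAMPLE = """\
GPRS_mode: auto
MTX_clientSSL: on
SMS_allPhones: on
SMS_ATEnabled: on
SMS_validPhone1: +34666123456
FIREWALL_enabled: on
FIREWALL_IP1: 80.1.2.3
MQTT_enabled: on
MQTT_server: ssl://broker.cervello.io:8883
CSD_enabled: on
CSD_validPhone1: 666333444
"""

def parse_config(text):
    """Parse 'KEY: value' lines; split on the first ':' so URLs stay whole."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            cfg[key.strip()] = value.strip()
    return cfg

def numbered(cfg, prefix):
    # Non-empty values of PREFIX1, PREFIX2, ... (the whitelist entries).
    return [v for k, v in cfg.items() if re.fullmatch(prefix + r"\d+", k) and v]

def audit(cfg):
    """Return findings where the config departs from the scenario's rules."""
    on = lambda key: cfg.get(key, "").lower() == "on"
    out = []
    if not on("MTX_clientSSL"):
        out.append("MTX_clientSSL: reading socket is not SSL/TLS")
    if on("MQTT_enabled") and not cfg.get("MQTT_server", "").startswith("ssl://"):
        out.append("MQTT_server: Device Manager channel is not ssl://")
    if not on("FIREWALL_enabled") or not numbered(cfg, "FIREWALL_IP"):
        out.append("FIREWALL: TCP_port is not limited to authorized IPs")
    if on("SMS_ATEnabled") and (on("SMS_allPhones") or not numbered(cfg, "SMS_validPhone")):
        out.append("SMS: AT commands are not limited to authorized phones")
    if on("CSD_enabled") and not numbered(cfg, "CSD_validPhone"):
        out.append("CSD: no authorized caller numbers configured")
    if on("CSD_enabled") and cfg.get("GPRS_mode", "").lower() != "2g":
        out.append("GPRS_mode: must be 2g while CSD calls are enabled")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE))))
```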
Details:
- The IP connection between the modem and the Device Manager is permanent and secure (SSL/TLS). It is always established, so at any time it is possible to send an action command (configuration change, reset, etc.) from the Device Manager to the modem
- The connection between the modem and the reading platform is not permanent. The procedure by which the reading platform starts reading a meter securely is as follows:
  1. The reading platform connects to TCP port 20010 of the modem
  2. The reading platform sends the command:
     <MTXTUNNELR>AT^MTXTUNNEL=DEFAULTTEMPORALCLIENT</MTXTUNNELR>
     to the modem through said socket so that it opens a secure communications channel (SSL/TLS) in TCP client mode against the platform
  3. The modem opens an SSL/TLS socket against the “TCP_port” port of the platform IP. Mutual authentication is performed between the reading platform and the modem through digital certificates
  4. Once the secure socket (SSL/TLS) is established, the modem sends the value of its MTX_IDClient configuration parameter through this socket, an alphanumeric string that allows the reading platform to identify the modem that has connected (in case you want to read several meters simultaneously). This socket will remain established until it is closed on the side of the reading platform or “MTX_temporalClientTimeout” seconds pass without traffic on it
  5. The platform can start the meter reading through said socket as a transparent IP-RS232 gateway with SSL/TLS security
  6. Once the meter is read, the reading platform will close the reading socket and the modem will be ready to accept the command through the TCP_port port. To start a new meter reading, the process indicated in 1 is restarted
- You must adjust the values of the COMM_ parameters to match the serial port configuration of the connected device
- For SSL communications, if you need to incorporate the root certificates of your servers, at the end of this document you will find an annex with the procedure
- The modem will only accept connections to the TCP_port port from the IP addresses indicated in the FIREWALL_IP1 and FIREWALL_IP2 parameters
- In this scenario, in addition to IP communications, it is allowed to connect to the meter box via GSM data call (CSD). That is why in this scenario the modem must be forced to use the 2G network (parameter GPRS_mode: 2g). If you do not need GSM data calls, you can change the GPRS_mode configuration parameter to “auto”; the modem will then use the 2G/3G network according to availability
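The reading-platform side of the procedure above (wake command on port 20010, modem calls back over SSL/TLS with a client certificate, then sends MTX_IDClient), as an added sketch in Python that is not code from the application note or the vendor. Assumptions: the certificate file names are placeholders, the listener is already bound to the platform's TCP_port, the command socket may be closed right after the command is sent, and the ID arrives as one short ASCII string with an optional CR/LF.

```python
import socket
import ssl

# Command from the page; the wire form is assumed to carry no spaces.
WAKE_CMD = b"<MTXTUNNELR>AT^MTXTUNNEL=DEFAULTTEMPORALCLIENT</MTXTUNNELR>"
MODEM_CMD_PORT = 20010  # TCP_port in the modem's config.txt

def mutual_tls_context(ca_file, cert_file, key_file):
    """Server-side context: the handshake fails unless the modem presents a
    client certificate that chains to ca_file (file names are placeholders)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def send_wake(modem_ip, timeout=10.0):
    """Steps 1-2: connect to the modem and ask it to call back."""
    with socket.create_connection((modem_ip, MODEM_CMD_PORT), timeout=timeout) as s:
        s.sendall(WAKE_CMD)

def read_modem_id(conn, known_ids, timeout=10.0):
    """Step 4: the first bytes on the socket are MTX_IDClient (framing is
    assumed). A modem whose ID is not expected is disconnected."""
    conn.settimeout(timeout)
    ident = conn.recv(64).decode("ascii", "replace").strip()
    if ident not in known_ids:
        conn.close()
        raise PermissionError("unexpected MTX_IDClient: %r" % ident)
    return ident

def start_reading(modem_ip, listener, ctx, known_ids, timeout=60.0):
    """Run the exchange; returns (modem_id, tls_socket) for the gateway."""
    send_wake(modem_ip)
    listener.settimeout(timeout)
    raw, _peer = listener.accept()        # step 3: the modem connects back
    raw.settimeout(timeout)
    try:
        tls = ctx.wrap_socket(raw, server_side=True)  # mutual-auth handshake
    except (ssl.SSLError, OSError):
        raw.close()
        raise
    return read_modem_id(tls, known_ids), tls
```

The listener has to be bound before `send_wake` runs, otherwise the modem's callback can arrive before the platform is accepting connections.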