Working with Enhanced Security Capable Endpoints

Enhanced security capable endpoints can be configured to operate with or without enhanced security enabled. When operating with enhanced security disabled, they function in much the same way as endpoints that do not support enhanced security in that they do not require the use of secure commands or keys. When operating with enhanced security enabled, they require FDM to use secure commands and/or keys for some or all Endpoint Tools functions.

A subset of Itron's ChoiceConnect 100 series endpoints, such as the 100G DLS gas ERT module and the 100W+ series water ERT module, are enhanced security capable endpoints. Additionally, some of Itron's multi-mode capable devices, such as the CENTRON R450 Advanced/Bridge meter, OpenWay Riva 500W water module, Intelis Gas Meters, and the Itron Cellular 500G and 500W Modules function as enhanced security capable endpoints while they are operating in Mobile mode. For the complete list of Itron endpoints that leverage enhanced security capabilities, see Supported Endpoint Types, Subtypes, and Action Commands.

For security purposes, Endpoint Tools functions fall into three categories:

  • Those that are involved in connecting and disconnecting service at a customer's premises. They include Valve Commands and Service Switch commands. These functions require the use of a secure command.
  • Those that modify an endpoint's settings. They include Program Endpoint, Program With GDT, Change Mode, Reset Endpoint, Enable Rightsizing, and GeoMode Commands. Before FDM can perform these functions, it must first execute an open session command. This temporarily unlocks the endpoint for an hour or until the FSR performs a Close Session command (see Open Session). During an open session, you can perform any number of commands that modify endpoint settings.

    Note:  Unlike the Close Session command, the Open Session command is performed automatically as needed by FDM, invisible to and without direct action by the FSR.

  • Those that read or retrieve an endpoint's data. They include Read Endpoint, Check Endpoint, View Rightsizing Data, Read Tampers, Network Coverage, View Event Log, Extract Interval Data, View Secure Cmd Log, and Get Switchover Status. The endpoint may or may not require FDM to use a reading key in order to perform these functions, depending on the endpoint's security level.

Enhanced security capable endpoints can operate at any of three security levels:

  • Ready to secure (enhanced security not enabled). At this level the endpoint does not require the use of secure commands. It responds to all commands on the endpoint's action command menu except those that connect and disconnect service at a customer's premises. All Service Switch Commands except Get Service Status on the 100W+ Endpoint Tools and CENTRON R450 Advanced/Bridge command menus are inactive at this security level on an unsecured ERT module or meter (see Service Switch Commands).
  • Command security. At this level the endpoint only responds to secure commands. This includes commands for connecting and disconnecting service to a customer's premises and open session commands. 
  • Full security. At this level the endpoint requires the use of secure commands and/or keys for all actions on the Endpoint Tools action command menu. It requires commands for connecting and disconnecting service to a customer's premises and open session commands, and it requires the use of reading keys for reading or retrieving endpoint data.

Secure commands are issued by the Itron Security Manager (ISM). Before you can perform any Endpoint Tools functions on a secured endpoint, you must first retrieve the necessary secure commands, along with any key exchange commands sent from the ISM by your FDM system's security officer.

Before heading into the field, use FDM's Get Commands function to retrieve secure commands for any enhanced security capable endpoints you plan to work with. You can also use the Get Commands function to retrieve secure commands while you are in the field, provided your mobile device can establish a wireless connection to the FDM server. See Retrieving Secure Commands from the FDM Server.
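
The following is an added example, not Itron or FDM code: a small Python model of the three function categories and three security levels described above, used as a pre-field check of which planned functions need a secure command or reading key and which are inactive. The function names `prerequisites` and `pre_field_check`, the prerequisite labels, and the endpoint IDs are assumptions made for illustration; the Get Service Status exception is not modelled.

```python
from enum import Enum

class Level(Enum):
    READY_TO_SECURE = 1   # enhanced security not enabled
    COMMAND = 2           # command security
    FULL = 3              # full security

# Function categories as listed on the page.
SERVICE = {"Valve Commands", "Service Switch Commands"}
SETTINGS = {"Program Endpoint", "Program With GDT", "Change Mode",
            "Reset Endpoint", "Enable Rightsizing", "GeoMode Commands"}
READ = {"Read Endpoint", "Check Endpoint", "View Rightsizing Data",
        "Read Tampers", "Network Coverage", "View Event Log",
        "Extract Interval Data", "View Secure Cmd Log", "Get Switchover Status"}

def prerequisites(level, function):
    """Return the set of secured items needed for `function` at `level`,
    or None if the endpoint does not respond to it at that level."""
    secured = level is not Level.READY_TO_SECURE
    if function in SERVICE:
        # Connect/disconnect functions are inactive on an unsecured endpoint.
        return {"secure command"} if secured else None
    if function in SETTINGS:
        # On a secured endpoint the open session command is itself secure.
        return {"secure open session command"} if secured else set()
    if function in READ:
        # Reading keys are required only at full security.
        return {"reading key"} if level is Level.FULL else set()
    raise ValueError(f"unknown function: {function}")

def pre_field_check(work_orders):
    """work_orders: iterable of (endpoint_id, Level, [functions]).
    Returns (needs, inactive): endpoint_id -> sorted prerequisites, and a
    list of (endpoint_id, function) pairs that cannot run at that level."""
    needs, inactive = {}, []
    for endpoint_id, level, functions in work_orders:
        required = set()
        for fn in functions:
            req = prerequisites(level, fn)
            if req is None:
                inactive.append((endpoint_id, fn))
            else:
                required |= req
        if required:
            needs[endpoint_id] = sorted(required)
    return needs, inactive

# Constructed sample work list; the endpoint IDs are made up.
SAMPLE = [
    ("ERT-0001", Level.READY_TO_SECURE, ["Read Endpoint", "Valve Commands"]),
    ("ERT-0002", Level.COMMAND, ["Program Endpoint", "Read Tampers"]),
    ("ERT-0003", Level.FULL, ["Reset Endpoint", "Extract Interval Data",
                              "Service Switch Commands"]),
]
```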