Collection of SANS standards in electronic format (PDF)

1. Copyright

This standard is available to staff members of companies that have subscribed to the
complete collection of SANS standards in accordance with a formal copyright
agreement. This document may reside on a CENTRAL FILE SERVER or INTRANET
SYSTEM only. Unless specific permission has been granted, this document MAY NOT
be sent or given to staff members from other companies or organizations. Doing so
would constitute a VIOLATION of SABS copyright rules.

2. Indemnity

The South African Bureau of Standards accepts no liability for any damage whatsoever
than may result from the use of this material or the information contain therein,
irrespective of the cause and quantum thereof.

I agree with the above

 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

ICS 29.120.01; 91.140.50

NRS 009-8:2005
ISBN 0-626-17711-1 Edition 1

ELECTRICITY SALES SYSTEMS

Part 8: The management of secure modules

N R S
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005

This rationalized user specification is issued by

the Technology Standardization Department (TSD), Eskom,
on behalf of the
User Group given in the foreword
and is not a standard as contemplated in the Standards Act, 1993 (Act No. 29 of 1993).

Table of changes
Change No. Date Text affected

Correspondence to be directed to Printed copies obtainable from

The NRS Projects Manager Standards South Africa

The Technology Standardization Department (TSD) Private Bag X191
Eskom Pretoria 0001
PO Box 1091
Johannesburg 2000 Telephone: (012) 428-7911
Fax : (012) 344-1568
E-mail : [email protected]
Website: http://www.nrs.eskom.co.za Website : http://www.stansa.co.za

COPYRIGHT RESERVED

Printed in the Republic of South Africa

by Standards South Africa
1 Dr Lategan Road, Groenkloof, Pretoria
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005

Foreword
This part of NRS 009 was prepared on behalf of the Electricity Suppliers Liaison Committee (ESLC)
and approved by it for use by supply authorities.

This part of NRS 009 was approved by a working group which, at the time of publication, comprised
the following members:

S J van den Berg (Chairman) Mangaung Municipality

N Ballantyne City of Cape Town
R Devparsad eThekwini Electricity
P A Johnson (Project Leader) Technology Standardization, Eskom
W L Mathers eKurhuleni Metropolitan Municipality
TL Naidoo City Power Johannesburg
J O'Kennedy Eskom
M Singh eThekwini Electricity
K Subramoney Eskom
D van Rooi Eskom
K Venketiah Eskom
P Watkins eThekwini Electricity

In preparing this part of NRS 009, the working group consulted with a Manufacturers' Interest
Group, which comprised the following members:

W Berkinshaw Kwikpay
G Coetzee Infrotrans
NR Ebdon Metertec
M Evans Syntell
A Geva Intelligent Metering Systems
C Handley Nam/Tech Limited
RB Hill Circuit Breaker Industries Ltd
CS Jones VCA
S Leigh Contour Technology (Pty) Ltd
B Lomas PN Energy Services
FG Pucci Conlog
E Raubenheimer Smarttec Technologies (Pty) Ltd
K Setzin V60 (Pty) Ltd
I Steyn Prism TranSwitch Services
R Stone Application Framework
DM Taylor Actaris Measurement
C van den Berg Sun Microsystems
H van der Bijl ADO
C van der Merwe Eason Electronic
H Waker iPay
R Wilson bWYZ Distribution Ltd
J Wright Energy Measurements Ltd

NRS 009 is based on Eskom specification MC114, Requirements specification for a common
vending system for electricity dispensing systems, and consists of the following parts, under the
general title Electricity sales systems:

Part 1: Not used; superseded by SANS 1524-0 and SANS 1524-1.

Part 2: Functional and performance requirements.

Section 1: System master stations.
Section 2: Credit dispensing units.
Section 3: Security modules.
Section 4: Standard token translators.
Section 5: Error handling.
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005

Foreword (concluded)
Part 3: Database format.

Part 4: National prepayment electricity meter cards.

Part 5: Testing of subsystems.

Part 6: Interface standards

Section 1: Credit dispensing unit – Standard token translator interface.
Section 2: Not used
Section 3: System master station – Credit dispensing unit.
Section 4: Data transfer by physical media – System master station – Credit
dispensing unit.
Section 5: Not allocated
1)
Section 6 : Standard transfer specification/Credit dispensing unit – Electricity dispenser
– Categories of token and transaction data fields.
Section 71): Standard transfer specification/Credit dispensing unit – Electricity dispenser
– Token encoding and data encryption and decryption.
Section 81): Standard transfer specification/Disposable magnetic token technology –
Token encoding format and physical token definition.
Section 91): Standard transfer specification/Numeric token technology – Token encoding
format and physical token definition.

Part 71): Standard transfer specification/The management of cryptographic keys.

Part 8: The management of secure modules.

Annexes A and B are for information only.

Introduction
A secure module is an electronic hardware device that is used for the creation of encrypted credit
tokens for use in prepayment meters. The device is most commonly used in credit dispensing units
(CDUs) that are installed at vendor premises.

The secure module can pose significant risk to the user if the device is not properly managed and
controlled. Essentially, the device could be used fraudulently to vend electricity leading to the loss
of revenue streams to the user.

With the promulgation of online vending systems, the use of secure modules will be limited to the
server and therefore the risk that these devices pose will reduce. In addition, the quantity of
modules required will be significantly reduced due to the processing capabilities of the server unit.
The decommissioning of CDUs will result in excess capacity of modules in the field. It is therefore
critical that these be adequately managed.

This part of NRS 009 proposes procedures that should be adopted by the users of these secure
modules to ensure that their risk will be minimized.

Keywords
CDUs, credit dispensing units, electricity sales systems, prepayment metering, secure modules,
vending equipment.

1) Parts and sections of NRS 009 which specify the Standard Transfer specification have been published by the IEC
as IEC/PAS 62055-41, Electricity metering – Payment metering systems – Standard transfer specification.
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

1 NRS 009-8:2005

Contents

Page

1 Scope ................................................................................................................................ 3

2 Normative references ....................................................................................................... 3

3 Terms, definitions and abbreviations ................................................................................ 3

4 Code of practice ................................................................................................................ 4

4.1 Identification of secure modules ............................................................................. 4

4.2 Asset register .......................................................................................................... 4
4.3 Acquisition .............................................................................................................. 4
4.4 Coding of secure modules ...................................................................................... 4
4.5 Keyload files ........................................................................................................... 5
4.6 Storage ................................................................................................................... 5
4.7 Installation .............................................................................................................. 5
4.8 Repair/replacement ................................................................................................ 5
4.9 Disposal .................................................................................................................. 5
4.10 Decoding ................................................................................................................ 6
4.11 Associated activities in the KMC ............................................................................ 6

Annex A (informative) Pictures of secure modules ................................................................ 7

Annex B (informative) Sample secure module coding request form ....................................... 8

 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005 2

This page intentionally left blank

 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

3 NRS 009-8:2005

ELECTRICITY SALES SYSTEMS

Part 8: The management of secure modules

1 Scope
This part of NRS 009 sets out the practices to be implemented by users of electricity sales systems
for the management of secure modules.

NOTE 1 Pictures of secure modules are given in annex A.

NOTE 2 A sample secure module coding request form is shown in annex B.

2 Normative references

Not applicable.

3 Terms, definitions and abbreviations

For the purposes of this part of NRS 009, the following terms, definitions and abbreviations apply.

3.1 Terms and definitions

blank module
new secure module that has not been registered at the Eskom key management centre
NOTE A blank module has not been loaded with master keys or vending keys.

initialized module
secure module loaded with master keys, registered at the Eskom key management centre
NOTE An initialized module has been loaded with master keys but not with vending keys.

coded module
secure module initialized and loaded with the vending keys of specific supply group codes
NOTE A coded module has been loaded both with master keys and vending keys.

recycling
process of reusing a previously coded secure module, involving recoding under authorization, at the
KMC

3.2 Abbreviations
CDU: credit dispensing unit

KMC: key management centre

 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005 4

4 Code of practice
4.1 Identification of secure modules

Secure modules are defined by the firmware version that has been loaded onto the device. There
are several firmware versions that are registered at the KMC. A list of firmware versions can be
viewed on the NRS website, in the index of NRS specifications, under “NRS 009”.

NOTE See the inside cover of this part of NRS 009 for the NRS website.

To aid operators of electricity sales systems identify secure modules, pictures of secure modules2)
are provided in annex A.

4.2 Asset register

4.2.1 Each utility that operates electricity sales systems shall maintain an asset register of secure
modules. The register shall contain at least the following information about each secure module:
a) serial numbers, secure module type, CDU identification number;

b) firmware version;

c) installed location, date and time of installation;

d) keys loaded, date and time of loading of keys;

e) location area vendor name; and

f) current status, for example:

1) active, date and time activated;

2) spare, date and time;

3) disposed of, date and time disposed of; and

4) sent for repairs, date and time.

4.2.2 This information shall be recorded when a CDU or CDUs is (are) being purchased.

4.3 Acquisition
When CDUs are purchased by a utility, the supplier shall be asked to provide the utility with the
serial number of each secure module that will be installed in each of the CDUs supplied.

4.4 Coding of secure modules

4.4.1 Written authorization shall be required from the utility to code any secure module. In some
instances, the utility may authorize the supplier, in writing, to request coding to be done on his
behalf. The utility shall ensure that the KMC is informed of any changes to this permission. The
KMC will not be held responsible for any agreement reached between suppliers and utilities.

2) Secure models are examples of suitable products available commercially. They are given for the convenience of
users of this part of NRS 009 and do not constitute an endorsement by the ESLC of these products.
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

5 NRS 009-8:2005

4.4.2 All modules that have been coded at the KMC shall be returned to the sender, unless
otherwise specified on the coding request form (see annex B). Secure modules shall be couriered
from the KMC as initialized modules only. The requested vending keys will be contained in the
keyload files (see 4.5).

4.5 Keyload files

4.5.1 The creation of keyload files (also known as keyfiles) is a separate process performed at the
KMC. A keyfile is a text file that contains the specified vending keys that can be loaded onto secure
modules and can be conveniently emailed to the requester. A keyfile can only be created for a
module that has been initialized at the KMC. In addition, it can only be successfully loaded for the
specified module.

4.5.2 Keyfiles shall be sent via email or diskette to the requesting party only. Wherever possible,
the KMC shall, in the case of each utility, maintain a record of contact persons who are authorized
to receive keyfiles. It is the utilities’ responsibility to ensure that the KMC is informed of any changes
in this regard.

4.5.3 The loading of keyfiles onto a secure module shall be performed by authorized utility
personnel, the CDU supplier or third party agents. The utility shall assess the risk associated with
each of these methods and ensure that control mechanisms are put in place.

4.5.4 All keyfiles shall be retained by the utility for record purposes.

4.6 Storage

Secure modules not installed in CDUs shall be stored at room temperature, under controlled
conditions with access restricted to authorized personnel only. The device has an internal battery
which has a limited shelf life. Storage of these devices for extended periods is therefore not
recommended. More detail about the secure module specifications or storage conditions should be
sourced from the secure module supplier.

4.7 Installation
It is recommended that a visual check of the secure module serial number be undertaken on site
and the information verified against that which has been provided by the supplier, or against the
asset register.

4.8 Repair/replacement

4.8.1 A secure module is typically identified to be faulty by the CDU software indicating a secure
module error (code 01: device failure), or by the LED indicator indicating “OFF” when the secure
module is powered-up. If this should occur, the secure module shall be returned to the supplier who
provided it, either the CDU supplier or the secure module supplier, for further checks and
evaluation.

4.8.2 After evaluation, the module shall be returned to the utility for reuse if repaired, or for
disposal. The disposal of faulty modules shall remain the responsibility of the utility (see 4.9).

4.8.3 Where a replacement secure module is to be installed and coded, the procedure for
installation and coding of a new module shall be followed (see 4.4 and 4.5).

4.9 Disposal

4.9.1 If advised by the supplier that a returned secure module is irreparable, the module shall be
returned to the utility. The utility shall be responsible for the disposal of secure modules by
physically destroying faulty modules under controlled conditions (e.g. centrally by a nominated
responsible person). The utility shall not rely on the supplier to dispose of faulty modules.
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005 6

4.9.2 An internal audit process shall be established to verify that the disposal of faulty secure
modules is carried out. This should include the witnessing of the physical destruction of the
modules.

4.9.3 The utility shall advise the KMC in writing of any secure modules that have been disposed of
as soon as possible after disposal.

4.10 Decoding
The utility shall be responsible for clearing or removal of vending keys from secure modules that
have been coded by the KMC. A software tool that can be used for this purpose is available from
the secure module supplier at a minimal fee.

Alternatively, the modules may be forwarded to the KMC and decoding requested.

4.11 Associated activities in the KMC

4.11.1 Where available, the KMC shall maintain a record of the status of all secure modules which
have passed through the KMC, indicating whether they are “active” or “scrapped”. It shall be the
responsibility of the utility to inform the KMC of the status of secure modules. The default status will
remain as “active”.

4.11.2 If requested, the KMC shall provide a list of secure modules that have been assigned to a
utility using the relevant supply group code(s) as the search criterium/criteria.
This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

7 NRS 009-8:2005

Annex A
(informative)

Pictures of secure modules

Figure A.1 – TSM210/220-STA

Figure A.2 – TSM2xx-RSA

Figure A.3 – TSM200/210- XP3

(enclosure removed)
 This standard may only be used and printed by approved subscription and freemailing clients of the SABS.

NRS 009-8:2005 8

Annex B
(informative)

Sample secure module coding request form

NOTE For the latest version of this form, contact the key management centre, email: [email protected]

SECURE MODULE
CODING REQUEST FORM

Rev 04

1. Secure modules for coding

Secure module Area Keyfile Reason for
Supply group codes
ID number description version 1/2 coding request

2. Requester’s details

Name:................................................................. Company: ...................................................... ........................................

Telephone No.: .................................................. Fax: .................................................................... ............................................
Cell: ....................................................................
Email: .................................................................
Return address: (physical)........................................................................................................................................................
.................................................................................................................................................................................................
Date: Signature:

3. Authorization (for Eskom codes only)

Name:.................................................................... Eskom region: ............................................................................................

(Prepayment Manager)

Approved (Yes/No): ............................................... Signature: ......................................................................................

.............................................................................. Date: ..........................................................................................................

4. Comments:........................................................................................................................................................................

.................................................................................................................................................................................................

© Standards South Africa