DLMS/COSEM (IEC 62056) - the smart metering protocol
DLMS/COSEM per IEC 62056 - the standard for communication with electricity, gas and water meters. Port 4059, COSEM application layer, HLS security.
DLMS/COSEM is a two-part standard for communication with smart meters for electricity, gas and water. DLMS (Device Language Message Specification) defines the device object model and the application layer; COSEM (Companion Specification for Energy Metering) defines the set of objects representing meter data and functions.
The standard is maintained by the DLMS User Association and formally standardized as the IEC 62056 series (parts 3-1, 4-7, 5-3, 6-1, 6-2, 7-3, 7-5, 8-3, 8-4, 9-7, 47 and others - each part defines a different aspect from the physical layer to object mapping).
DLMS/COSEM is the dominant standard for AMI (Advanced Metering Infrastructure) in Europe, present in millions of electricity meters and, increasingly, in gas and water meters. In Poland, AMI deployments by Distribution System Operators (Tauron, Energa, PGE, Enea) rely on DLMS/COSEM as the communication layer.
Layered model
COSEM is independent of the physical medium - the same set of objects and services can be transported over:
| Medium | Transport |
|---|---|
| Serial (RS-485, optical IEC 62056-21) | HDLC (IEC 62056-46) |
| PLC (Power Line Communication) | G3-PLC, PRIME |
| RF/LoRaWAN | Wireless layers |
| IP network | TCP/UDP Wrapper (IEC 62056-47) |
TCP/UDP Wrapper (IANA port 4059 - TCP and UDP) is the encapsulation layer for DLMS/COSEM on IP networks. It dominates communication between data concentrators (DC - Data Concentrator) and the DSO’s head-end system (HES).
COSEM object model
COSEM defines objects as instances of COSEM classes identified by OBIS (Object Identification System) - a structured six-group code:
A.B.C.D.E.FWhere:
- A - medium (1 = electricity, 7 = gas, 8 = water)
- B - channel (0 = no specificity)
- C - physical quantity (1 = +active power, 21 = instantaneous active phase power, 96 = service data)
- D - measurement type
- E - tariff value
- F - billing state
Example: 1.0.1.8.0.255 = total imported active energy, no tariff differentiation, current value.
Key object classes:
| Class | Name | Purpose |
|---|---|---|
| 1 | Data | Single static value (configuration) |
| 3 | Register | Measurement value with a scale attribute |
| 4 | Extended Register | Register with a timestamp |
| 7 | Profile Generic | Historical register (load profile) |
| 8 | Clock | Meter clock |
| 15 | Association LN | Access control, permissions |
| 70 | Disconnect Control | Disconnect control (pilot circuit) |
DLMS services
A DLMS client (HES or DC) can perform:
| Service | Function |
|---|---|
| GET | Read a COSEM object attribute |
| SET | Write an attribute (e.g. parameterization, clock setting) |
| ACTION | Invoke an object method (e.g. reset of billing registers, disconnection) |
Each service can be executed in the following modes: no-reply, response-or-indicate, response-only.
DLMS/COSEM security
DLMS/COSEM, unlike many other OT protocols, has built-in security mechanisms - the DLMS User Association designed the protocol with hundreds of millions of meters installed at end consumers in mind.
Security levels:
| Level | Designation | Mechanism |
|---|---|---|
| Lowest (LLS) | Low Level Security | Cleartext password - a formal minimum that provides no real protection |
| High (HLS) | High Level Security | Challenge-response with a symmetric or asymmetric key |
| HLS_SHA | HLS_SHA1, HLS_SHA256 | Challenge-response with an SHA hash function |
| HLS_GMAC | HLS with GMAC | Challenge-response with AES-GMAC |
Cryptographic frame protection:
- Authenticated Encryption - AES-128-GCM provides confidentiality and integrity
- Authentication only - AES-128-GCM with an empty encrypted payload (integrity only)
- Encryption only - AES-128-GCM without verification
Keys:
- Authentication Key (AK) - key for HLS and authentication
- Global Unicast Encryption Key (GUEK) - unicast encryption key
- Global Broadcast Encryption Key (GBEK) - broadcast key
- Master Key (MK) - master key, used for transporting other keys
Attack vectors and incidents
WARNING
Despite sound cryptographic design, DLMS/COSEM has a broad attack surface due to mass deployment. Vulnerabilities typically arise from poor implementation in specific meter models, key management, or the architecture of the overall AMI system - not from the protocol itself.
Historical vectors:
- Default keys - some meter models shipped with global, identical keys for an entire production batch. Obtaining a single key = compromise of the whole batch.
- Disconnect Control (class 70) - remote consumer disconnection. A mass attack across many meters can cut power to large areas (a state-level sabotage vector).
- Billing register manipulation - attacks on class 3/4 allow falsification of readings to reduce or increase the bill.
- Firmware persistence - malicious meter firmware delivered through DLMS upgrade services.
The Ukraine 2015-2016 incident (BlackEnergy and Industroyer attacks) affected distribution infrastructure, including metering systems - although the main attacks focused on substation SCADA, the AMI component was also disrupted through compromise of the DSO’s IT area.
AMI architecture in Poland
Typical architecture:
Smart meter <-- G3-PLC / RF / GPRS --> Data Concentrator (DC) <-- TCP/IP (DLMS Wrapper 4059) --> Head-End System (HES)
|
v
MDMS (Meter Data Management)
|
v
Billing, CISThe DLMS/COSEM layer is present on both the “last mile” medium (between the meter and the DC) and in IP transport (between the DC and the HES).
Deployment recommendations
- Unique per-meter keys - do not use global keys (AK, GUEK, MK) shared across an entire batch. Keys generated per device at production or commissioning.
- HLS or higher for all connections - LLS (cleartext password) should not be acceptable outside of a test phase
- Authenticated Encryption for data in transit - AES-128-GCM enabled for both directions
- Segmentation of HES-DC-meters - each layer with its own firewall, inheriting Zero Trust principles
- Control of class 70 (Disconnect) - permissions for the disconnect control should be separately governed, with two-person authorization (two-person rule) for mass operations
- HES monitoring - detection of unusual patterns: mass SET operations, repeated authentications, sessions from unknown IPs
- Firmware signing - DLMS upgrades only for signed firmware images, signature verification on the meter
Analysis tools
Wireshark decodes DLMS/COSEM (filter: dlms).
Open source:
- Gurux DLMS - open source libraries (C#, Java, Python, C++) for meter communication
- automayt/ICS-pcap - PCAP samples with DLMS traffic
Production monitoring:
- Nozomi Guardian, Claroty CTD/xDome - DLMS support within AMI monitoring
- Dragos Platform - detection of operational anomalies in metering systems
Summary
DLMS/COSEM is a rare example in the OT world of a protocol designed with security in mind from the start - AES-128-GCM, HLS, key management. In practice, AMI security problems stem not from the protocol but from the ecosystem architecture: default keys, weak segregation of HES/DC/meters, and a lack of monitoring of unusual operations. In audits of a DSO, attention focuses on key management and control of mass operations - especially consumer disconnection (class 70).
Sources
- DLMS User Association - official standards organization
- IEC 62056 series - IEC standards
- IEC 62056 on Wikipedia - general overview of the standards series
- Gurux DLMS - reference open source implementation
- Analysis of DLMS Protocol - Technical Report (VUT Brno) - technical analysis
Need help in this area?
Our experts will help you assess the risk and plan next steps.