How KURVE guarantees data security for heat network metering

With smarter technology comes a natural concern about data security. We’ve all seen stories of privacy concerns, from voice-activated devices listening in on our conversations to new regulations ensuring internet-connected gadgets, like baby monitors, are secure against cyber threats.

Now, you may wonder, “how is this relevant to heat networks?”.

Given that there are at least 500,000 heat network consumers in the UK, with the majority legally required to have a heat meter accurately recording their energy usage, a significant volume of data is handled and processed. While this data holds the key to fair billing and efficiency improvements, as with everything, priority should be made to ensure data security at every step.

As such, we wanted to break down exactly how data is transferred throughout the KURVE system, from the heat meter through to the web-app in the customer’s hands.

The importance of meter data security

Meter data collection within the utility sector allows for consumption data to be transmitted from energy meters into metering and billing systems for further analysis and processing.

As a minimum, and per the Heat Network (Metering & Billing) Regulations 2014, most properties should have their own heat meter. This allows each household to only pay for the energy they’ve consumed. Billing based on actual usage makes customers more conscious of what they’re consuming and, in turn, has proven to save energy by up to 20%.

Meter data can also be used to identify heat network optimisation opportunities. Most existing networks currently only operate at a 35-45% efficiency. To achieve the goal and design expectations of 65-70%, meters should be installed throughout the network to help identify inefficiencies easily.

With this level of data collection comes responsibility. Under the General Data Protection Regulation (GDPR), utility meter data is considered personal information, but only when linked to a specific individual.

So, in short, to ensure GDPR compliance, keeping the amount of personally identifiable data to a minimum is a must, just like we do at KURVE.

How is meter data collected and transferred?

Where meters are installed in every property, you typically see three key points at which data is transmitted:

1. The data is transferred from the individual heat meters to an on-site hub or gateway.  
2. The meter data package is then encrypted and sent from this hub to the remote billing system.
3. Lastly, the meter data, now within the billing system, is presented to the consumer via their bills or, where they’re on a pay-as-you-go system, via a web-app or in-home display.

KURVE is designed around this structure with additional security and data storage measures in place to ensure compliance and protection at every stage.

How KURVE protects metering data at every step

At KURVE, we don’t just meet security requirements, we exceed them. Our systems are subject to regular penetration testing to identify and eliminate vulnerabilities. We also carry out continuous security updates to stay ahead of evolving cyber threats.

The below measures mean that KURVE is Cyber Essentials and ISO 27001 accredited, providing independent verification of our industry-leading security standards.

On-site meter to datalogger

The meter data package, including meter reads and serial numbers, is securely collected via wired M-Bus and sent to an onsite datalogger. No personally identifiable data is contained in this package.

Security measures:

• Kamstrup Master datalogger stored in a locked cabinet within a restricted-access area.
• No exposure of personally identifiable information – only meter serial numbers and associated data package available. Property information not known to identify location of data.
• Wired M-Bus network permits only one datalogger to be installed at any time, restricting unauthorised access to the cable network.

On-site datalogger to Kamstrup READy

Meter data from the Kamstrup Master datalogger is transferred from the site into the cloud solution, Kamstrup READy.

Security measures:

• Secure Transport Layer Security (TLS) communication between the Kamstrup Master and READy server.
• Dual connection/IP addresses through a Fixed Internet Connection (FIC) line and 4G network failover gives flexibility in the event of cyber-attacks.
• Kamstrup datalogger encrypts the data before being sent to READy.

Kamstrup READy to KURVE

Meter data and thermal disconnect instructions are securely stored and transferred between Kamstrup READy and KURVE.

Security measures:

• Secure HTTPS REST application programming interface (API) ensures encrypted communication between the systems.
• AES-128 bit encryption through Kamstrup encryption keys ensures advanced data security and confidentiality with end-to-end meter data protection.
• Kamstrup is ISAE3000 and ISO27001:2022 certified, and works in alignment with relevant aspects of CIS18 and the IEC62443 security standards.
• In line with our commitment to security, Kamstrup implements access control, network security, and regular security audits in READy to ensure GDPR compliance.

Between metering & billing system & KURVE

Customer account details, including contact details and vulnerability information, are securely shared between Insite’s metering & billing system, Gentrack Velocity (GTV), and KURVE through direct API communication.

Security measures:

• KURVE and GTV operate inside their own individually protected virtual private cloud (VPC) environments, which are secure, firewall-protected data centres.
• These KURVE and GTV VPCs can only be accessed via a secure virtual private network (VPN) established between specific servers through strictly defined communication ports.

Between PayPoint & KURVE

Payment requests are handled through direct API communication with PayPoint, ensuring KURVE has limited sight of residents’ payment card details.

Security measures:

• Secure HTTP connection between the two systems.
• Payment card details are handled directly by PayPoint for Payment Card Industry Data Security Standard (PCI DSS) compliance.
• Only the last four digits of payment cards and the expiry date are visible in KURVE.

Are wired M-Bus networks secure?

Wired M-Bus has been a trusted metering standard for decades, offering secure, reliable, and GDPR-compliant data collection for heat networks across the UK and Europe. Its inherent physical nature means that it is far less vulnerable to hacking and interception.

The Open Metering System (OMS) Group has further strengthened M-Bus security with authentication and integrity checks, ensuring compliance with industry security standards like BS-EN-13757 and GDPR:

• Data is transmitted through physical cables, meaning it is shielded from hacking, remote interception, and replay attacks.  
• Only the authorised M-Bus master can request data from meters, preventing unauthorised access.
• Only meter readings and serial numbers are transmitted, and only when necessary. As no personally identifiable information is sent across wired M-Bus, it is GDPR compliant.
• Wired M-Bus meets European and British security standards, ensuring that multi-vendor smart meters implement authentication and integrity checks to protect against cyber threats and tampering.

Wired M-Bus is a robust solution that meets industry standards as confirmed by KURVE’s Cyber Essentials and ISO 27001 accreditations.

Your security responsibilities

As a landlord or property manager, you have a duty of care to protect your residents’ personal information. So, you must choose a metering system that prioritises security at every level.

By choosing KURVE, landlords, property managers, and residents, can have complete confidence in the security of their heat network metering data.