Is wired M-Bus (Meter-Bus) safer than wireless? Sam Clarke investigates.
As regulations tighten and expectations rise around data protection, property managers and managing agents responsible for heat networks in residential blocks are under increasing pressure. They will need to ensure their metering systems are not just accurate, but demonstrably secure.
One area currently under scrutiny is the use of wired M-Bus, a long-established European standard for metering data transmission. Because it conveys information unencrypted, some in the sector have raised concerns about the level of data security it offers and its future compliance as rules change.
Fact or fiction?
So, how fail-safe is M-Bus, and is there any reason to believe it will be viewed as non-compliant when new technical heat network standards are rolled out nationally next year?
The first thing to understand is that encryption itself is a bit of a red herring. It’s necessary for wireless solutions precisely because they’re far more vulnerable to hacking and interception than hardwired architecture. M-Bus, on the other hand, is unencrypted by design, because its physical transmission method is inherently secure. Furthermore, the data it carries contains no personally identifiable information, the data is pseudonymised, and the cables themselves are not accessible to the public. From a cybercriminal’s point of view, it therefore offers no opportunity for exploitation.
Given this and what we know about the current GDPR regulations (where Wired M-Bus is accepted), it seems rather unlikely that the M-Bus protocol will be deemed inadequate by Ofgem when it officially begins the role of regulator for UK heat networks next January.
A legislative landscape in flux
The Heat Network (Metering & Billing) Regulations 2014 and its updates required any building served by a heat network to have individual meters for end-users, providing accurate consumption data for billing purposes. But until now there has been little attention paid to data security.
Next year, however, will see the launch of the Heat Network Technical Assurance Scheme (HNTAS). This is expected to introduce performance-based technical and service standards across the entire heat network lifecycle, including design, installation, maintenance, and metering. Together with the Heat Network Consumer Protection Regulations and Heat Network Zoning, the scheme is part of the UK Government’s plan to bring heat networks in line with other regulated utilities in terms of transparency, accountability and consumer protection.
HNTAS is expected to focus on heat network performance through extensive KPIs, requiring good meter infrastructure and reliable data. But that doesn’t mean it will prescribe a specific type of metering infrastructure. Although full details have not yet been released, emerging expectations suggest that requirements will be outcomes-based. In other words, while your system must be secure, it will be up to you how you achieve that.
How metering systems work
There are many different solutions for metering in modern heat networks. In the more typical variants, consumption data from individual meters is transmitted to a central hub on site. From there, it’s processed and sent in encrypted form to remote servers or billing platforms. Finally, residents can view their usage via apps, in-home displays or web portals, and make payments through secure platforms.
The wired M-Bus versus wireless debate pertains to the first leg of this data journey, from the meter to the hub. Here, with wired M-Bus, data travels down a two-wire bus structure using low-frequency voltage signals, which enable the master and slaves to communicate. These voltage signals are then translated by the master, and the data can then be sent on to where it is required.
Data passing along M-Bus cables doesn’t require encryption because it only travels through secure, locked risers. Plus, as it contains no personally identifiable information, only anonymised meter IDs and usage values, this solution is accepted in the GDPR legislation.
As an added bonus, M-Bus is an open protocol, which means housing providers easily retain access to their own system data. Wireless protocols, on the other hand, tend to rely on proprietary technologies and third-party cloud services. These can effectively lock data behind vendor-specific platforms, or leave it held to ransom by encryption keys, raising concerns over future interoperability and exit costs.
How do data breaches happen?
The key things to consider when assessing the vulnerability of technology used for remote reading of heat network meters are how systems are configured and what types of data they transmit. Vulnerabilities typically emerge when third-party providers have insufficient safeguards in place, or when wireless data is transferred without appropriate encryption.
With wired M-Bus, as with many solutions, the most likely data breach occurs when a device is connected to the internet. This is where robust security measures are most needed. It is not a shortcoming of the wired M-Bus protocol, but rather a general risk when any device is exposed to the internet, regardless of the meter communication used. Measures that help prevent data breaches from external attack include the use of TLS communication (between master and cloud system) and the encryption of all data when it leaves the master.
For GDPR compliance, metering data, such as consumption rates and device serial numbers, should be transmitted and stored separately from identifiable personal information. Local hubs processing both types of data should always be physically secured in locked cabinets in the energy centre. These hubs should also employ their own security methods for storing the data and preventing unauthorised access to it. For online payments, card entry should be hosted directly by the payment provider, ensuring sensitive information never passes through the metering system. Resident accounts must use strong passwords, ideally reinforced with two-factor authentication.
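The two safeguards described above, TLS between master and cloud and keeping metering data apart from personal information, can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the field names, the allow-list and the function names are assumptions.

```python
import json
import ssl

# Assumed field names: the only values a reading may carry upstream.
ALLOWED_FIELDS = {"meter_id", "reading_kwh", "timestamp"}


def build_tls_context(ca_file=None):
    """Client-side TLS context for the master-to-cloud link."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies the server chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse legacy protocol versions
    ctx.check_hostname = True                         # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def split_record(record):
    """Return (metering, rejected): only `metering` may be uploaded."""
    metering = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    rejected = sorted(k for k in record if k not in ALLOWED_FIELDS)
    missing = ALLOWED_FIELDS - metering.keys()
    if missing:
        raise ValueError(f"incomplete reading, missing: {sorted(missing)}")
    return metering, rejected


def encode_upload(records):
    """Serialise a metering-only payload and list the fields held back."""
    payload, stripped = [], set()
    for rec in records:
        metering, rejected = split_record(rec)
        payload.append(metering)
        stripped.update(rejected)
    return json.dumps(payload, sort_keys=True).encode(), sorted(stripped)


# Constructed sample records (not real data).
SAMPLE = [
    {"meter_id": "M-0001", "reading_kwh": 1523.4, "timestamp": "2025-01-01T00:00:00Z"},
    {"meter_id": "M-0002", "reading_kwh": 88.0, "timestamp": "2025-01-01T00:00:00Z",
     "resident_name": "Example Resident", "flat": "12B"},
]

if __name__ == "__main__":
    body, stripped = encode_upload(SAMPLE)
    print(len(body), "bytes to upload; held back:", stripped)
    print("TLS floor:", build_tls_context().minimum_version.name)
```

The context returned by `build_tls_context()` would be passed to whatever HTTPS or MQTT client the master uses; the upload body never contains fields outside the allow-list.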
A real-world example
One of our housing association clients recently opted to install KURVE’s M-Bus-based metering and billing technology in a new-build development, following a successful retrofit of the same platform at another scheme using a wireless encrypted system. This decision followed an exhaustive Data Protection Impact Assessment (DPIA) conducted in partnership with their internal data protection team.
The conclusion? Both systems, M-Bus and encrypted wireless, offered robust security when configured correctly. The key was ensuring data was minimised, transmission paths were secure, and access controls were properly enforced.
Preparing for 2026 and beyond
With HNTAS on the horizon, now is the right time to audit your existing metering and billing systems. If you’re commissioning a new scheme or upgrading an older one, consider the following:
Understand your infrastructure: Know how your meter data moves, where it’s stored, and who has access to it.
Engage your Data Protection Officer (DPO) early: If your organisation has a DPO or legal adviser, involve them in system design decisions from the outset.
Request certifications: When selecting metering and billing providers, choose companies with Cyber Essentials and ISO 27001 certifications. These are strong indicators of a structured approach to information security management.
Don’t assume encryption = secure: Focus on total system security, not just buzzwords.
Plan for data access: Avoid systems that lock you into proprietary platforms or make it hard to retrieve your own network data.
Document everything: For future audits, having a DPIA or similar documentation can be invaluable.
The right fit for your site
Wired M-Bus may not be new or flashy, but in many residential blocks it remains the most reliable, secure and cost-effective option available. It’s been recommended in the CIBSE Heat Networks Code of Practice since 2015 and, to date, we’re aware of no recorded cases of a security breach involving M-Bus infrastructure.
However, data security isn’t ever about just one component; it’s about the system architecture as a whole. Robust security protocols must be applied consistently throughout the data transmission process, tailored to the nature of the information being handled and appropriate for the systems in use at each stage. With new standards on the way, property professionals must prepare to demonstrate due diligence and focus on outcomes, regardless of which system they choose.
Sam Clarke is Business Development Manager for Kurve Technologies.