Enhancements to Security Wizard in ION Setup around Configuration for Time Synchronization with Advanced Security

Goals and Symptoms

It is possible to set up an ION meter with advanced security to simultaneously accept broadcast clock synchronizations but reject time sync packets sent by specific users.  This constitutes an obscure logical inconsistency between the general meter time synchronization settings and time synchronization settings per user when the meter is set to Advanced Security mode.  Note that the Advanced Security feature is only available on the ION 7650, ION 7550, and ION 8xxx Series Meters.  Meters set up using ION Setup versions 2.0 and 2.1 (up to build 662) will have a greater chance of containing this inconsistency due to the facts detailed below.  This article outlines the enhancements to the functionality of ION Setup 2.1 (build 663 and greater) to help avoid this issue. 
With the introduction of ION Setup 2.0, the default setting for the meter in general  for time synchronization was Allow Broadcasting Time Synchronization = Yes, as illustrated in the screen shot below (Fig 1).

Fig 1. Advanced Options (Setup Assistant > Security > Security Mode > Edit > Advanced)
When the meter is configured for Advanced Security, there are individual user settings for time synchronization which can be set to be in logical conflict with the general Allow Broadcasting Time Synchronization meter setting mentioned above as show in Figure 2 below.

Fig 2. Individual Security Settings in Advanced Security Mode (Setup Assistant > Security > Security Mode > Edit > Advanced > Next)

Facts and Changes

Causes and Fixes

The logical inconsistency which is currently allowed by ION Setup without any intervention is the following:
Even though USER02 would be unable to issue a time synchronization when logged in as USER02, they would be able to time synchronize the meter by triggering an anonymous broadcast time synchronization.
Meters configured using ION Setup are more likely to contain this logical inconsistency in their settings if ION Setup 2.0 or ION Setup 2.1 (up to and including build 662) was used because the default setting for time synchronization is set to Allow Broadcasting Time Synchronization = Yes in this range of builds.

    • (1)  The default setting for Allow Broadcasting Time Synchronization is now set to No for meters on which Advanced Security is enabled.
      (2)  If the user chooses to over-ride the default setting for Allow Broadcasting Time Synchronization and set it to Yes while, at the same time configuring certain individual users to Time Sync Access = No, ION Setup will generate the following pop-up message to highlight this inconsistency and give the opportunity to fix it:

Text of message is above screen shot:
WARNING: Allowing broadcast time synchronization contradicts having users without time sync access.
Do you wish to turn off Broadcast Time Syncs?
<Yes>  <No>  <Cancel>
More Information
Note that this resolution does not absolutely preclude the possibility that the meters settings still be allowed to include this logical inconsistency.  The user still has the freedom to set Allow Broadcasting Time Synchronization to Yes while, at the same time, configuring certain individual users to Time Sync Access = No.  The key advancement is that this inconsistency is now less likely because of better default settings and because inconsistency is clearly highlighted to the user in a pop-up message box.
This problem was brought to Schneider Electrics attention by the Independent Electricity Market Operator (IMO) for Ontario.
