Panoramic Power Security Overview
Table of Contents
To download this in a PDF form - click here
About us
Panoramic Power provides innovative, end-to-end distributed energy solutions to organizations enabling them to improve operational efficiency, increase resilience and drive their business vision forward.
Panoramic Power is the brand name for our energy insight solution powered by our hardware sensors and Bridges and facilitated by our cloud platform.
Our solution lets our customers see exactly how their business uses energy – right down to device level. It gives our customers the energy intelligence they need to reduce wasted power and improve their operational efficiency.
We understand the sensitivity and criticality of data and network security. Therefore, we have taken relevant measures to secure our devices that are deployed to your network and around your critical assets. We secure, manage and monitor account access and activities across the entire deployment process.
Basic Network Connectivity Requirements for Bridges
This section is dedicated to summarizing what is required on Ethernet and Wi-Fi networks in order for Bridges to connect to the cloud-based platform. The rest of the document goes into more details on how the system works and the requirements themselves.
For either Ethernet or Wi-Fi:
Ensure the URL "bridges.powerradar.energy" on Port 443 over TLS protocol is enabled
Confirm your DNS server can successfully resolve the URL above
Ensure Local NTP server is accessible via outbound Port 123 (A public NTP server available is 8.8.8.8 if local isn't available)
If the network uses IP/MAC authentication, make sure the Bridge(s) IP address/Ethernet MAC address are whitelisted (Bridge has both Ethernet and Wi-Fi MAC addresses: use the right one)
Ensure there are no network/firewall rules that will block the Bridge from accessing the internet
Configure the Bridge to the applicable network settings (I.E. DHCP or Static IP)
Additional Wi-Fi Requirements:
Ensure the testing is done at a physical spot where there is at least 2 bars of Wi-Fi network strength
Confirm the Wi-Fi/SSID password does not contain the following characters: % or &
Configure the Bridge to the applicable network settings (I.E. DHCP or Static IP)
If still not connecting, reconfigure the Bridge as a DHCP Ethernet connection type and physically connect the Bridge to the Wi-Fi network's router and see if it connects
Bridge is only compatible with b/g/n protocols
Bridge is only compatible with 2.4GHz networks
Bridge does not support Token/Certificate Based authentication
Bridge does not support public networks that require a manual browser acceptance
Wi-Fi Boosters/Extenders may interfere with Bridge connectivity so if there is one physically present, move a few feet away from this device and try again
Our sensor security principles
To achieve a secure environment to our customers, we have adopted a few security guidelines:
Data sensitivity classification - The Panoramic Power sensors measure and transmit energy readings at a predefined interval. The coded information only contains the sensor ID and the electrical measurements (current, voltage, power, etc.). Any machine or device-specific information such as the type and name of the monitored devices, site name etc. is maintained separately in the secured cloud servers. By enforcing this separation between business data and real-time energy measurements, we eliminate information disclosure or leakage in the unlikely event that the outbound transmission of the data packet is intercepted.
Non-intrusive sensors - Panoramic Power’s current sensors (PAN-10, 12 & 14) use the electromagnetic field generated by the wire to self-power, measure and transmit the current reading. Due to their non-intrusive nature, the sensors do not interact or affect the performance of the devices they are monitoring.
Outbound data flow - The data flow of our sensors and Bridges in the installed facility is outbound, decreasing the attack surface of the system.
The rest of this document describes the data flow and the security measures we employ.
Sensor to Bridge data flow
Panoramic Power sensors transmit small unidirectional packets over a proprietary protocol in the ISM 915MHz (US) or 434 MHz (EU) band. Transmissions are sent 5 to 6 times a minute to a Bridge unit.
Sensors cannot receive any incoming communication from the Bridge or from any other device. Sensor to Bridge transmissions include the sensor ID and the circuit current (Amp) reading and do not include any customer information such as circuit name and type, site name, etc. The effective distance between the sensor and the Bridge is typically 16 feet (5 meters) but may be shorter depending on the installed environment.
Bridge to Cloud data flow
The Bridge collects the sensor transmissions and conveys them to the cloud-based server. The Bridge can convey the sensors’ transmissions using one of the following options:
- Wi-Fi (802.11b/g/n, 2.4GHz)
- Ethernet
- Cellular (GSM/UMTS/LTE)
When using Wi-Fi, the following security protocols are supported: WPA, WPA2, WPA2 Enterprise (username-password mode), WEP64 and WEP128.
WPA2 Enterprise using client-certificate authentication is currently not supported.
The protocol used for Bridge-cloud communications depends on Bridge hardware and firmware version. As shown in the table below:
Bridge Hardware Version |
Firmware Version |
Bridge-Cloud Protocol Used |
| Gen4 or Gen4+ |
4xx 6xx |
TLS V1.2 over port 443 |
During normal operations, the Bridge communicates with the server using outbound communications. A dedicated configuration mode, switched by pressing a designated button on the Bridge, enables Bridge configuration via browser and a built-in web server.
Bridge firmware upgrades are done via physical connection, inserting a USB stick with the latest firmware into the Bridge USB port. Bridges with firmware version V470 and above also support secure over-the-air firmware updates but this functionality can be turned off in the Bridge.
Choosing a secure location for the Bridge is imperative to preventing unauthorized access to physical ports on the Bridge.
Choosing the right cloud connectivity mode
Ethernet, Wi-Fi, or Cellular connectivity
We provide flexibility for Bridge-cloud connectivity. It is ultimately the customer’s decision which method to use.
For maximum security, many IT organizations prefer to completely isolate sensor and Bridge traffic from the corporate IT network. This can be done using the built-in cellular modem and creates a clear ‘air gap’ barrier between the Panoramic Solution and the corporate IT network. Choosing this option also frees the IT organization from managing the connection (e.g. managing firewall rules, managing Wi-Fi password updates, etc).
TLS connectivity to the cloud
Our Bridge firmware versions (V409 and above) support the following cloud connectivity mode:
Protocol |
Address to use in the Bridge |
Port |
TLS |
bridges.powerradar.energy[2] |
443 |
IT organizations that use the corporate Wi-Fi or Ethernet networks must ensure adequate outbound firewall access.
TLS for communications with the cloud-based software:
Outbound TCP port 443
From: any on-premises Panoramic Power Bridge
To: bridges.powerradar.energy (Both IP addresses: 50.17.231.3 and 54.163.225.201)
To operate properly, the Bridge must use accurate time-of-day. The Bridge acquires the time via usage of the NTP protocol using public NTP servers. If the NTP port (outbound UDP port 123) is closed, the Bridge will acquire the time from the cloud-based software.
Outbound UDP port 123
From: Any on-premises Panoramic Power bridge
To: The relevant public NTP server
It is also possible to provide a custom NTP server address. This should be used when connecting to an NTP server located within the private network.
If Wi-Fi is the selected connection type, make sure the Wi-Fi password does not include the special characters & or %. Change your network’s Wi-Fi password to exclude either of those special characters or create a dedicated network for the Bridges.
Confirming the Bridge-cloud connection security
Gen3/4 Bridges running firmware version V409 and above, encrypt all Bridge-to-cloud communications by default using TLS. Settings > Bridges page now contains an indication of the security level of the connection in the model column.
The Bridge-cloud connection is authenticated[3] and encrypted (using TLS).
For 3rd Party Apps, you can setup Automatic Export Jobs on the platform to deliver the energy data externally by two methods: CSV over SFTP, CSV over FTPs, and/or JSON over HTTPs.
For CSV over SFTP or FTPs, submit a support ticket to request the FTP username and password created for your account. Once received, you can use these credentials to login to an FTP client that supports SFTP or FTPs, such as FileZilla. Also, make sure the following details are in place on your client to properly receive this data:
SFTP
Define the host as ftp.panpwrws.com
Define the port as 22 (Control Channel)
FTPs
Define the host as: ftp.panpwrws.com
Define the port as 21 (Control Channel)
Use FTP over TLS
Add a firewall rule for outbound connections on port range 8192-8200 (Data Channel)
The URL “ftp.panpwrws.com” can be resolved to one of the two Static IPs listed below:
107.20.219.37
54.146.253.167
For JSON over HTTPs, you will need to provide a destination URL to your REST service. The server used must have a valid SSL certificate installed. For additional security, whitelist the following static IP addresses to restrict internet traffic attempts into your server:
34.237.64.143
54.205.225.22
When configuring on the platform, the HTTPs Method field will have three options: POST, PUT, and POST (multipart). Upon successfully receiving the JSON data over REST, your program should return the 200 OK HTTP status. A 200 OK HTTP status is expected per transaction.
Our cloud security principles
Panoramic Power software solution is hosted at Amazon AWS and utilizes the shared security model enforced by Amazon. Under this model:
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Panoramic Power is responsible for management of the guest operating system (including updates and security patches), all application software and utilities installed on the instances, and the configuration of the AWS-provided firewall.
For more information about Amazon AWS security and compliance, please refer to : http://aws.amazon.com/compliance/
Our implementation adheres to strict security standards, covered and audited by our IT security. This includes but is not limited to:
Encrypting all web traffic - All web traffic is encrypted using HTTPS.
Web Application Firewall (WAF) - WAF is used to protect incoming web traffic.
Virtual Private Cloud (VPC) - Hosting all production services in a Virtual Private Cloud (VPC) with strict access controls.
Minimal Access Privileges - Our web and mobile applications were designed for least-privileges access, where users are assigned with privileges to the minimal set of sites or accounts necessary to perform their job, as defined by their account administrator.
Optimized Amazon OS - All of our systems use Amazon’s optimized flavor of Linux, which is dedicated and optimized for use with AWS. The AWS security team constantly tests and provides hotfixes which we upgrade regularly.
Automated Intrusion Detection & Prevention - We constantly monitor suspicious activity via automatic access and activity log analysis.
Periodical Penetration Testing and Hardening - We proactively test our system for vulnerabilities and continuously harden the system as new threats appear
Inbound Bridge servers
Communications with the cloud-based software is out-bound only. The Bridge does implement a few (inbound) internal services. All of them are disabled by default when in normal (non config) operating mode.
Service |
Port |
When enabled |
Web UI Server |
HTTP, Port 80 |
Default: Only in config mode Optional: Can be extended to always available |
Telnet |
Telnet, Port 20 |
Only in config mode |
| Modbus Server | Modbus, Port 502 |
Disabled by default. Only when stand-alone mode (Modbus TCP or Modbus RTU) is enabled |
Our privacy policy
We know that you care how your data and information is used and shared, and we appreciate your trust that we will do so carefully and sensibly.
Our full privacy policy can read in the article below:
Privacy Notice
1. Panoramic Power LTD (a Centrica Group Company), and your personal information
The protection of personal information is important to us. We respect your privacy and want you to understand what we do with the personal information we hold about you.
This privacy notice explains how we collect, share and use personal information.
2. Personal information we collect
We may collect the following types of personal information for the purposes of providing our services and products (including the Data Services and Products, as further described in our terms and conditions:
- Contact details: information that allows us to contact you directly such as your name, job title, email address, telephone number and address associated with the relevant account.
- Account details: when you access and use our services through our online interface or mobile app, you will be asked to register with us and create an account (alternatively, your details may have already been provided to us, so we (or other Centrica Group Companies) can provide Data Services and Products to our corporate customers (for example, a reseller of our Data Services and Products, or a company who we provide our Data Services and Products to). Your account details include your email, password and your contact details.
- How you use our services and products: we will collect information about the performance of our Data Services and Products including the Usage Data (as defined in our terms and conditions) and other information used to provide services to you, and to enable us (or other Centrica Group Companies) to provide Data Services and Products to our corporate customers.
- Electrical details: we collect details of the relevant electrical systems including device names, model numbers, set points, electricity tariff, electrical hierarchy and usage information.
- Payment information: where applicable, bank account and other details such as credit/debit card information and any other details you provide to make payment for the services and/or products purchased from us or through our online interface or mobile app.
- Delivery information: information relating to the delivery of our products to you.
- Responses to surveys and market research: we keep records of any surveys and any other customer market research you respond to.
- Records of your discussions with our customer support teams: when you share comments and opinions with us, ask us questions or make a complaint we will keep a record of this. This includes when you send us emails or phone our support team.
- How you use websites and mobile applications: when you access our services via our website or applications we collect information about the pages you look at and how you use them, Analytic Data as further explained in our terms and conditions. The type of browser you use and the URL of pages you visit whilst using our website. Our services also use cookies – to find out more about this please refer to our cookies policy.
- Location information: your smartphone or computer's IP address may tell us an approximate location when you connect to our services but this will be no more precise than the city, state or country you are using your device in.
You are not required to provide any of the personal information described above to us, however, if you do not do so, you may not be able to use our services or the functionality of our services and products may be reduced.
3. What we use your personal information for
We process some of your personal information to provide you with services, including:
| Purpose | Personal information used |
| Provide our services and products to you and maintain your account | All the personal information we collect |
| Provide corrections and updates to our services and products | All the personal information we collect |
| Take payment for our products and services | - Contact details - PP account details - Payment information - How you use our products and services |
| Deliver products and services to you | - Delivery information - Contact details - Account details |
| Perform credit checks | - Contact details - Payment information |
We process some of your personal information to enable other Centrica Group Companies to supply services to you, or to enable our partners to provide their services, including:
| Purpose | Personal information used |
| Provide our Data Services and Products to Centrica Group Companies and our (or their) corporate customers to enable them to provide services to you | All the personal information we collect |
| Provide corrections and updates to our services and products | All the personal information we collect |
| Take or process payment for our products and services or those products and services provided to you through our online interface or mobile app | - Contact details - Account details - Payment information - How you use our products and services |
We process some of your personal information because we have a legal obligation to, including:
| Purpose | Personal information used |
| Investigating misuse of your account, fraud and debt collection | All the personal information we collect |
We process some of your personal information because we have a legitimate interest to improve the services we provide to you or to identify new services you might be interested in, including:
| Purpose | Personal information used |
| Maintain and update our products and services | All the personal information we collect |
| Data analytics and statistical research to help us provide our services | - How you use our services and products - Electrical details - How you use websites and mobile applications - Records of your discussions with our customer support teams - Responses to surveys and market research |
| Develop new products and services | All the personal information we collect |
| Determine products and services that may be of interest to you | All personal information we collect (but not your payment information) |
| Direct Marketing (where you do not trade on your own behalf) | All the personal information we collect |
We process some of your personal information because you have provided your consent to the processing, you may revoke your consent at any point:
| Purpose | Personal information used |
| Direct marketing | - Contact details - Products and services that we have determined may be of interest to you |
We may anonymise, de-personalise and aggregate any of the personal information we hold (so that it does not directly identify you). We may use anonymised, de-personalised and aggregated information for purposes that include testing our IT systems, research, data analysis, improving our site, apps and developing new products and services.
4. Sources we collect your personal information from
We will collect personal information from a number of sources. These include the following:
- Directly from you: when you create, manage or amend your account with us, use our Data Services and the Products, purchase other products or services from us, complete forms we provide to you, make a complaint, contact us by phone, email or communicate with us directly in some other way. This includes where you have provided such information to other Centrica Group Companies or our corporate customers to enable them to provide services to you.
- Our Products, websites and apps: provide us with information about how you use them in connection with our Data Services and/or mobile app.
-
Other companies we work with:
-
FullStory Session Recordings (Full Story, Inc)
Our service uses the FullStory web analytics service. FullStory may record mouse clicks, mouse movements, scrolling activity as well as text you type in this website. FullStory does not track your browsing habits across web sites and we use the data collected in order to improve our services. FullStory may use limited information regarding your use of our service for their own purposes. FullStory data is generally only retained for a period of three months.
To opt out of being tracked by FullStory across all websites visit https://www.fullstory.com/optout/. -
Zendesk Customer service software and support ticketing system (Zendesk, Inc.)
Our service uses the ‘Zendesk customer service and support software’ to improve our customer support experience. Data sent to Zendesk includes your email and account details (account name, site name, etc.). This customer service and support software helps us to resolve support related issues and provide support related services to our customers. -
Intercom: Customer Messaging Platform (Intercom, Inc)
Our service uses the Intercom customer messaging platform.
Intercom’s platform empowers our customer messaging and support process. Data sent to Intercom include your email, account details (account name, site name, etc.) conversation history, and product usage history. Intercom's widget uses these attributes to trigger personalized, automated marketing emails and in-app messages. Based on Intercom data we create and send targeted in-app messages to customers while they’re logged into our app.
To opt out from Intercom communications, please contact Intercom help service https://www.intercom.com/help/. Please note that this will impact your ability to receive product news and updates from us. -
Coralogix log analytics (Coralogix, Ltd.)
Our service uses the Coralogix log analytics platform to improve our backend server monitoring. Part of the system logs may contain your user identifier (email). This log analysis tool helps us provide better monitoring and up time for our back-end systems.
-
FullStory Session Recordings (Full Story, Inc)
More details on cookie usage for the above services can be found in the PowerRadar Cookie Policy.
5. Who we share your personal information with
We share personal information with the following parties:
- Companies in the Centrica group: for the purpose of providing a service to you. These include: British Gas, Bord Gáis Energy, Centrica Business Services, and Centrica Storage.
-
3rd Party Companies:
-
FullStory Session Recordings (Full Story Ltd.)
FullStory is a session recording and heat mapping service provided by FullStory Ltd. -
Intercom: Customer Messaging Platform (Intercom Ltd.)
Intercom is a customer messaging platform service provided by Intercom Ltd -
Coralogix - machine learning powered log analytics (Coralogix, Ltd.)
Coralogix is a machine learning powered log analytics platform service provided by Coralogix Ltd. -
Zendesk: Customer service software and support ticketing system (Zendesk, Inc.)
Zendesk is a customer service and support software provided by Zendesk Inc.
-
FullStory Session Recordings (Full Story Ltd.)
More details can be found in the PowerRadar Cookie Policy
- Any party approved by you, or to whom we provide services that are used by you (for example, your employer and/or the provider of Products that you use).
- Delivery companies: to deliver products that you have ordered from us.
- Other service providers and advisors: such as companies that support our IT, help us analyse the data we hold, process payments, send communications to our customers, provide us with legal or financial advice and generally help us deliver our services to you.
- Purchasers of our business: buyers or perspective buyers who we sell or negotiate to sell our business or assets to.
- The Government or our regulators: where we are required to do so by law or to assist with their investigations.
- Police and law enforcement: to assist with the investigation and prevention of crime or where we believe there to be a potential threat to the physical safety of a person or property.
We do not disclose personal information to anyone else except as set out above. We may provide third parties (including other users of our services) with aggregate statistical information and analytics about users of our products and services but we will make sure no one can be identified from this information before we disclose it.
6. Direct Marketing
Email, post and SMS marketing: from time to time, we may contact you by email, post or SMS with information about products and services we believe you may be interested in. We will always communicate to you in advance of inclusion in marketing activity and give an opportunity to object to such processing. You can also unsubscribe anytime from our marketing by clicking on the unsubscribe link in the marketing messages we send you.
7. Transferring your personal information internationally
The personal information we collect may be transferred to and stored in countries outside of the European Union including the United States of America. Some of these jurisdictions require different levels of protection in respect of personal information and, in certain instances, the laws in those countries may be less protective than the jurisdiction you are typically resident in. We will take all reasonable steps to ensure that your personal information is only used in accordance with this privacy policy and applicable European data protection laws and is respected and kept secure. Panoramic Power LTD is incorporated in Israel, a country which the European Commission has found to have appropriate and adequate levels of data protection. You can find more information about this here: Adequacy of the protection of personal data in non-EU countries.
8. How long do we keep personal information for
We will keep your personal information for as long as you have an account with us, or for as long as an account is kept with us on your behalf (for example, in respect of Products that you use). After you close your account with us, or after an account opened on your behalf is closed, we will keep your personal information for a reasonable period to maintain our records and legal obligations to you. You can find further information about how long we keep your details in the PowerRadar Terms and Conditions.
9. Your rights in relation to your personal information
You have the following rights in relation to your personal information:
- the right to be informed about how your personal information is being used;
- the right to access the personal information we hold about you;
- the right to opt-out of receiving direct marketing messages;
- the right to request the correction of inaccurate personal information we hold about you;
- the right to request the blocking or deletion of your personal information where the processing does not comply with applicable data protection laws and;
- the right to request that we port elements of your data either to you or another service provider.
To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details set out in the "Contacting us" section below. If you are unhappy with the way we are using your personal information you can also complain to the UK Information Commissioner’s Office (details of which can be found here: www.ico.org.uk) or your local data protection regulator. We are here to help and encourage to contact us to resolve your complaint first.
10. Changes to this notice
We may update this privacy notice from time to time. When we change this notice in a material way, we will update the version date at the bottom of this page. For significant changes to this notice we will try to give you reasonable notice unless we are prevented from doing so. Where required by law we will seek your consent to changes in the way we use your personal information.
11. Contacting us
In the event of any query or complaint in connection with the information we hold about you, please email privacy@centrica.com. or write to us at: Privacy Unit – Legal, Centrica plc, Millstream, Maidenhead Road, Windsor, Berkshire, SL4 5GD.
Version dated July 2021.
Frequently Asked Questions
This section contains answers to some frequent questions we get related to our sensors, cloud and security.
What is the wireless communications protocol used with the sensors?
Our sensors transmit small unidirectional data packets via a proprietary protocol in the ISM 915MHz (US) or 434 MHz (EU) band.
What is the range of the sensor to the Bridge?
For reliable communication between the sensors and Bridge, the Bridge should not be more than 16 feet (5 meters) away from the panel. Bridge Wi-Fi range is up to about 150 feet (45 meters) but is subject to local Wi-Fi conditions.
Are the sensor transmission one-way out or two-way? What are the polling rates?
Sensor transmission is one-way. Sensors cannot receive any incoming communication from the Bridge or from any other device. Transmissions are sent 5 to 6 times per minute to a Bridge unit.
How does the Bridge get updated if the various protocols change?
Firmware updates to the Bridge are done using a USB stick with the latest version.
Our latest Bridge firmware version (V470 and above) added the ability to receive over-the-air firmware updates from the server. This is an optional feature that can be turned off.
How do you secure over the air firmware updates ?
Over-the-air firmware update is an optional feature added to Bridge firmware version V470 and above. When turned on, the Bridge checks periodically if a new firmware version is available, downloads and installs it.
This process is done over a secure TLS channel where the Bridge verifies the server certificate. Further, the firmware version itself is cryptographically signed and the signature is verified by the Bridge prior to the installation.
How do the sensors connect/authenticate with the Bridge?
Sensors broadcast their measurements to the Bridge using a proprietary protocol. No authentication/connection is needed due to the low power, the close proximity of the communications and the restricted scope of data being transmitted.
Can the sensors receive firmware updates, and if so, what is the frequency?
The sensors do not need firmware updates.
Is the Bridge a proprietary device?
Yes, the Bridge is a proprietary device that receives data transmission from Panoramic Power sensors. However, the Bridge uses standard Wi-Fi/LAN/Cellular communication to send sensor transmissions to the cloud.
What data elements are sent to the web for analysis?
The sensor ID, the measurement data and internal Bridge statistics (such as number of reconnects, noise level, etc).
How is Bridge configuration done?
Bridge configuration is done via a dedicated web interface, which is enabled by default only when the Bridge is in ‘config mode’. It is possible to enable the web UI also in normal operating mode. The web interface is protected by a password. It is important to change the Bridge password periodically to increase its security.