By Martin Klimke and Chris Shire, Infineon Technologies
To fight global warming and reduce dependency on fossil energy resources, smart grids will be deployed. Smart grids will transform the power grids into intelligent networks that need a solid security foundation. This article gives an overview of the role of security controllers in smart grids.
Motivation for the smart grid
The demand for energy worldwide is growing at an ever-increasing rate. The old model of installing more and more large, centrally located power generation cannot address these needs without a severe negative impact on the environment. The effects of increased carbon dioxide emissions on global warming can already be noticed today. It is clear that fossil energy resources are limited and that exploration costs and risks are rising, so the unit price will increase significantly during this century. That is why there is a need to substantially increase the use of energy from renewable energy sources (green energy).
The European Union has stated the 20-20-20 goals which are: a 20 % cut in emissions of greenhouse gases by 2020, compared with 1990 levels; a 20 % increase in the share of renewables in the energy mix; and a 20 % cut in energy consumption.
To maximize energy efficiency, utilities and governments must, in addition to investing in the disparate energy sources, ensure that the distribution network can handle this transition. Intelligent load balancing and grid management are necessary (Figure 1). The smart grid demand planning enabled by smart meter networks is one of the key technology drivers supporting this transition.
The European Union has acknowledged the need for smart grid and smart meter networks. Standards are needed to foster interoperability, to improve data management and ultimately to lower the cost of smart meter networks. In 2009 the EU therefore kicked off the M441 mandate, asking the European Standard Organization to create a common European standard for smart metering. There are now several CEN working groups and many standards in development to support this mandate. Similar activities have been launched worldwide, most notably in the US under the umbrella of NIST.
Security threats and security certifications
The smart grid will become an integrated network, with network nodes using unified protocols and communication stacks. Once a critical mass of devices is installed, the smart grid will be an attractive target for attackers, criminals, and cyber terrorists. The main motivations are large-scale privacy breaches of the personal data within the network, payment fraud, vandalism, or even cyber attacks on the delivery of energy across part or all of a smart grid.
A fully operating smart grid is vital to the overall economy of a country and is thus regarded as critical national infrastructure, requiring assurance of continuity and integrity as much as the phone network or food distribution. Therefore discussions on statutory security certification have started. Regulators around the world have recognized that implementing security in a reactive, disjointed, and proprietary way, as happened on the internet, may not be the right approach. The development of security profiles will take time but is an essential step in the rollout of smart grids.
Security for smart meters
Security-critical elements of the smart grid are the smart meters and the respective communication hubs. These devices will be deployed in large numbers; a recall of these devices due to a security weakness would be a very expensive undertaking. Additionally, physical access to those devices cannot be 100 % controlled because they are installed within private homes or even outside buildings. Therefore information assurance regulators and privacy watchdogs will assume that physical attacks on such meters will indeed be performed and will demand security measures against them.
Security controllers in the smart grid
Security controllers have proven in other security-critical IT infrastructures, like e-passports or credit cards, that the required security level can be met here. In the domestic environment, security controllers in Pay-TV systems and mobile phone GSM SIMs ensure the consumers' rights whilst protecting the service providers' delivery process.
In a smart meter system a security controller, sometimes called a Hardware Security Module (HSM), can be embedded into various units of the system. An HSM can be used to implement security functions like mutual authentication between the smart meter and the central system or between one smart meter unit and another in the same household network. It is conceivable that each unit of a domestic smart energy network would have its own security controller, so that whether the unit is a local communications concentrator, the in-house display, or a gas or electric meter, together they can provide a meshed, mutually protective security network. In case of software upgrades, security controllers are the secure anchor that assures the integrity of the upgrade software before allowing its installation. Likewise, the integrity of commands and data received from the central system or across the local concentrator hub can be verified, and responses and data from the smart meter units can be authenticated before transmission back to the central system (see Figure 2). Finally, the integrity of the smart meter units can be proven to the central system upon initial installation of the meter in the household.
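The mutual authentication and command-integrity functions described above can be sketched as follows. This is an added example, not code from the article or from any Infineon product; it assumes a per-meter symmetric key shared with the central system and HMAC-SHA256, and all class, function and identifier names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SecurityController:
    """Hypothetical stand-in for the chip: the key never leaves this object."""

    def __init__(self, device_key: bytes):
        self._key = device_key  # assumed to be injected during personalization

    def _mac(self, *parts: bytes) -> bytes:
        # Length-prefix every field so ("ab", "c") and ("a", "bc") differ.
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def respond(self, role: bytes, own_id: bytes, challenge: bytes) -> bytes:
        # The role field stops a response being reflected back to its sender.
        return self._mac(b"auth", role, own_id, challenge)

    def check(self, role: bytes, peer_id: bytes,
              challenge: bytes, response: bytes) -> bool:
        expected = self.respond(role, peer_id, challenge)
        return hmac.compare_digest(expected, response)

    def sign_command(self, counter: int, command: bytes) -> bytes:
        return self._mac(b"cmd", counter.to_bytes(8, "big"), command)

    def verify_command(self, last_counter: int, counter: int,
                       command: bytes, tag: bytes) -> bool:
        # Replay protection: the counter must strictly increase.
        if counter <= last_counter:
            return False
        return hmac.compare_digest(self.sign_command(counter, command), tag)


def mutual_authenticate(meter: SecurityController, head_end: SecurityController,
                        meter_id: bytes, head_end_id: bytes) -> bool:
    """Each side challenges the other; both responses must verify."""
    c_meter, c_head = meter.new_challenge(), head_end.new_challenge()
    r_head = head_end.respond(b"head-end", head_end_id, c_meter)
    r_meter = meter.respond(b"meter", meter_id, c_head)
    return (meter.check(b"head-end", head_end_id, c_meter, r_head)
            and head_end.check(b"meter", meter_id, c_head, r_meter))
```

In a deployed system the central side would look up the key for the claimed meter identity, and upgrade images would typically be checked with an asymmetric signature so that meters hold no signing secret.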
Benefits of security controller
Security controllers contain dedicated hardware measures to detect attacks and to protect against reverse engineering. Additionally, the development, production and delivery processes are security audited and compliant with security certifications. Finally, the security controller firmware is created by dedicated, skilled security specialists who regard security as their core competence.
This approach provides the following advantages.
• Substantially better security than a tamperproof enclosure
As pointed out before, it must be assumed that an attacker will open a smart meter system unit or its enclosure. Although technologies exist to protect the box against opening, they must be regarded as inferior to the security that a security controller can provide, and they are likely to be overcome. So the attack scenario must also include attacks at PCB level and even at component level. It has been repeatedly shown that off-the-shelf microcontrollers can be attacked and provide basically no protection against attacks. Therefore, there is a need to use a tamperproof security controller in this application.
• Less risk of security flaws in development
By separating the security-critical development from the metrology-orientated development, the risk of security flaws is greatly reduced. The cost of building up the respective security-related skills across the whole smart meter development team is also avoided. Last but not least, the security-related quality assurance processes can be shortened, and costs can be saved here as well. It is considered that accrediting a smart meter to a high level of security certification would be at best uneconomic and possibly technologically impossible.
• Fast development time for derivatives
The smart meter application developers can concentrate on implementing the functionality of the device without having to worry about the security. The same security profile, and therefore the same security hardware solution, could be applied to various smart meter units such as electric, gas, and heat meters and to different use cases such as credit, pre-pay, or token payment meters.
• Reduced certification time and cost
Certification cost and time are reduced because the security function is encapsulated in a security controller which is already a certified component. When creating smart meter derivatives, certification cost is lower because it must only be shown that the security functions within the meter system component are unchanged in the derivative.
• Less security investment costs during manufacturing
Personalization is the process in which secrets (keys, algorithms) are incorporated in the system. Where security controllers are used, this process is done in a security-certified manufacturing location. Keys and secrets can then be bound securely into the security controller, and security can be ensured throughout the meter production or installation processes. As a result, meter supply chains can be easier to manage with respect to security. If security controllers are not used, the smart meter vendor needs to perform the personalization within its normal production. This process might be subject to internal attacks, e.g., stealing a large number of keys from the personalization system. Consequently, the smart meter vendor has to invest in security measures that protect this process and may need to pass a factory-wide audit to become security certified. If personalization is done even later, the risk passes on to each stage and each person in the supply chain, with the consequence of multiplying the risk.
• Security concept for long lifetime
Smart meter lifetime may easily exceed 8 years. In such a timeframe, a vast variety of new attack threats against the integrated security controller will emerge. Uncertainties concerning these upcoming attacks can be greatly reduced by a comprehensive digital security architecture, like the one first introduced and implemented by Infineon with the Integrity Guard Concept.
The smart grid turns the energy grid into a security-dependent, critical infrastructure. As standardization programs are kicked off worldwide to reduce cost and foster interoperability, the smart grid will become an integrated network, with network nodes using unified protocols and communication stacks. Once a critical mass of devices is installed, the smart grid will be an attractive target for individual attackers, criminal gangs, and even cyber terrorists.
Access to smart meters and concentrators cannot be effectively controlled, leaving the devices subject to physical attacks. Security controllers can substantially increase the security of smart meter units and smart grid components. By providing a security-certified "root of trust" for smart meters, security controllers provide benefits in both time-to-market and cost to the manufacturers, and peace of mind to the service providers, the regulators and consumers.