To fight global warming and lower the dependency on fossil energy resources, smart grids will be deployed. Smart grids will transform the power grids into intelligent networks that need a solid security foundation. The German government has understood the need for security in this application and has initiated the development of a protection profile for the “smart meter gateway”, a communications unit that will be installed in German homes in the future as the portal connecting the domestic meters and devices to the smart grid. This protection profile is based on Common Criteria and is expected to be released at the end of 2011 (1).
The Smart Grid will become an integrated network, with network nodes using unified protocols and communication stacks. Once a critical mass of devices is installed, a Smart Grid will be an attractive target for various attackers as diverse as cyber criminals, terrorists and even hostile nation states. The main motivations are privacy breaches of the personal data within the network, payment fraud, and vandalism or cyber attacks such as a “denial of service” attack on the delivery of energy across part or all of a smart grid.
A fully operating smart grid will be vital to the overall economy of a country and is thus regarded as a critical national infrastructure requiring assurance of continuity and integrity as much as the phone network or food distribution. In addition, the privacy of personal information and behavior adds a further dimension seen in few other networks. Therefore discussions on statutory security certification have started. Regulators around the world have recognized that implementing security in a market-driven, reactive, disjointed and proprietary way, as happened with the internet, may not be the right approach. In the USA the Energy Independence and Security Act of 2007, via the standards body NIST, has led to the specification NIST 7628 for the security of their smart grids. The European Union has published the M/490 directive on smart grids in conjunction with its M/441 mandate on smart meters to outline the security of future solutions. The development of relevant security profiles will take time, but it is an essential step in the rollout of smart grids.
Situation in Germany
Up to now the deployment of smart meter technology in Germany has been quite small. The German Government has however realized that without regulatory incentives and related laws Germany will not be able to fulfill its commitments to the European 20-20-20 targets (2). Therefore the government is working intensively on an updated energy bill which, among other measures, enforces the deployment of smart meter technology.
The German Government is aware that law making requires an extensive public relations program that explains the benefits of the technology to the population but which also addresses the fears associated with its introduction. It is a common understanding that the protection of personal data and privacy is of major importance. Government officials have also noted the situation in the Netherlands in 2009, where the introduction of the smart grid was stopped because of privacy concerns and insufficient security measures.
Therefore the BMWi, the ministry for economy and technology, has asked the BSI, the federal agency for IT security, to develop a security concept for the smart meter gateway. The conceptual work for this was started in autumn 2010 and will be finalized by the end of 2011. From the beginning there was an intensive discussion between the various stakeholders in the industry and the BFDI – the federal commissioner for data protection and freedom of information.
Deployment of Common Criteria
Technically the BSI decided to implement the protection profile according to the Common Criteria standard. This standard is internationally acknowledged and therefore eases adoption in other countries. The protection profile describes the function of the device on an abstract level and is not a detailed device specification. This leaves room for differentiation and adaptation to various market requirements.
For the device manufacturers the Common Criteria certification of their products offers added value to smart grid stakeholders and implies that such products will also be attractive in international markets. In the past, protection profiles developed by the BSI for products such as ePassports and smart cards have provided the basis of globally accepted certified products which have found their way into the hands of millions of people.
The Common Criteria are based on an international framework, but certificates are controlled by the state governments. This sends a strong message to consumers and the industry. It implies the importance of security measures and the related quality of the smart grid system. As a result privacy protection and security will not only be mandated by laws but actively enforced. This clearly underlines the commitment of the German Government to respect civil rights without compromises which could be of benefit to consumers across the world.
Critical in the deployment of smart grids are devices that will be deployed in large numbers and will have to remain working for perhaps 15 years or more. This is true for the smart meter, the smart meter gateway in the home and, to a lesser extent, for the network data concentrators in the smart grid. Maintenance of this infrastructure is expensive. A replacement of smart meters due to security flaws would be prohibitively expensive, and in addition the reaction times would be long, leaving the network exposed to attacks for some time. This was the motivation for the BSI to start the work on those devices with the highest priorities first. It is clear that this program can only be a beginning and that other parts of the overall system, e.g. the central office, also need solid security measures.
The proposed domestic German smart meter system consists of smart meters that are connected to a smart meter gateway via the metrology network (MAN). The gateway establishes the connection to the outside world, the so-called wide area network (WAN). In addition there are the controllable logical functions (CLS) so that domestic appliances, e.g. air conditioners, washing machines, electric vehicle charging or solar panels, can be remotely managed via a separate interface to the gateway using the Home Area Network (HAN). The HAN will also transmit energy consumption data, as well as messaging from the energy provider such as payment data, to the consumer via an in-home display.
To enforce data protection and the obligation to minimize centrally stored data, the Gateway becomes the entity that stores meter data. The consequence is that the various stakeholders, who have different access rights, will retrieve their data from the gateway. The Gateway therefore must verify that a stakeholder is authentic, process the data according to that stakeholder's access rights profile, and then sign and encrypt the data. Discussions have taken place as to whether software or hardware security can provide a sufficient basis for the management of this private data and the associated access rights. Balancing the requirements for a 15 year lifetime, the difficulty of assuring the security of embedded software, and the likely variety of designs has driven the need for a separate high-security function which would be easier to certify. As a result, a security controller called a Security Module has been mandated within the gateway. This device will have a dedicated security profile which is currently under development. It is expected that it will resemble the requirements typically needed for a smart card security controller; most noticeably, it must have measures to protect against physical tampering.
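As an added illustration of the data flow described above (not part of the original paper or of any BSI specification), the following Python model keeps all keys inside a SecurityModule object, lets the gateway authenticate a stakeholder with a constructed challenge-response scheme, filters the stored readings through a constructed access rights profile, and signs the result. The roles, keys and readings are assumed sample values, and encryption of the signed payload is omitted.

```python
import hashlib
import hmac
import json

# Constructed sample: 15-minute meter readings (timestamp, kWh) held in the gateway.
READINGS = [("2011-10-01T00:15", 0.40), ("2011-10-01T00:30", 0.35), ("2011-10-01T00:45", 0.25)]

class SecurityModule:
    """Stand-in for the mandated Security Module: keys never leave this object."""
    def __init__(self, signing_key, stakeholder_keys):
        self._signing_key = signing_key            # gateway signing key (constructed)
        self._stakeholder_keys = stakeholder_keys  # per-stakeholder shared secrets (constructed)
    def authenticate(self, stakeholder, challenge, response):
        key = self._stakeholder_keys.get(stakeholder)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
    def sign(self, payload):
        return hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()

# Access rights profiles (assumed roles): each maps the stored readings to the minimal
# view that role needs, so no stakeholder receives more than its profile allows.
PROFILES = {
    "consumer": lambda r: list(r),                                             # full series for the in-home display
    "supplier": lambda r: [(r[0][0][:10], round(sum(k for _, k in r), 2))],   # one daily total for billing
}

class Gateway:
    def __init__(self, module, readings):
        self.module = module
        self.readings = readings
    def retrieve(self, stakeholder, challenge, response):
        """Authenticate the stakeholder, apply its profile, then sign the filtered result."""
        if not self.module.authenticate(stakeholder, challenge, response):
            raise PermissionError("stakeholder authentication failed")
        profile = PROFILES.get(stakeholder)
        if profile is None:
            raise PermissionError("no access rights profile for " + stakeholder)
        data = profile(self.readings)
        payload = json.dumps({"stakeholder": stakeholder, "data": data}).encode()
        return {"data": data, "payload": payload, "signature": self.module.sign(payload)}

def respond(key, challenge):
    # What a legitimate stakeholder computes for the gateway's challenge (constructed scheme).
    return hmac.new(key, challenge, hashlib.sha256).digest()

def build_demo_gateway():
    keys = {"consumer": b"consumer-secret", "supplier": b"supplier-secret"}
    return Gateway(SecurityModule(b"gateway-signing-key", keys), READINGS), keys
```

Application code in the Gateway class never touches a key; a stakeholder with a valid credential but no profile is refused, and the supplier receives only a daily total while the consumer sees the full interval series.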
Security controllers in the smart meter gateway
The BSI picked a security controller as an essential component for its protection profile because such devices have been proven to protect other security-critical IT infrastructures like e-passports, PC networks and credit cards. Additionally this technology is available today, and its adaptation to the smart meter gateway application can be developed quickly. Likewise certified gateways can easily be developed to incorporate smart card controllers. Consequently the implementation of the BSI protection profile will not delay the introduction of a secure smart meter network.
Benefits of the security controller
In the profile the BSI assumes a skilled attacker is trying to attack the smart meter gateway by attacking the external communication. Such an attacker should never get hold of the keys that have been distributed in the smart meter network. Therefore the protection of keys had priority, and the security module was picked to store the keys and execute the critical authentication and signing procedures. Special care must also be taken against so-called insider attackers stealing keys in large numbers during the manufacturing or shipment processes.
Personalization is the process in which secrets (e.g. keys) are incorporated in a system. In the case in which security controllers are used, this process is done in a security-certified manufacturing location. Secrets can then be bound securely into the security controller, and security is maintained throughout the meter production and installation processes. As a result meter supply chains are easier to manage with respect to security. If security controllers were not used, the smart meter gateway vendor would have to perform the personalization within its normal production. This process is subject to internal attacks, e.g. stealing a large number of keys from the personalization system. Without a security controller this would lead either to higher risk or to much higher security cost in device manufacturing. Manufacturing flexibility is also restricted, because the related measures would have to be put in place and validated whenever a new manufacturing site is created or production is transferred to another location.
This cost-driven security reasoning is not particularly new. Years earlier it drove the very cost-focused PC industry to deploy the TPM, the trusted platform module. The TPM, like the security module, is also a security controller, mainly used within PCs. Even today the TPM is still a discrete component that has never been integrated into the PC chipset or replaced by a software-only solution, and presently it looks like this will not happen any time soon.
Additionally the deployment of security controllers offers the following advantages: By separating the security-critical development from the metrology-oriented development, the risk of security flaws is greatly reduced. The cost of building up the respective security-related skills across the whole smart meter development team is reduced. Furthermore the smart meter application developers can concentrate on implementing the functionality of the device and have to worry about security to a much lesser extent. Last but not least, the security-related quality assurance processes can be shortened, reducing overall costs. It is considered that accrediting a complete smart meter to a high level of security certification would be at best uneconomic and possibly technologically impossible. The same security profile, and therefore the same security hardware solution, can be applied to various smart meter gateways that are tailored to specific market requirements.
A smart meter gateway’s lifetime may easily exceed 15 years. In such a timeframe, a vast variety of threats against the integrated security controller will emerge. Uncertainties concerning these upcoming attacks can be greatly reduced by a security architecture that offers some elements of future-proofing. Such a solution was first introduced and implemented by Infineon with the Integrity Guard (3). Infineon therefore will provide security controllers for the smart meter gateway using this technology.
Smart Grid security is not just an issue for energy providers who wish to protect their investments, or for the privacy of the consumer, or for the government's need to offer a safe society. It is a combination of all of these issues and more besides. The threats to the infrastructure of a country cannot be left to “market forces”, as such a reactive approach will at least cost more in the long term and at worst may lead to smart grid failures with huge implications for consumers and the economy. A protection profile provides a benchmark against which designs can be judged. It is important to use a security technology which not only has a proven background but can also provide a root of trust for future developments. Hardware-based security already protects our everyday lives in many ways and can provide a basis for strengthening the integrity of smart grids in the future.
1 BSI: Smart Meter Gateway protection profile: https://www.bsi.bund.de/DE/Themen/SmartMeter/smartmeter_node.html
2 European 20-20-20 target: http://ec.europa.eu/clima/policies/package/index_en.htm