Smart Meter PKI - Make or Buy?

Transcription

1 ID WORLD Frankfurt :15 11:45 Uhr Smart Meter PKI - Make or Buy? Dr.-Ing. Lutz Martiny achelos GmbH Paderborn

2 Why PKI? Legal Background: Energiewirtschaftsgesetz Technical Background: Technical Directive Bundesamt für Sicherheit in der Informationstechnik Communication must be cyphered and the communication participants, (smart meter, smart meter gateway, smart meter gateway administrator, external market participants) have to identify one another 2

3 What is PKI good for? A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and information through the use of matched key pairs where one key is used to encrypt data and the other matching key is used to decrypt the data. The keys are obtained and shared through a trusted authority (Trustcenter). The basic concept is that one key (the public key) can be published (public key) while the other key (private key) is maintained in secrecy. 3

4 Components of PKI CA - Certification Authority (Trust Center) RA Registration Authority Directory Service (LDAP) Revocation Service Validation Service Ca Certification Authority MT Market Participant Z(TLS) TLS Certificate between Gateway and Market Participant Z(Enc) Encryption Certificate end-to-end encryption between participants Z(Sign) Signature Certificate to prove authenticity of signatures Source: BSI TR page 9 4

5 Market Roles Sub - CA End-User Certification TLS Certificates Encryption Certificates Signature Certificates GWA Gateway Administration Equipment Mngmnt Client Administration Administration of Profiles Key-/Certificate Management Firmware Updates Wake-Up configuration Monitoring SMGW Security Updates Application Software EMP External Market Participants Energy Supplier Distribution Network Operator Meter Operators Metering Service Operators Source: mtg Smart Meter Gateway(s) 5

6 Certificates: who gets what Certificate User (Smart Meter Gateway) Gateway Administrator GWA External Market Participant TLS - Certificates Encryption - Certificates Signature - Certificates ev. additional certificates, if GWA has the role of EMP Encryption - Certificates Signature - Certificates ev. TLS Certificate if EMP is allowed to use SMGW 6

7 Building related Security Measures Root CA and Sub-CAs MUST have ISO/IEC certification Sub-CA MUST have redundant energy supply, air conditioning, water supply, fire protection according to standard BSI regulations It is recommended to build a cage around the hardware used in order to only certify this part of the data center to comply with ISO/IEC Source: Telekom Access control has to comply with the Certification Practice Statement of the Root CA. 7

8 Communication Security Real dual routing required: - Fixed network AND wireless communication - Dual switch link-up Service technicians installing a smart meter gateway need to have communication security as the smart meter gateway will send the certificate data immediately to the Sub-CA to obtain the necessary authorization certificates. If the PKI cannot be contacted the technicians have to remain on-site until the process can be done, or they have to return a second time, the latter being very costly and raises doubts regarding the profitability. Also: SMGW - Administrator has to prove through a valid certificate ISO/IEC TR that all requirements of an Information Security Management System (ISMS) according to ISO/IEC are met. 8

9 Make Create Certificate Policy (CP) according to Root CA Create Certification Practice Statement (CPS) Monitoring and archive of transactions technical security measures to create keys, storing, activation, back-up, computer security, network security Hardware investments ( ) Software and Certification, Licenses, LDAP, CA-Software ) Project Time and Costs (ca. 120 persondays ~ Recurrent Costs - 3 P/Y personal costs ( ) - Software Updates and Support ( ) - Audits and Re-Certifications ( ) - Archives ( ) - Certificates( with estimated: Certificates, renewal every second year= /year, 3 certificates/gateway = 1.2 Mio certificates/year * est. 0,10 /certificate = /year) - Implementation time estimated 12 month One time investment average: Recurrent annual costs:

10 or Buy Min - Max Im Mittel Pro Jahr implementation Informative: implementation multiple clients not applicable Initial Installation Costs: Jährlicher Betrieb der Sub-CA Informative: operation for another client not applicable Certificate costs/ certificate 1.2 Mio. Stück Cent 45 Cent Head of CA 1 day / month Control of service provider 1 day / month Costs / Year Implementation Time Preparing RFP 10 days Tender period 28 days Parallel: choosing head of CA 10 days Evaluation of tenders, bidders meetings Parallel: certificate application at Root-CA application Implementation of Sub-CA Integration tests 20 days Service transition 10 days 15 days 90 days Total: 6-7-Months 10

11 Risks: Make or Buy Sub-CA Risk low medium high Total costs Make Initial costs (average) X Annual costs X Beta Tester X 1.) scalability X 2.) certification high plus X 3.) BSI-conformity Technically correct X 4.) futureproof X 5.) manageability X 6.) Interoperable with X 7.) other systems (X 509) Risk low medium high Total costs Outsourcing Annual costs X Annual costs X 8.) Beta Tester X 9.) scalability X 10.) certification high plus X 11.) BSI-conformity Technically correct X 12.) futureproof X 13.) manageablity X 14.) 1.) risk high: because this means being one of the first users of a product where the boundary conditions are not clearly defined 2.) risk medium: turn-key soluton, scalability depending on the manufacturer of the solution. 3.) risk medium: solution is BSI certified 4.) risk medium: BSI Certificate does not say that the solution does not have bugs 5.) risk medium: additional requirements must be coordinated with the manufacturer and implemented by oneself 6.) risk medium: depending on the supplier s solution 7.) risk high: there will be more than one Sub-CA supplier having interpreted the specs differently 8.) risk high: higher volume requirements may change profitability considerations in respect to the make solution. 9.) risk medium: external supplier has the risk, however error situations have to be monitored and communicated to the service provider. 10.) risk low: changes in the market must be implemented by the service provider, he will, however, only supply standard changes and not implement special features, which might be a differentiating characteristic. 11.) risk low: because of BSI - certificate 12.) risk low: external supplier has the risk. In addition, technical problems will be identified by and solved for multiple clients. 13.) risk low: see 10.) 14.) risk low: administration is outsourced. 11

12 Dr.-Ing. Lutz Martiny achelos GmbH Vattmannstraße Paderborn Tel.: Mobil: lutz.martiny@achelos.de 12