Smart Meter PKI - Make or Buy?


ID WORLD Frankfurt, 20.11.2014, 11:15 - 11:45
Smart Meter PKI - Make or Buy?
Dr.-Ing. Lutz Martiny, achelos GmbH, Paderborn

Why PKI?

Legal background: Energiewirtschaftsgesetz
Technical background: Technical Directive 03109, Bundesamt für Sicherheit in der Informationstechnik

Communication must be encrypted, and the communication participants (smart meter, smart meter gateway, smart meter gateway administrator, external market participants) have to identify one another.

What is PKI good for?

A PKI (public key infrastructure) enables users of an inherently insecure public network such as the Internet to exchange data and information securely and privately through the use of matched key pairs, where one key is used to encrypt data and the other, matching key is used to decrypt it. The keys are obtained and shared through a trusted authority (Trustcenter). The basic concept is that one key (the public key) can be published while the other key (the private key) is kept secret.

Components of PKI

- CA - Certification Authority (Trust Center)
- RA - Registration Authority
- Directory Service (LDAP)
- Revocation Service
- Validation Service

Legend:
- CA: Certification Authority
- MT: Market Participant
- Z(TLS): TLS certificate between gateway and market participant
- Z(Enc): encryption certificate, end-to-end encryption between participants
- Z(Sign): signature certificate to prove authenticity of signatures

Source: BSI TR-03109, page 9

Market Roles

Sub-CA - End-User Certification:
- TLS Certificates
- Encryption Certificates
- Signature Certificates

GWA - Gateway Administration:
- Equipment Management
- Client Administration
- Administration of Profiles
- Key-/Certificate Management
- Firmware Updates
- Wake-Up configuration
- Monitoring
- SMGW Security Updates
- Application Software

EMP - External Market Participants:
- Energy Supplier
- Distribution Network Operator
- Meter Operators
- Metering Service Operators

Smart Meter Gateway(s)

Source: mtg

Certificates: who gets what

Certificate user (Smart Meter Gateway)

Gateway Administrator (GWA):
- TLS certificates
- Encryption certificates
- Signature certificates
- possibly additional certificates, if the GWA has the role of EMP

External Market Participant:
- Encryption certificates
- Signature certificates
- possibly a TLS certificate, if the EMP is allowed to use the SMGW

Building-related Security Measures

- Root CA and Sub-CAs MUST have ISO/IEC 27001 certification.
- Sub-CA MUST have redundant energy supply, air conditioning, water supply and fire protection according to standard BSI regulations.
- It is recommended to build a cage around the hardware used, so that only this part of the data center has to be certified as complying with ISO/IEC 27001.
- Access control has to comply with the Certification Practice Statement of the Root CA.

Source: Telekom

Communication Security

Real dual routing required:
- Fixed network AND wireless communication
- Dual switch link-up

Service technicians installing a smart meter gateway need to have communication security, as the smart meter gateway will send the certificate data immediately to the Sub-CA to obtain the necessary authorization certificates. If the PKI cannot be contacted, the technicians have to remain on-site until the process can be completed, or they have to return a second time. The latter is very costly and raises doubts regarding profitability.

Also: the SMGW Administrator has to prove through a valid certificate ISO/IEC TR 27019 that all requirements of an Information Security Management System (ISMS) according to ISO/IEC 27001 are met.

Make

- Create Certificate Policy (CP) according to Root CA
- Create Certification Practice Statement (CPS)
- Monitoring and archiving of transactions
- Technical security measures for key generation, storage, activation and back-up, computer security, network security
- Hardware investments (€ 200.000-250.000)
- Software and certification, licenses, LDAP, CA software (€ 420.000-690.000)
- Project time and costs (ca. 120 person-days ~ € 110.000)

Recurrent costs:
- 3 P/Y personnel costs (€ 270.000)
- Software updates and support (€ 40.000)
- Audits and re-certifications (€ 20.000)
- Archives (€ 20.000)
- Certificates (€ 120.000, estimated: 800.000 certificates, renewal every second year = 400.000/year, 3 certificates/gateway = 1.2 Mio certificates/year * est. 0,10 €/certificate = 120.000/year)

Implementation time: estimated 12 months

One-time investment, average: 935.000
Recurrent annual costs: 470.000

or Buy

Costs:
- Implementation: min - max 150.000-200.000, average 175.000
- Informative: implementation for multiple clients: 15.000 (not applicable)
- Initial installation costs: 175.000
- Annual operation of the Sub-CA: 15.000; per year 15.000
- Informative: operation for another client: 3.000 (not applicable)
- Certificate costs per certificate, 1.2 Mio. units: min - max 40-50 Cent, average 45 Cent; per year 540.000
- Head of CA, 1 day / month: per year 4.500
- Control of service provider, 1 day / month: per year 4.500
- Costs / year: 564.000

Implementation time:
- Preparing RFP: 10 days
- Tender period: 28 days
- Parallel: choosing head of CA: 10 days
- Evaluation of tenders, bidders meetings
- Parallel: certificate application at Root-CA
- Implementation of Sub-CA
- Integration tests: 20 days
- Service transition: 10 days
- 15 days
- 90 days

Total: 6-7 months

Risks: Make or Buy Sub-CA

Risk is rated low, medium or high; numbers in parentheses refer to the notes below.

Make:
- Initial costs (average): total costs 935.000
- Annual costs: total costs 470.000
- Beta Tester: high (1)
- Scalability: medium (2)
- Certification high plus BSI-conformity: medium (3)
- Technically correct: medium (4)
- Futureproof: medium (5)
- Manageability: medium (6)
- Interoperable with other systems (X.509): high (7)

Outsourcing:
- Annual costs: total costs 564.000
- Annual costs: high (8)
- Beta Tester: medium (9)
- Scalability: low (10)
- Certification high plus BSI-conformity: low (11)
- Technically correct: low (12)
- Futureproof: low (13)
- Manageability: low (14)

Notes:
1.) Risk high: because this means being one of the first users of a product where the boundary conditions are not clearly defined.
2.) Risk medium: turn-key solution, scalability depending on the manufacturer of the solution.
3.) Risk medium: solution is BSI certified.
4.) Risk medium: BSI certificate does not say that the solution does not have bugs.
5.) Risk medium: additional requirements must be coordinated with the manufacturer and implemented by oneself.
6.) Risk medium: depending on the supplier's solution.
7.) Risk high: there will be more than one Sub-CA supplier having interpreted the specs differently.
8.) Risk high: higher volume requirements may change profitability considerations in respect to the make solution.
9.) Risk medium: external supplier has the risk; however, error situations have to be monitored and communicated to the service provider.
10.) Risk low: changes in the market must be implemented by the service provider; he will, however, only supply standard changes and not implement special features, which might be a differentiating characteristic.
11.) Risk low: because of BSI certificate.
12.) Risk low: external supplier has the risk. In addition, technical problems will be identified by and solved for multiple clients.
13.) Risk low: see 10.)
14.) Risk low: administration is outsourced.
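Added example (not part of the original slides): the cost figures from the "Make" and "or Buy" slides as a small model that shows how certificate volume moves the break-even point, which is the effect note 8 refers to. Assumptions: the slide's 800.000 is treated as the number of gateways, and all recurrent costs other than the per-certificate price stay constant as volume changes.

```python
from math import inf
from typing import NamedTuple

class Option(NamedTuple):
    one_time: int        # initial investment
    fixed_per_year: int  # recurrent costs assumed independent of certificate volume
    cents_per_cert: int  # price per issued certificate, in cents

# Figures as printed on the "Make" and "or Buy" slides.
MAKE = Option(935_000, 270_000 + 40_000 + 20_000 + 20_000, 10)
BUY = Option(175_000, 15_000 + 4_500 + 4_500, 45)

def certs_per_year(gateways, certs_per_gateway=3, renewal_years=2):
    """Slide estimate: renewal every second year, 3 certificates per gateway."""
    return gateways * certs_per_gateway // renewal_years

def annual_cost(opt, certs):
    return opt.fixed_per_year + certs * opt.cents_per_cert / 100

def cumulative_cost(opt, certs, years):
    return opt.one_time + years * annual_cost(opt, certs)

def parity_volume():
    """Smallest yearly certificate volume at which Buy's annual cost reaches Make's."""
    fixed_gap_cents = (MAKE.fixed_per_year - BUY.fixed_per_year) * 100
    price_gap = BUY.cents_per_cert - MAKE.cents_per_cert
    return -(-fixed_gap_cents // price_gap)  # integer ceiling

def break_even_years(certs):
    """Years until Make's higher initial investment is recovered; inf if never."""
    saving = annual_cost(BUY, certs) - annual_cost(MAKE, certs)
    if saving <= 0:
        return inf
    return (MAKE.one_time - BUY.one_time) / saving

if __name__ == "__main__":
    # Constructed scenarios around the slide's estimate of 800.000.
    for gateways in (600_000, 800_000, 1_600_000):
        n = certs_per_year(gateways)
        print(f"{gateways:>9} gateways, {n:>9} certs/year: "
              f"make {annual_cost(MAKE, n):>9.0f}, buy {annual_cost(BUY, n):>9.0f}, "
              f"break-even after {break_even_years(n):.1f} years")
```

Below the parity volume the outsourced Sub-CA is cheaper in every year and "make" never pays back; above it, each additional certificate shortens the payback period of the in-house investment.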

Dr.-Ing. Lutz Martiny
achelos GmbH
Vattmannstraße 1
33100 Paderborn
Tel.: +49 5251 14212-310
Mobil: +49 171 5031791
lutz.martiny@achelos.de
www.achelos.de