This German Certificate Policy and Technical Guideline BSI TR-03109 define specifications related to the “Smart Metering PKI”. A PKI ensures the integrity, confidentiality and authenticity of data circulating around the smart metering gateway (SMGW). Utimaco HSMs are particularly suited in this context. The Utimaco CryptoServer CSe has been successfully evaluated and found to fulfill the requirements of the Certificate Policy.
With the progressive adoption of smart meters, a large amount of consumption data will be stored and transmitted online. It is crucial to ensure that no unauthorized individual can access this data – or worse, manipulate entire power grids. In this context, the German Federal Office for Information Security (BSI) issued the Technical Guideline BSI TR-03109 and related Certificate Policy of the Smart Metering PKI (German only). They specify the requirements that IT components in smart metering environments must fulfill regarding functionality, interoperability and security.
Parts 3 and 4 of this Technical Guideline define “cryptographic specifications for the infrastructure of smart metering systems” and specifications related to the “Smart Metering PKI”. A PKI ensures the integrity, confidentiality and authenticity of data circulating around the smart metering gateway (SMGW), the central communication unit of the smart grid architecture.
BSI TR-03109 and the Certificate Policy of the Smart Metering PKI require that specialized Hardware Security Modules (HSMs) be used to securely generate, store and use cryptographic keys. Chapter 6.2 of the Certificate Policy states that HSMs for smart metering must be certified according to the referenced Common Criteria protection profiles. Alternatively, the security of the HSM may be assessed by an accredited evaluation laboratory, proving
A yearly update of BSI TR-03116, Part 3 (German only) on cryptographic requirements for smart metering projects of the German Federal Government complements the Technical Guideline BSI TR-03109. It defines mandatory cryptographic procedures and key lengths to use.
Utimaco CryptoServer CSe has been evaluated and found to fulfill the requirements of the Certificate Policy:
The evaluation certificate for Utimaco CryptoServer CSe is available here.
This evaluation was performed by a Common Criteria (CC) evaluation facility on the basis of the German BSI Technical Guideline BSI TR-03109 and the Certificate Policy. It gives utility companies and their customers the certainty that deployed IT components and devices – such as Utimaco HSMs – fulfill the stipulated security requirements.
The German Federal Office for Information Security (BSI) aims to establish appropriate IT-security standards, among other means, through the publication of technical guidelines. These address essentially every company that develops, sets up or secures IT systems. They “provide criteria and practices for conformity evaluations ensuring the interoperability of IT-security components as well as the implementation of defined IT-security requirements”. Technical guidelines, which might be considered mere recommendations or best practices, reference or complement existing standards such as the CC Protection Profiles. Once laws or regulations refer to them, however, they can become mandatory. The same applies to public tenders that require the bidder to conform to such technical guidelines.
Manufacturers and distributors can ask the BSI to confirm and certify the conformity of their IT-products or -systems with specific technical guidelines.