Privacy and Security in Smart Grids

Transcription

1 Faculty of Computer Science, Institute of Systems Architecture, Chair for Privacy and Data Security Privacy and Security in Smart Grids The German Approach Sebastian Clauß, Stefan Köpsell Dresden,

2 Outline General regulations regarding privacy and security Protection Profiles German Approach to Smart Metering (v0.5) Smart Grids: German Approach 2

3 Laws & Regulations German Energy Act (in German: Energiewirtschaftsgesetz, EnWG) first version: 13th December 1935 current version: 7th July 2005 last revision: 16th January 2012 main act with respect to energy/gas supply German Renewable Energy Act (in German: Erneuerbare-Energien-Gesetz, EEG) date: 25 October 2008 last revision: 22nd December 2011 special focus on renewable energy: wind, water, solar bio gas, landfill gas, sewer gas geothermy Note: both laws allow to regulate many details by means of regulations hard to get an comprehensive overview 3

4 German Energy Act 21c Installation of Measurement Systems Smart Meters have to be installed (if available): new buildings larger renovations if consumption > 6000 kw/year if newly installed renewable energy production >7 kw Smart Meters have to be installed anywhere, if economically acceptable economically acceptable : - not more expensive than current meters - can be declared by regulation Customers have to accept Smart Meters Smart Grids: German Approach 4

5 German Energy Act 21d Measurement System is a measurement facility connected to a communication network measures the consumption of electricity 21e, f General Requirements on Measurement Systems for Electricity / Gas Consumption Measurement Systems must fulfil the requirements of a Protection Profile must fulfil the Interoperability requirements must use state-of-the-art techniques for protecting security and privacy must be certified Measurement Systems according to 21 d, e, f can be seen as Smart Meters Smart Grids: German Approach 5

6 German Energy Act 21g Inquiring, processing and using of personal data regulates who is allowed to process which data for which purposes data has to be anonymised or pseudonymised if possible remote measurement and remote control: consumer must be informed consumer must give consent consumer must have control Smart Grids: German Approach 6

7 Basic Architecture Smart Grids: German Approach

8 Common Criteria Protection Profiles Protection Profile for the Gateway of a Smart Metering System Gateway/schutzprofil_smart_meter_gateway_node.html status: final draft version: date: 26th August 2011 Protection Profile for the Security Module of a Smart Metering System Security/security_module_node.html status: draft version: date: 25th November Smart Grids: German Approach 8

9 Protection Profile for the Gateway of a Smart Metering System defined security functionality / goal: protection of confidentiality, authenticity, integrity of data information flow control protection of privacy of consumers preservation of privacy of the consumer is an essential aspect Gateway shall provide the consumer with transparent information about the information flows reliable billing process protection of Smart Grid infrastructure not addressed: availability rationale: Smart Grid has to function properly even if Smart Meter Gateway fails fail-safe design that specifically ensures that any malfunction can not impact the delivery of a commodity, e.g. energy, gas or water Smart Grids: German Approach 9

10 Protection Profile for the Gateway of a Smart Metering System Access Control Policies: stored within the Gateway specify: how Meter Data must be processed, which processed Meter Data must be sent in which intervals, to which component or external entity, signed using which key material, encrypted using which key material, whether processed Meter Data shall be pseudonymized or not, and which pseudonym shall be used to send the data Smart Grids: German Approach 10

11 Technical Guideline TR (version 0.50) Title: (unofficial) SMART ENERGY responsible: German Federal Office for Information Security (BSI) [German: Bundesamt für Sicherheit in der Informationstechnik] current status: Draft version: 0.50 date: 25 th May tml [BSI 0.5] Smart Grids: German Approach 11

12 Technical Guideline TR (version 0.50) Drafts available Part 1: Requirements on Interoperability of the communication unit of an intelligent metering system: functional and security requirements related protocols and techniques Part 2: Requirements on Interoperability of the Security Module Part 3: Cryptographic requirements on the Infrastructure of Measurement Systems elliptic curves, AES, SHA-2 hash functions Part 4: Public Key Infrastructure for Smart Meter Gateways based on X.509, max. certificate chain length: 3 [BSI 0.5] Smart Grids: German Approach 12

13 Technical Guideline TR (version 0.50) Major updates/enhancements compared to prior public draft 0.2 (2011) Detailed specification of the major processes to be executed with respect to the Smart meter Gateway Installation and Initialization Measurement Process Data Transmission Administration Calibration Specification of Protocol Stacks for Communication between Gateway and WAN Network layer: TCP/IP (optional, other protocols possible) Application layer: Web Services using XML data structures Specification of Evaluation Profiles: Tariff Profiles Status Data Profiles Communication Profiles Smart Grids: German Approach 13

14 Basic Architecture Smart Grids: German Approach

15 Local Metrological Network Gateway: acquires measured values timestamps those values appends current tariff rate stores the resulting record v 0.50 Communication wired or wireless Network layer: Meter-BUS (M-BUS, EN13757) TCP/IP Application layer: Open Metering System Specification (OMS), Part 2, Chapter 4 Security: TCP/IP Transport Layer Security (TLS 1.2) M-BUS symmetric encryption & MAC counter to prevent replay attacks Otherwise: Physical Security in case of plain communication

16 LMN Protocol Stack - Details v 0.50 Application Presentation Session Transport Network Link Physical [BSI 0.5] Smart Grids: German Approach 16

17 Basic Architecture Smart Grids: German Approach

18 Home Area Network Gateway: allows access to measured consumption data support communication of controllable local systems (CLS) with each other with WAN entities v 0.50 Communication Network layer TCP/IP Application layer: HTTP (for access to measured consumption data) Security: TLS mutual authentication using certificates or username/password Controllable Local Systems (CLS) are considered to be evil physical separation of communication interface with respect to WAN, LMN, HAN resistance against DoS or other attacks by CLS - restriction of resources (CPU, RAM) for CLS communication

19 HAN Display for Consumers Display must show: v 0.50 Data relevant for calibration Current energy consumption Energy consumption per tariff Additional tariff information (last days, week, month, year etc.) Log of communications with external participants Fine-granular consumption data Information shown must be correct Detailed specification by XML Schemas Smart Grids: German Approach 19

20 Basic Architecture Smart Grids: German Approach

21 WAN / Internet Gateway: allows access to: measured consumption data network status data (frequency, usage, etc.) allows administration: software updates policy updates tariff rate updates controlling of CLS time synchronisation Wake-Up-Service v 0.50 Communication Network layer TCP/IP (optional, other protocols possible) Application layer: Web Services using XML data structures Data modelling according to specified Interface Classes - COSEM Smart Grids: German Approach 21

22 WAN Protocol Stack - Details v 0.50 Application Presentation Session Transport Network Link [BSI 0.5] Physical

23 WAN / Internet Security: TLS mutual authentication based on certificates direct trust, i.e. certificates preinstalled on the device v 0.50 Gateway is invisible from the WAN / Internet no way to establish connections from WAN to Gateway Administrator can request connection by sending Wake-Up packets Administrator can disable Wake-Up Service Application data: symmetric encrypted MAC digital signed Smart Grids: German Approach 23

24 WAN / Internet Wake-Up Packet: contains: header (packet type, version) recipient id - prevents spoofing timestamp - validity: 15s - prevents replay v 0.50 digital signed by administrator signature verification rate is limited - prevents DoS attacks no reaction to faulty Wake-Up packets prevents probing for Gateway makes some attacks (e.g. timing attacks) harder valid Wake-Up packet TLS connection to preconfigured Gateway administrator no additional reaction 24

25 WAN / Internet Pseudonymisation of measured data: done if required by policy data sent to third parties quite simple approach: substitution of meter ID with pseudonym different static pseudonym for each third party data is sent using measurement operator as proxy end-to-end encrypted no end-to-end integrity protection v kw xyz: 3 kw xyz: 3 kw Meter ID Recipient Pseudonym 123 ANEEL xyz Policy 25

26 WAN / Internet Firewall-like rules are specified in an Evaluation Profile, detailed by Tariff Profiles XML-Specification governs aggregation and transmission of accounting-relevant data v 0.50 Status Data Profiles XML-Specification governs aggregation and transmission of SMGW status data Communication Profiles Specifies, for which purpose a given WAN participant may be contacted in which way Specifies keys and certificates to be used XML specifications currently under work Smart Grids: German Approach 26

27 Technical Guideline TR (version 0.50) Major updates/enhancements compared to prior public draft 0.2 Detailed specification of the major processes to be executed with respect to the Smart meter Gateway Installation and Initialization Measurement Process Data Transmission Administration Calibration Specification of Protocol Stacks for Communication between Gateway and WAN Network layer: TCP/IP (optional, other protocols possible) Application layer: Web Services using XML data structures Specification of Evaluation Profiles: Tariff Profiles Status Data Profiles Communication Profiles Smart Grids: German Approach 27

28 Process: SMGW Initialization SMGW has no initial configuration (but Security Module knows initial root certificate) v 0.50 Installation Service uses HAN interface to load preliminary configuration: Initial administrator WAN-address keys and certificates needed for TLS connection to administrator On first boot: SMGW opens TLS connection to administrator and gets first working configuration Working Configuration consists of Mandatory: Addresses, keys and certificates, communication profiles for further communication with the administrator Optional: evaluation, tariff, status data profiles and additional communication profiles SMGW Reset to initial values enables a new first boot Keys and Certificates for getting working configuration can be updated (i.e. are not reset on an SMGW Reset to initial values ) Smart Grids: German Approach 28

29 General Requirements Gateway device offers some physical protection, e.g. sealed v 0.50 physically separated interfaces for different networks stored data which is no longer needed has to be securely erased management of the Gateway shall only be possible from the WAN logging: especially for transparency for the costumer events: security relevant incidents WAN connections WAN data transmissions modification of policies modification of configuration / software involved entities timestamp Smart Grids: German Approach 29

30 Comments & Questions