SUCCESS STORY
Landis+Gyr cares for security in Smart Metering

Safety modules for Smart-Meter Gateways according to Common Criteria

The fabrication of intelligent power meters, the so-called Smart Meters, is subject to legal provisions and must fulfil strong security requirements, and their compliance has to be checked and certified. Landis+Gyr, a Smart Meter pioneer, with the support of Sidler Information Security GmbH, has conceived a conforming information security concept, clearing the path towards secure Smart-Meter solutions. The first Smart-Meter Gateway produced according to the latest standard could be registered for certification by Landis+Gyr in July 2013.

Landis+Gyr, with headquarters in Zug and subsidiaries all around the globe, is a worldwide leader in the field of smart metering and a leading provider of integrated energy-management solutions. The company not only enables energy providers and final customers to improve their energy efficiency and reduce their energy costs, but thereby also contributes to a sustainable use of resources. Creating and developing sustainable values and solutions and matching them with the challenges of energy policies are also part of the daily business of an industry leader.

Implementation of legal requirements

The deployment of intelligent power meters, that is, Smart Meters, is a basic prerequisite for the implementation of the Action Plan for Energy Efficiency in Europe. It proposes that at least 80 percent of all consumers within the EU member states are to be equipped with intelligent power meters before the year 2020. Within this frame, Germany has played a pioneering role and released, through the Bundesamt für Sicherheit in der Informationstechnik (BSI), a safety profile (BSI-CC-0073) for a Smart Metering Gateway and its appertaining safety modules conforming to the Common Criteria.
Manufacturers like Landis+Gyr faced new challenges with these extensive requirements contained in the BSI safety module and its legal provisions, which are to be implemented in electronic meters and Smart-Meter Gateways. Not only does the product itself have to be submitted to certification in order to establish compliance with these security requirements; there are also certain minimum requirements for the development process, the documentation, the support during the lifecycle of the product, testing and weak-point checks that have to be met. The product will get its certification only if the whole framing environment passes this audit. Thomas Mosel, Head of Information Security EMEA at Landis+Gyr, comments on this subject: «The safety module according to the internationally recognized IT-security guidelines of the Common Criteria includes a high number of security requirements. Very soon it was clear to us that we had to take in someone with the necessary know-how in order to implement this comprehensive catalogue of requirements, especially in the field of IT-security. Looking for an expert we came across Wolfgang Sidler of Sidler Information Security. His enormous knowledge in security questions matched perfectly with the forthcoming project. This way, we started to talk and eventually engaged him for the implementation of the project».
Cross GAP-analysis from A to Z

In April 2012, Thomas Mosel and Wolfgang Sidler began with an in-depth survey with GAP analysis, in which the already existing information security was collated with the current requirement catalogue at hand. Thomas Mosel explains: «We had the privilege not to work under an enormous time pressure. We could take enough time both for the establishment of the GAP-analysis and the security concept that was to follow in order to test each point in every detail and prepare ourselves intensively and very precisely for the BSI-certification».

More than just an information security concept

The Assurance Requirements of the Common Criteria are an important part of it. They define the minimum requirements for the development process, the documentation, the support during the product lifecycle, and for the tests and weak-point checks that necessarily have to be observed, as well as the way in which the evaluator has to check these requirements. Based on the catalogue, it was later established which of these requirements already existed on an organizational level and which ones still had to be accomplished, which points had to be complemented and in what way, or even needed to be newly developed, and finally, what the final catalogue of measures would look like. The concept of information security that Wolfgang Sidler derived from the analysis he had worked out has been introduced in all areas of Landis+Gyr and is now applied on all levels, from software and hardware development through configuration management to production and quality assurance. It took around 12 months until this concept of information security could be presented to the management for clearance. With the now released information security concept, Landis+Gyr has set the first decisive step on the way to a secure intelligent metering system for power and gas according to the new legal provisions.
In July 2013, it could register the first Smart-Meter Gateway compliant with the Common Criteria and Safety Profile (BSI-CC-PP-0073) at the Bundesamt für Sicherheit in der Informationstechnik (BSI) for certification. The current development is now being aligned with the requirements of the Common Criteria certification process. «A product certification is, except for certain limitations, valid on an international level. This is why we have laid out the security concept internationally, to enable its use regardless of the country or place where it is going to be used» explains Mosel, adding: «The experience in the field of security that Thomas Sidler brought us from an international level was also very helpful to us in this matter». Mosel specifically mentions the ISO 27001 certification project of Landis+Gyr in England, which was realized simultaneously with the Common Criteria project and defines all safety-relevant functions derived from the implementation and operation within the company of an Information Security Management System (ISMS): «Both projects have profited from each other within the frame of their respective analyses and concept developments, with information flowing in both directions». Here, Wolfgang Sidler worked with internal departments in England, actively supported the security audit and was also present in his assessing position during the successful certification in England in July.
Security awareness for employees

Technical security measures do not only need organizational decisions but also, and very especially, personal measures in order to be effective. On the basis of the established information security scheme, a complementary training concept related to the implementation of the security guidelines was put in place. On the initiative of Wolfgang Sidler, an awareness training for employees took place for the first time in June 2012. A further security training based on the results obtained from the Common Criteria project and aimed at those employees engaged in the project followed in 2013. «It wasn't only the very positive response among the employees that was useful; it also provided us with a constructive discussion and good feedback» according to Thomas Mosel. «Especially the review and the resulting proposals for improvements that were subsequently produced by Wolfgang Sidler on behalf of the training records were extremely helpful. The awareness training conforms with current standards today and we will be able to perform, on demand and at any time, more of these trainings on our own».

The bottom line

The course for the future of intelligent metering systems has been set at Landis+Gyr; the final results of the project met the expectations and are in line to guarantee the security of the information, data protection and the safety of Smart Grids. It is now only waiting for its certification. Once it has been granted, the industry will soon be offered sustainable solutions.
Project Details

Smart Meter Gateway Common Criteria EAL4+ Product Certification
Performing an information security gap analysis based on ISO 27001
Elaborating special security concepts and policies for development, project management and production processes
Conducting ISO 27001 audits in England and France in Smart Meter production plants
ISMS framework coaching based on ISO 27001 and ISO 27002

Project Category

www.sidler-security.ch
info@sidler-security.ch
Holzhäusernstrasse 5a
CH-6331 Hünenberg - Switzerland