Side by side

The energy transition in Germany will not be possible without digitalisation and intelligent measurement systems. For certification purposes, however, the smart meter gateways must meet extremely strict security requirements to see off hacker attacks and exclude violations of data protection law. TÜViT’s IT security experts have joined forces with EMH metering, the world’s leading provider of meters and measuring instruments, to shepherd such a device through the certification process. We look back on seven years of teamwork.

“At the end of the day, what you have here is the coming into close alignment of two companies which didn’t have much in common before,” says René Giebel, product manager at EMH metering GmbH & Co. KG, adding: “Also because both firms have always had to trust in the expertise and commitment of the other: TÜViT is a professional provider of IT security, testing and certification procedures – and our expertise lies in measurement and communication technology.”

The cooperation already goes back a good while: it was back in 2011, when the German government launched the “Energienetze” (Energy Grids) platform, that the move toward digitalising the energy transition¹ first gained some serious momentum. Its aim is to work with the actors in the energy turnaround – grid operators, administrations and associations – to develop solutions for the smart grid of the future. These, in turn, must meet some very high security requirements. EMH was already involved at that time; the company has been on the market for almost 30 years and offers digital systems for the collection, transmission, storage and distribution of energy measurement data. “That was when we first came into contact with the IT security experts at TÜViT, at least in respect of this particular theme,” Mr. Giebel recalls. A year later, in 2012, the manufacturer finally decided to enter the race, to invest and develop a smart meter gateway (SMGW). The signing of the contract with TÜViT, and, with it, the green light for seven full-on years, followed shortly afterwards.

² The Federal Office for Security in Information Technology is Germany’s cyber security authority and is responsible for designing information security in the digitalisation process for the state, economy and society through prevention, detection and response.

³ The protection profile pools the security requirements for a specific IT product and is used for security certification in accordance with ISO / IEC 15408 (Common Criteria): The manufacturer explains and implements the safety functions of its product along the profile, testing bodies carry out inspections, and the BSI issues certifications in line with the requirements.

⁴ Manufacturers of SMGWs are obliged to implement their own safety measures along the entire supply chain and also to define appropriate specifications for the measuring station operators. The aim is to prevent any manipulation of the device and the smuggling in under the radar of uncertified devices.

From the beginning

“I’m convinced that we’ve been so successful because we’ve worked very closely together at all levels – management, project manage­ment and experts,” emphasises Stephan Slabihoud, project manager at TÜViT and the member of staff responsible for the cooperation with EMH. This is also to some extent inherent in the product itself: “For certification,” the IT specialist explains, “smart meter gateways need to satisfy some very stringent security requirements that are based primarily on privacy and data security considerations.” The requirements are issued by the Federal Office for Information Security (BSI)², which has taken this approach as a means of enforcing EU law and is also supported and advised by TÜViT: Mr. Slabihoud is one of the co-authors of the Protection Profile³, which describes the requirements that the gateway has to meet. The crucial principle here is that of security or privacy by design. “By taking full account of the security and data protection requirements for software and hardware at an early stage,” explains Markus Wagner, the member of staff responsible for software evaluations at TÜViT and consultant in the SMGW projects, “we’re eliminating potential vulnerabilities and interfaces for hacker attacks during the development phase.” With good reason: If someone were to hack into a smart meter, measurement and personal data could fall into the wrong hands. It’s for this reason that, in addition to IT security, other features such as supply chain security⁴ and a highly secure production environment must also be adhered to. Casa 1.0, as EMH’s Smart Meter Gateway is currently known, is, for this and other reasons, particularly securely packaged.

“Of course, we had to start by putting our heads together to work out these numerous and sometimes very complex framework conditions – and they’ve constantly changed in the meantime,” René Giebel says by way of recollection of the beginnings of the collaboration. TÜViT’s initial role was to support EMH metering as a critical consultant: in preliminary discussions with the BSI and in workshops in which the teams of EMH and TÜViT formulated the milestones involved in the certification process. “Only later, during development, did we prepare the prescribed documentation for the certification procedure, so that all the security-related aspects could be evaluated by our testing laboratory in the second half of the project,” says Mr. Slabihoud. This includes regular vulnerability analyses of the source code and test cases specially developed for Casa 1.0. Not many testing labs are capable of ­carrying the procedure out; TÜViT is currently the only one to have successfully tested several smart meter gateways in accordance with the “Common Criteria”. In the end, there were well over 1,000 pages of documentation and some incredibly long test reports.

On the home straight

Things became particularly fraught at the end of 2018: “When we found out how long the certification process would take, we were pretty dismayed to start with,” recalls Dr. Peter Heuell, Managing Director of EMH metering. The manufacturer was worried that the product would only arrive on the market very late. This major goal of getting Casa 1.0 through certification as quickly as possible had a number of implications for both partners: teamwork is much more than a simple question of duty. Not only was the project the most expensive in EMH’s corporate history, but it was also coming under significant political and time pressure: To avoid risk, the nationwide rollout of the smart measuring system in Germany was predicated on the provision of three certified smart meter gateways from three manufacturers with no links to one another. “You can only handle the pressure if you have the long-term goal squarely in view. And if you’re convinced that it’s the right thing to do; that Germany can’t initiate an energy transition without smart grids and intelligent measuring systems,” emphasises Dr. Heuell, who, before joining EMH, was an advisor to the Federal Government’s Economics Committee and also supported the government in its development of the law on the digitalisation of the energy transition⁵.

So the partners decided to really get things moving. Every six weeks, meetings were held at managing director level, and the teams worked intensively on timing, identifying any sticking points and clearing obstacles out of the way. In this way, the partner got the most out of the next 9 months. “One of the key experiences during this time,” recalls Markus Wagner, “was the crypto workshop at the BSI.” This milestone on the agenda was concerned with introducing cryptographic implementation. “If a manufacturer isn’t well prepared, this can have a serious impact on the testing.” The EMH team, however, had mobilised all their resources in the preparation and achieved a very good result. And, as Mr. Wagner emphasises, they also gained the required trust of the inspectors and the BSI: “Thanks to the close cooperation and dedi­cation of the EMH employees, we were able to prove that EMH is a manufacturer that can be relied on to develop secure software.” Dr. Heuell adds: “Of course, things didn’t always go smoothly, partly because the requirements were constantly being added to as a result of ongoing new insights into internationally identified vulnerabilities. But during this year we developed very robust confidence in each other. The confidence that we’re serious, that we’re in the same boat and can rely on one another.”

⁶ Future generations of devices will be used not only for more complex measurements, but also to control electrical devices, among other things.

The time after certification is the time before recertification

After two other manufacturers had already successfully completed the certification of their smart meter gateways, Casa 1.0 was the next to cross the finish line: Once the BSI had handed over the certificate to EMH metering on 19 December 2019, there were no further obstacles to announcing the market launch. This duly came at the end of January 2020. Since then, the mandatory rollout of the intelligent measurement system has been underway in Germany. However, this doesn’t mean the end of the cooperation between EMH and TÜViT: “The time after certification is the time before recertification,” says René Giebel with a laugh. All security-relevant adaptations that follow from now on will need be scrutinised and certified afresh. The roadmap provides for a gradual expansion into other applications, including tariff applications, but also the integration of gas, heat and water as well as charging stations for electric cars. “We’re already developing new scenarios, and further implementations will follow in the foreseeable future,” he explains, before Mr. Slabihoud adds: “To be specific, Mr. Giebel, Mr. Wagner and I are in intensive dialogue about the next generation of the Smart Meter Gateway⁶ – there’s absolutely no time to sit around.”