Smart boxes for smart gateways

SMART-METER-ROLLOUT | At the end of 2017, when the certification of Smart Meter Gateways (SMGW) was approaching its final spurt, the requirements of the German Federal Office for Information Security (BSI) for the transport of devices from manufacturers to end customers came to the fore. The task was to set up secure processes that could be certified. How the SMGW manufacturer Power Plus Communications AG (PPC) in Mannheim mastered this challenge is described in an interview conducted by BWK with Eugen Mayer, member of the Management Board responsible for operations and product development.

Mr. Mayer, as an SMGW manufacturer, you are in close contact with the BSI during the certification process. How did the topic "safe delivery process" get on the agenda?

At the end of 2017, the certification procedure revealed that the existing processes did not meet the security requirements for the SMGW delivery. It had been recognized that the transport route between the production site of the devices in the protected environment of the manufacturers and their installation in the meter cabinet at the end customers had to be protected by additional measures.

Why is the aspect of safe transport so important? An SMGW can also be attacked in the meter cabinet.

A single SMGW installed in the basement is protected by the building infrastructure and less interesting for physical attack. An attack during transport, on the other hand, could manipulate many SMGWs at once. And as during transport there is no physical protection by the building infrastructure, additional security measures must be implemented.

“Protection against the installation of manipulated devices.”

So you've set out to find a solution. What were the requirements to be met?

First of all, the solution should integrate itself as well as possible into the existing processes of our customers. It should also continue to be possible to transport the SMGWs with normal freight forwarders, and no structural measures should become necessary at existing interim storage facilities. The aim of this solution is not so much to prevent device theft but rather to ensure that no manipulated devices can in any way be channeled into the roll-out process and installed in the field. That is to say, it was a matter of making sure that if a device gets lost, this circumstance is reliably detected and it is possible to prevent such a device from being brought back into the installation process. We have found that there is no ready-made solution on the market that covers these requirements at the required level.

This means that security transports, for example, were excluded as a solution from the outset?

“Requirement: Recognize if someone wanted to violently open the transport box.”

You then came across a company that specializes in secure locking systems. What is so special about the solution?

This company has a locking system for critical infrastructures that has already been tested by the BSI in another project. The most important requirement for a transport box is that you must be able to recognize when someone has tried to violently open it. If this happens, we can clearly identify and lock the devices that were or are inside the respective container, so that the installation of any manipulated devices is safely prevented. The transport box is opened and closed using an electronic key with an individual code combination.

Are standard boxes from the manufacturer used for the SMGW transport?

The boxes had to be adapted according to the specifications of the BSI so that manipulation attempts could be detected more reliably. For example, the hinges for the lid were moved from the outside to the inside, and the closing mechanism was also adapted.

“Secure process for SMGW delivery”

The boxes are one thing, but it also needs handling processes, right?

The reliable process for use is much more important than the transport container itself. The box alone does not make a safe solution. Based on the box as a transport tool, we were able to develop a safe process for the SMGW delivery. This process was developed in close coordination and cooperation with the BSI.

Is PPC responsible for the entire transport route from the production plant to the field?

As SMGW manufacturers, we are responsible for providing our customers with reliable transport solutions. Our manuals describe how the SMGW can be safely transported. The point at which responsibility for the devices is transferred from us to our customers can vary. This depends entirely on whether the customer wants to handle the transport themselves or buys transport from us as a service. Here we can react flexibly to all customer wishes.

“Two containers of different sizes are available.”

This means that the SMGWs have to leave the factory in the transport boxes. How many devices fit into them?

We work with two containers of different sizes. Up to 1,600 gateways fit into the large model and up to 60 devices into the small model. We have purchased enough boxes to be able to offer them to our customers. But of course, every customer can own their own boxes. In the first phase of the roll-out, however, most PPC customers will probably make use of the option of using transport as a service because it is the easiest way. We and our customers now want to get into the roll-out phase as quickly as possible, and this should not fail because of this process.

The transport boxes are obviously also intended as storage for the SMGWs?

Correct, the transport boxes are also considered a safe storage location for the SMGWs. It was important to us that no costly conversions or special safety precautions were necessary in the material warehouses of the municipal utilities and energy suppliers. If the energy supplier places the transport box in the warehouse, where it also keeps its meters, and locks the door, everything is fine. The repackaging of the SMGW from a large to a small transport box is also a defined process.

“Key management similar to online banking.”

How can one imagine the key management for the transport box?

The key management described in the process is digitalized and functions similarly to online banking. This means that the fitter receives a specific one-time code for each opening and closing process. This loses its validity after use and is therefore worthless for a potential attacker.

Has the BSI approved the delivery process from A to Z, and has PPC reached its certification goal? 1)

We're almost done with this. All BSI change requests have already been incorporated into the process and there are no more open questions. We assume that the transport process in its existing form will become part of the SMGW certificate. Meanwhile, we systematically conduct training and workshops with our customers, which they need for the application of this process.

Mr. Mayer, thank you very much for the interview.

1) The interview was conducted on 16 November, 2018.