Authentication on high critical infrastructures using interoperable federated identities

The technical guideline TR-03109 divides between the roles of the SMGW technician and the Gateway administrator whereas the Gateway administrator gains full access to the SMGW and the service technician has only very limited access rights. In many scenarios the service technician will also need full access to the Smart Meter Gateway which means that he must be able to change its role. Federated identities can help to create a solution that keeps the strict role enforcement between service technician and Gateway Administrator. This article presents an approach on the background of the current Smart Grid development and identity technology adopting approaches used for the German national ID card. A short discussion pertaining threats and risks completes the discussion. 1 Smart Grid Infrastructures – German approach Based on the European Directive 2003/54/EG the EU member states are required to introduce intelligent measurement devices for electricity. The German government regulates this requirement in the law on energy industry (Energiewirtschaftsgesetz – EnWG), especially in §21c, §21d and §21e. The ministry of economics (BMWi) requested the Federal Agency for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik BSI) to set up a technical guideline [3109-1] and Common Criteria protection profile [PP] addressing security and interoperability. The German smart grid approach requires a gateway component for data collection, consumption displaying and secure communication with meters, users and external entities. This component is called “Smart Meter Gateway (SMGW)”. The Smart Meter Gateway itself is not a measurement device; it is a data aggregation and communication unit that protects the privacy, integrity and authenticity of the consumer data during local storage and network communication. A hardware security module is built into the Smart Meter Gateway for protection of key material and cryptographic operations. Three logical and physical distinct networks are defined for the Smart Meter Gateway: • The Wide Area Network (WAN)