Smart Meter Gateway: How an intelligent and safe measuring system should protect the climate and your wallet.
The smart meter gateway and its surroundings
© Federal Office for Information Security
It is probably not a bad idea to replace our Ferraris electricity meters, invented in the 1880s, with modern digital Internet of Things (IoT) devices. The planned exchange was not driven by technical progress, but by a political goal: The emission of climate-damaging carbon dioxide should be reduced. Each of us can help by reducing our own electricity consumption, which of course makes sense for cost reasons.
It all started with the “Law on the Digitization of the Energy Turnaround”, which was passed in September 2016. New digital and “smart” measuring systems are intended to make energy consumption more transparent. And more efficient, because consumption data will in future be automatically retrieved via the network. But this can only work if all components and the communication infrastructure are trustworthy – and demonstrably secure. Therefore, high security requirements are made.
The Federal Office for Information Security (BSI) was commissioned with the technical elaboration. The BSI has specified a comprehensive system architecture for an “intelligent measuring system (iMSys)” that is not limited to the operation of electricity meters. Instead, an iMSys network is sought, which is to collect data from all private consumers (electricity, gas, water, etc.) and decentralized (electricity) producers.
This creates a complex IoT structure whose data can be efficiently collected, distributed and evaluated. This should help energy suppliers and network operators to control their resources correctly (keyword load distribution). Other market players can also have access, for example electricity traders or housing managers. In principle, consumption data of the electricity customer is available at any time – for all authorized parties involved.
In general, it is interesting for electricity customers that they can display their electricity consumption to the minute via app or PC and also analyze historical data. In this way, he can find power guzzlers and take appropriate measures. Since iMSys also enables the remote control of electrical consumers (CLS – Controllable Local Systems), you can, for example, switch on the charging station for the car at favorable times or manage the central heating of an apartment building.
Smart meter gateway as a control center
The iMSys core is the so-called Smart Meter Gateway (SMGW), via which all other iMSys components are configured and every data exchange is controlled. In addition to strict security requirements, the BSI has identified the manufacturer-independent interoperability of system components as a basic requirement for a successful iMSys roll-out.
In practical terms, this means that, for example, the SMGW can be replaced without having to change the meters at the same time. For this purpose, the BSI formulates minimum functional requirements (device profiles), compliance with which the manufacturer must prove. The most important requirements in this context can be found in “Technical Guideline BSI TR-03109-1” and are aimed at the SMGW – central communication unit and safety anchor for the entire iMSys.
Every manufacturer must subject their product, including its production environment and the supply chain to the customer, to a so-called security evaluation, which runs according to the rules of Common Criteria (CC) and must be initiated at the BSI for this purpose. After a successful evaluation, the manufacturer and product are certified, only then may the SMGW be installed at the end customer. All technical guidelines, protection profiles and all certified SMGWs are on the BSI website
Digital Society – Smart Metering Systems
The SMGW provides four channels for different device categories:
The so-called Smart Meter Gateway (SMGW) is the heart of every iMSys measuring system. All connected devices must be known to the SMGW, every data exchange is then controlled and safe.
© Kersten Heins
The so-called Smart Meter Gateway Administrator (SMGW Admin) is of central importance for every interaction with an SMGW. He is solely responsible for the technical operation of an iMSys installation at the electricity customer, i.e. their software configuration including the registration of connected devices or the uploading of a new SMGW firmware version.
The role of the SMGW Admin is usually performed by the responsible metering point operator, who carries out the installation on site and was used to read the meter and transmit the data to the electricity supplier and network operator. For each region there is a so-called metering point operator who is responsible, but the electricity customer can change this.
The SMGW Admin is not a person, by the way, but describes the solution that is used for this task area, i.e. tools and processes. IT security plays an essential role here, which is why every SMGW admin must be certified by the BSI.
The SMGW can only be accessed from outside via the WAN. SMGWs available on the market offer various accesses for this purpose, in addition to the Internet, also GSM mobile radio. There are currently four certified SMGWs, five more are currently underway at the BSI in the CC evaluation.
Security should create trust
The spread of the new iMSys infrastructure depends to a large extent on whether everyone involved is convinced of its trustworthiness. The threat situation is diverse.
For example, someone could be interested in paralyzing individual or all iMSys installations through external sabotage. The consumption data transmitted by the SMGW could also be read or even changed. Attacks on system-relevant functions could, for example, change the firmware or the system clock or device settings – with the aim of manipulating the transmitted consumption data. Local attacks could also take place physically, i.e. by opening the housing and then accessing the electronics.
Attacks from the outside are made more difficult by the fact that ALL communication connections have to be established by the SMGW or the SMGW Admin, i.e. from the inside to the outside. All other bus systems (HAN, CLS, LMN) are physically and logically separated anyway. The only approved WAN communication partner is the SMGW Admin; requests from other external participants are not intended.
The SMGW is the linchpin for all iMSys-internal processes and for every data exchange. The basis for secure communication is the tried and tested TLS (Transport Layer Security) protocol, which first authenticates both communication partners and negotiates a shared session key, which is then used to carry out encrypted data transmission.
Every TLS implementation is based on public key cryptography (i.e. asymmetric cryptography) and a suitable public key infrastructure (PKI), via which certificates for the public keys of all parties or their “electronic identity” are managed.
In our case, the BSI is the so-called root certification authority (Root-CA) of the iMSys-PKI (SM-PKI), so it is in state hands. The daily work is then done by subordinate sub-CAs, which provide certificates for products or market participants. These are private providers, for example an SMGW manufacturer, who can record every device produced and issue the certificate themselves.
After installation by the electricity customer, the SMGW is identified and all communication is then carried out via the Internet (WAN) using the aforementioned TLS protocol. Interesting is the fact that all other internal interfaces are also secured by TLS, such as the LMN bus to the electricity meters (via RS-485 serial or M-Bus wireless). These data connections cannot be attacked from the outside, but at least by anyone who can gain access to the respective premises of the electricity customer. Technically, the use of TLS means that every SMGW and other iMSys devices need their own electronic identity. Many modern electricity meters are already equipped for TLS ex works and equipped with an SMGW-compatible key pair.
Many digital electricity meters are TLS-capable and have already been preconfigured at the factory with an SMGW-compatible key pair. By combining it with an SMGW, such a “modern measuring device” can be expanded into an “intelligent measuring system”.
© Kersten Heins
A first TLS use case on the LMN bus is the installation of a meter. The new meter must first be registered with the electricity customer’s SMGW by the responsible SMGW administrator, i.e. registered and configured. The meter must then be prepared for the secure TLS data exchange. For this purpose, existing certificates are authentically exchanged between the SMGW and the meter. If not available, the SMGW must first generate a key pair for the meter and issue a certificate. The meter is only ready for operation after the certificates have been exchanged, but must authenticate itself before every interaction at the request of the SMGW.
To support cryptographic operations and for the secure storage of key material, each SMGW has a separate security component that specializes in such tasks. These are CC-certified chip cards that did not have to be specially developed for SMGW, but – just configured slightly differently – are used, for example, for electronic passports.
All in all, the BSI has done a thorough job and created tools that ensure a high level of interoperability between iMSys components from different manufacturers. That’s good – also from the user’s point of view.
Power consumption data is personal data that can be analyzed and misused and must therefore be protected. This is all the more true if this data is transmitted every second. For this purpose, detailed security specifications have been defined for many components (SMGW, SMGW Admin, PKI) and communication channels, which are therefore very well protected against hacker attacks.
Again, this is good, but it may not be good enough because all of the potential points of attack may not have been considered. Certification is static, attackers are dynamic and creative. This means that security gaps could open up at any time that were not recorded by the BSI protection profile. For example, the digital electricity meter that provides the consumption data is not part of the security check at all. Is a meter 100 percent forgery-proof? Hardly likely.
In addition, from the user’s point of view, some security aspects are not at all part of the security considerations of the BSI. The fulfillment of safety goals is checked, i.e. the implementation of functions, but not the lack of unwanted functions or backdoors.
It is therefore not checked whether the SMGW is exclusively concerned with SMGW tasks. The SMGW could be misused to access any data in the electricity customer’s home network, which would at least theoretically be possible if the SMGW and home network use the same Internet router. Hackers could – for whatever reason – take advantage of such opportunities and cause damage.
This lack of protection of personal data gives rise to skepticism among some electricity customers. For this reason, consumer advocates are calling for the Product Liability Act to be expanded and for SMGW manufacturers to be motivated to work pro-actively and continuously on optimizing their devices.
Tolerate retrofitting – use options
On the other hand, the iMSys specification paves the way for some improvements that electricity customers would benefit from, for example current and historical consumption data via web portal or app, electricity tariffs that vary according to the time of day, monthly consumption bills instead of installments.
All those who would like to use these advantages for themselves should be told: The official roll-out has already begun and the metering point operators responsible are legally obliged to replace all electricity meters with “digital” electricity meters by 2032. A simpler variant is provided as a minimum standard: the so-called modern measuring device, which is not connected to the Internet and has to be read manually as before.
Switching to iMSys is currently only mandatory if the annual consumption is more than 6000 kWh. Or when operating heat pumps or night storage heaters or for photovoltaic systems with more than 7 kilowatts of power that are fed into the public grid. The switch is already pending for these user groups, and the electricity customers affected have to put up with it.
Every electricity customer can now convert to iMSys on a voluntary basis. However, this must always be carried out by a metering point operator, under no circumstances the electricity customer himself. If the metering point operator responsible is not (yet) prepared, the customer is free to choose another contractual partner until the end of 2020. The change of the metering point operator is independent of the choice of electricity supplier and should – similar to changing the electricity supplier – not be a problem and must not cost anything.
The company is one of these competitive metering point operators
whose offer is a good start for electricity customers interested in SMGW. Discovergy also offers a forum for customer questions. The is also recommended
Federal Network Agency website
, where under “Modern measuring devices / intelligent measuring systems” you can also find a sample letter for the termination of the measuring point operator.
The production costs of an SMGW are around ten times higher than those of a conventional electricity meter, and the additional costs are ultimately borne by the electricity customer. However, the legislator has set upper price limits – depending on the annual electricity consumption. With a consumption of 3000 to 4000 kW / h per year, the additional costs may not exceed 40 euros.
In addition to this annual fee, the meter operator’s overall package is of course also of interest. The electricity customer willing to switch should compare the offers. For example, in addition to a web portal for the visualization of electricity consumption, Discovergy offers the option of recognizing individual devices and breaking down their consumption values.
For the Internet connection there are SMGWs with different interfaces, for example also for GSM mobile radio, but additional connection costs are incurred. The connection via the electricity customer’s existing internet connection is better if the data volume booked has enough leeway anyway. For this purpose, the meter operator’s installer (!) Connects the device to the router using a regular LAN cable, which must then be configured accordingly (for example, by setting up a “static IP route” for an SMGW subnet).
This option is only practical if the meter and router are in the same room or are “under control” of the connection user, such as in a single-family house. This will probably not work for the tenant in an apartment building who has their own meter in the communal basement. In this case, the resident must find a joint solution for all tenants or owners through the responsible property management company.
In general, the connection user (this can also be the tenant) is only allowed to choose his own metering point operator until the end of 2020. From 2021 the landlord (subscriber) has a priority right to choose. For consumption values <6000 kW / h per year, the meter operator can decide (!) Whether to install an iMSys or a modern meter by 2032. The connection user must tolerate this measure. In this context, one should know that the simple digital meters can be combined with an SMGW and thus become an iMSys.
A well-functioning supply infrastructure is of great public interest and must not fall into the “wrong hands”. From a security point of view, the BSI has undoubtedly done a good job, but with all the certification effort, more attention should have been paid to the data protection concerns of the electricity customers concerned. Improvement would be desirable. Or liability of the manufacturer for damage caused by hackers.
Technically, the SMGWs offer electricity customers a number of options for optimization and savings. On the other hand, the safety regulations mean that manufacturers have to pay higher costs. It remains to be seen to what extent the electricity suppliers can use these difficult framework conditions to offer customer-friendly products and to ensure stable electricity prices.
It is also questionable whether the technical options envisaged by the BSI, such as the CLS management, can be used to control devices such as the e-car charging station in the electricity customer’s garage “remotely”. That sounds a bit awkward. Other market participants certainly have ideas on how such customer requests can be fulfilled independently of the new iMSys.
More than 50 percent of German citizens rent their apartments and as such have little influence on the retrofitting. Instead, the legislature grants the metering point operators far-reaching powers that can only be controlled by owners or landlords.
A good strategy for consumers could be to first work towards the installation of a simple digital measuring device in order to upgrade to iMSys later if the problems mentioned have been solved and convincing offer packages from competitive measuring point operators are on the table.
What you need to know about smart meters
Reduce electricity costs with smart meters