Applying a Security Kernel Framework to Smart Meter Gateways

This is the title of a paper I wrote together with Michael Gröne, and which I presented at ISSE 2012. As part of my work at Sirrix we developed this security architecture for smart meter gateways and leveraged earlier work on security architectures for distributed IT systems, as we did in the EMSCB and OpenTC projects, i.e., building on the Turaya security framework.

Smart grids are a heavily discussed topic in the European Union and many other countries. Smart Meter Systems are going to be deployed worldwide. However, due to their complexity and interconnectivity, they have to deal with strict security and privacy requirements. As a result, German regulatory bodies decided on a proactive approach and developed a protection profile for Common Criteria evaluation, i.e., explicitly specifying security requirements for gateway components. In this paper, we describe the challenges and requirements that have to be fulfilled to build a smart meter gateway according to the BSI protection profile in Germany. Moreover, we present and discuss a modular security framework approach that can be used to realize such gateways in order to fulfill the requirements of the protection profile. This security framework is based on a security kernel approach that has been developed within various other projects. The proposed security kernel framework offers a solution to meet these security requirements while keeping the architecture modular and flexible enough to be used for other implementations as well.

The figure above shows the architecture of the approach. A key feature of the security kernel framework is that it allows executing isolated application domains on top of it. Applications belonging to one domain can communicate freely with each other. Communication with other domains is prevented by default. If communication between domains (or to external systems) should be allowed, then this must be stated in the security policy of the system. In the instantiation of our framework for the smart meter gateway, we isolate the execution of all services that are used to realize the logical functions of the gateway. In particular, we define four security domains, one for each of the logical main functions, and in addition one security domain for the basic services of our security kernel. As other applications might be introduced later, we can define further security domains to separate them from the main logical functions and the basic security services. As one possible instantiation of the framework, we use a type enforcement mechanism to provide mandatory access control and labeling of all data and network connections. This is enhanced by additional components (security services) that control all incoming and outgoing network connections and those that enforce the information flow control of the software components within the gateway.
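The default-deny domain policy described above can be modelled in a few lines. This is an added example, not code from the paper or from the Turaya framework; the domain names, application names, the `external` pseudo-domain and the treatment of rules as directional are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EXTERNAL = "external"  # pseudo-domain for anything outside the gateway (assumption)

@dataclass
class DomainPolicy:
    labels: dict                               # application -> security domain
    allowed: set = field(default_factory=set)  # explicit (src_domain, dst_domain) rules

    def domain_of(self, app: str) -> str:
        # An application without a label is treated as external, never as trusted.
        return self.labels.get(app, EXTERNAL)

    def permits(self, src_app: str, dst_app: str) -> bool:
        src, dst = self.domain_of(src_app), self.domain_of(dst_app)
        if src == dst and src != EXTERNAL:
            return True                        # same domain: free communication
        return (src, dst) in self.allowed      # cross-domain: denied unless stated

    def audit(self, attempts):
        """Return the attempted connections that the policy refuses."""
        return [(s, d) for s, d in attempts if not self.permits(s, d)]

# Constructed sample: four function domains plus one for the basic services.
# All domain and application names are hypothetical placeholders.
POLICY = DomainPolicy(
    labels={
        "meter_reader": "function_1", "meter_store": "function_1",
        "wan_client": "function_2",
        "han_portal": "function_3",
        "admin_agent": "function_4",
        "crypto_service": "basic_services",
    },
    allowed={
        ("function_1", "basic_services"),
        ("function_2", "basic_services"),
        ("function_2", EXTERNAL),
    },
)

ATTEMPTS = [  # constructed connection attempts
    ("meter_reader", "meter_store"),     # same domain
    ("meter_reader", "crypto_service"),  # covered by an explicit rule
    ("wan_client", "backend.example"),   # explicit rule towards external systems
    ("han_portal", "meter_store"),       # cross-domain, no rule
    ("backend.example", "admin_agent"),  # inbound from external, no rule
    ("crypto_service", "meter_reader"),  # reverse direction of a rule, no rule
]

if __name__ == "__main__":
    for src, dst in POLICY.audit(ATTEMPTS):
        print(f"DENY {src} -> {dst}")
```

Running the audit over the sample attempts refuses the last three: each crosses a domain boundary without a matching policy entry.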

More information: [Slides]


Flexible Patient-Controlled Security for Electronic Health Records

This is a paper I wrote together with Thomas Hupperich, Hans Löhr, and Ahmad-Reza Sadeghi. I presented a poster on it at the 2nd ACM SIGHIT International Health Informatics Symposium (IHI 2012) in Florida, USA. In this paper we present a new security architecture for Electronic Health Records (EHR) systems in which we let the patients control the confidentiality of their EHR data in an easy and flexible way. Existing approaches to protect the privacy of EHRs are either insufficient with respect to strict privacy laws or they are too restrictive in their usage. For example, smartcard-based encryption systems require the patient to be always present to authorize access to medical records. In our approach, we propose a security architecture for EHR infrastructures that provides more flexibility but retains the security of patient-controlled encryption. In our proposal, patients are able to authorize access to their records remotely (e.g., via phone) and independently of time, for later processing by the physician. The security of our approach relies on modern cryptographic schemes, in particular Attribute-Based Encryption, and their incorporation into an EHR infrastructure.

The key idea of our approach is to avoid the use of smartcards as a direct input for encrypting and decrypting EHRs. Before medical data is to be stored on an EHR server, the patient provides his smartcard only to generate a transaction code (TAC), which will be used as the authorization secret. The encryption key is based only on the TAC and the patient's identity. When the EHR is to be read again, the patient gives the TAC to the health professional who needs to access the EHR. The novelty in this approach is that patients do not need to be present with their smartcards for decryption, but can provide the TAC via, e.g., phone.

More information: [Paper]