This is the title of a paper I wrote together with Michael Gröne, and which I presented at ISSE 2012. As part of my work at Sirrix we developed this security architecture for smart meter gateways and leveraged earlier work on security architectures for distributed IT systems, as we did in the EMSCB and OpenTC projects, i.e., building on the Turaya security framework.
Smart grids are a heavily discussed topic in the European Union and many other countries. Smart Meter Systems are going to be deployed worldwide. However, due to their complexity and interconnectivity, they have to meet strict security and privacy requirements. As a result, German regulatory bodies decided on a proactive approach and developed a protection profile for Common Criteria evaluation, i.e., one that explicitly specifies security requirements for gateway components. In this paper, we describe the challenges and requirements that have to be fulfilled to build a smart meter gateway according to the BSI protection profile in Germany. Moreover, we present and discuss a modular security framework approach that can be used to realize such gateways in order to fulfill the requirements of the protection profile. This security framework is based on a security kernel approach that has been developed within various other projects. The proposed security kernel framework offers a solution to meet these security requirements while keeping the architecture modular and flexible enough to be used for other implementations as well.
The figure above shows the architecture of the approach. A key feature of the security kernel framework is that it allows isolated application domains to execute on top of it. Applications belonging to one domain can communicate freely with each other; communication to other domains is prevented by default. If communication between domains (or to external systems) is to be allowed, this must be stated explicitly in the security policy of the system.

In the instantiation of our framework for the smart meter gateway, we isolate the execution of all services that are used to realize the logical functions of the gateway. In particular, we define four security domains, one for each of the logical main functions, and in addition one security domain for the basic services of our security kernel. As other applications might be introduced later, we can define further security domains to separate them from the main logical functions and the basic security services. As one possible instantiation of the framework, we use a type enforcement mechanism to provide mandatory access control and labeling of all data and network connections. This is enhanced by additional components (security services) that control all incoming and outgoing network connections, and by components that enforce information flow control between the software components within the gateway.
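To make the domain-isolation rules concrete, here is a small type-enforcement style policy checker modelling the default-deny behaviour described above: intra-domain communication is free, cross-domain access needs an explicit rule, and denied requests are recorded for monitoring. This is an added illustration, not code from the paper or from the Turaya framework; the domain names, labels and the sample rule are assumptions.

```python
"""Added example: minimal type-enforcement style policy checker modelling the
five-domain gateway instantiation. Domain names, labels and rules are assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    name: str
    domain: str          # security domain the process runs in


@dataclass(frozen=True)
class Resource:
    name: str
    domain: str          # domain that owns the data or connection
    label: str           # type label attached to the data or network connection


@dataclass
class Policy:
    domains: frozenset
    # explicit allow rules: (subject domain, resource label, operation)
    rules: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # denied requests, for monitoring

    def allow(self, subject_domain, label, operation):
        if subject_domain not in self.domains:
            raise ValueError(f"unknown domain {subject_domain!r}")
        self.rules.add((subject_domain, label, operation))

    def permits(self, subject, resource, operation):
        # Applications within one domain communicate freely.
        if subject.domain == resource.domain:
            return True
        # Cross-domain access only if the policy states it; otherwise deny.
        allowed = (subject.domain, resource.label, operation) in self.rules
        if not allowed:
            self.audit.append((subject.name, resource.name, operation))
        return allowed


def gateway_policy():
    """Five domains as in the paper's instantiation: four for the logical main
    functions plus one for the basic services. 'function_1'..'function_4' are
    placeholder names, not the paper's terms."""
    policy = Policy(frozenset({"function_1", "function_2", "function_3",
                               "function_4", "basic_services"}))
    # Assumed rule: function_1 may read connections labelled 'ext_conn',
    # which the basic services domain controls.
    policy.allow("function_1", "ext_conn", "read")
    return policy
```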
More information: [Slides]