Trusted gateway: a smart grid use case - ETSI… · ETSI M2M workshop, Sophia-Antipolis, December...
Trusted gateway: a smart grid use case
Pierre Girard / D. Tournier
ETSI M2M workshop, Sophia-Antipolis, December 10, 2014
Agenda
• A reminder from last year
• Bringing trust to the smart grid ecosystem
• Implemented security mechanisms
A reminder from last year
How to enable trust?
• Security mechanisms
• Security assurance
• Security life cycle mgt
• Service framework
A gateway template
[Diagram: a gateway with WAN and LAN interfaces, made up of services, a services management API, a service framework, framework common services, an OS / hardware layer and a secure element]
Security mechanisms
[Diagram: the gateway template (services, services management API, service framework, framework common services, OS / hardware layer, secure element, WAN, LAN) annotated with the following labels]
• Services isolation
• Services communication
• Policies, permissions, users, authentication, crypto…
• Code integrity, secure boot
• Secure com. (label appears twice)
• Tamper resistant execution environment
Security assurance
[Diagram: the gateway template (services, services management API, service framework, framework common services, OS / hardware layer, LAN) shown with a Gateway manager and a further service]
Life cycle management
[Diagram: the gateway template (services, services management API, service framework, framework common services, OS / hardware layer, secure element, WAN, LAN) shown with further services]
Bringing trust to the smart grid ecosystem
A Smart Grid use case
Typical security concerns
• Privacy protection
• Fraud
• National critical infrastructure
Features
Smart
Secured
• Nodes and infrastructure
• Applications
• Communications
• Autonomous
• Dynamically reconfigurable
• Smart Grid (power routing, load management)
• Smart Metering (automatic meter reading)
• Solar panel or Grid to Vehicle
Security and cryptographic requirements
Scalable solution
• Size: from 100s to millions of devices
• Time: long term security is needed (> 10 years)
• Certifications: Common Criteria / FIPS / ...
• Cryptographic / security mechanism agility
Minimum cryptographic requirements
• SHA-2
• ECC (with curve agility)
• TLS 1.2 with recent cipher suite (ECDH, ECDSA, GCM, ...)
• Tamper resistant hardware
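An added example, not part of the original slides: one way to enforce the minimum cryptographic requirements listed above on a TLS endpoint and to audit an offered cipher list against them. The use of Python's ssl module, the two OpenSSL suite names, the sample list and all function names are assumptions of this example; the reference design in the slides uses Java 8 with a PKCS#11 provider.

```python
import ssl

# OpenSSL names of TLS 1.2 suites meeting the slide's minimum (ECDH key
# exchange, ECDSA authentication, AES-GCM, SHA-2). Picking the ephemeral
# ECDHE variants and these two suites is this example's assumption.
POLICY_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"

# Constructed sample: a cipher list as a legacy peer or config might offer it.
SAMPLE_OFFER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA",
    "AES256-SHA256",
]


def make_gateway_context():
    """Client-side TLS context that refuses anything below the stated minimum."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(POLICY_CIPHERS)  # restricts TLS 1.2 suites only
    return ctx


def violations(suite):
    """Return the requirements an OpenSSL TLS 1.2 suite name fails to meet."""
    parts = suite.split("-")
    problems = []
    if parts[0] != "ECDHE":
        problems.append("key exchange is not ECDHE")
    if "ECDSA" not in parts:
        problems.append("authentication is not ECDSA")
    if "GCM" not in parts:
        problems.append("cipher mode is not GCM")
    if parts[-1] not in ("SHA256", "SHA384"):
        problems.append("hash is not SHA-2")
    return problems


def audit(suites):
    """Map each non-compliant suite name to its list of violations."""
    return {s: v for s in suites if (v := violations(s))}


if __name__ == "__main__":
    for name, why in audit(SAMPLE_OFFER).items():
        print(f"{name}: {'; '.join(why)}")
    enabled = [c["name"] for c in make_gateway_context().get_ciphers()]
    print("enabled suites:", enabled)
```

The checker parses OpenSSL-style TLS 1.2 suite names only; TLS 1.3 suites (names starting with `TLS_`) are configured separately by OpenSSL and are not covered by `set_ciphers`.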
Implemented security mechanisms
HW architecture of a Secure Element
[Diagram: secure element (SE), 6 x 5 mm, with ROM, EEPROM, RAM, CPU and Crypto blocks; interfaces to the Host: UART, ISO7816, SPI…]
SW Architecture of a Secure Element
[Diagram: Secure Element software stack: Operating System, Java Card VM, Java Card API, Global Platform, Applet 1, Applet 2; APDU link between the Secure Element and the Host CPU]
Smart grid reference design
[Diagram: Secure Element (Infineon SLE78) software stack: Operating System, Java Card VM, Java Card API 3.0.1, Global Platform, PACE, IAS 4.2]
• TLS 1.2 support
• Data signature / verification
• Data encryption / decryption
• Certificates storage
• RSA 4096
• AES 256
• SHA 512
• ECC 521
Our software set-up
[Diagram: Raspberry Pi running Raspbian with PC/SC lite, PKCS#11, PKCS#11 crypto provider, Java 8 embedded API, Distributed framework, and Grid mgt, Metering and Admin blocks; APDU link to the Secure Element (Infineon SLE78: Operating System, Java Card VM, Java Card API 3.0.1, Global Platform, PACE, IAS 4.2)]
Our security set-up
• End to end secured data
• Signature + encryption
• Secured communication
• TLS 1.2
• Secured framework config
• Broadcast
• Self discovery of trusted nodes and services
Life cycle management
2 Types of TSM
• Issuer TSM: in charge of SE content management
• Service Provider TSM: in charge of service deployment and application management
[Diagram: Gemalto Operation center with SP TSM, Issuer TSM, SP TSM 2 and Issuer TSM 2]
Examples of Remote administration
Certificate renewal
Keys renewal
Third parties access rights
Crypto agility
Blocking / unblocking / auditing device
Java code update
Large scale campaigns
Standards Trust+Ecosystem with shared hardware
platforms enabling new business
models for innovative services