Stephan Beirer of GAI Netconsult briefs the S4 audience on the Smart Meter Gateway Protection Profile being developed in Germany. The effort was funded by the German Government and developed by utilities, vendors and consultants.
(Note – last ten minutes are audio only)
For those new to the Common Criteria, Stephan provides some information on a Protection Profile – including the Security Functional Requirements and Security Assurance Requirements. He then discusses the key points in the Protection Profile. Some of the essential threats considered:
- an attacker (local or remote) tries to gain access to the metering data or smart meter configuration/firmware
- an attacker may try to intercept meter data or configuration/firmware during data transmission
- an attacker may try to gain control of the gateway, meter or controllable local system
The Protection Profile is written to EAL4+. This is quite ambitious: EAL4 imposes security assurance requirements on the development process itself, which means existing products cannot reach it. The + indicates two additional requirements: flaw reporting requirements and vulnerability assessments.