ADD Grup Protects Smart Meters With Secure Key Management From Thales
How an Energy Integrator Fast-Tracked Implementation Of a Key Management Solution To Meet New Business Requirements In a Quickly Changing Energy Industry.
The Challenge: Develop And Implement a More Secure Key Management Solution – Fast
ADD Grup develops and manufactures advanced smart grid and smart metering solutions that provide utility companies with the tools to efficiently manage resources and consumers with the information to use energy more responsibly.
With smart meters increasingly in use to remotely control the energy supply, utility companies recently adopted new requirements to secure the supply chain and prevent a malevolent attacker from seizing control of energy sources and causing catastrophic disruption to businesses and governments. To win business by successfully developing products to meet these new requirements, ADD Grup needed to develop a solution that would create a secure system-wide root of trust. With that in place, the entire supply chain from design to field operation would be protected, with a key management system (KMS) securing communication between each layer, including the smart meters, data concentrator (DC) field units, in-home displays (IHD), and the central system.
To win the trust of utility companies, ADD Grup knew it would need a solution that would allow for rapid development and fast implementation – it was critical to find a solution that was compliant with FIPS 140-2 Level 3. To ensure adoption, the solution would need to be easy to use, allowing end-users to automatically secure massive numbers of end devices without human errors. To be competitive, ADD also needed a solution with a low cost of deployment, scaling, personnel training, operation and maintenance. And to deliver greater security, the solution would need to protect confidentiality of information exchanged by devices and prevent spoofing or fraud by insertion of non-authorized devices.
The Solution: Thales keyAuthority Key Management System
To fulfil these new requirements, ADD chose keyAuthority to manage keys for its SIMS (Head-End System) product. keyAuthority gives ADD the ability to store keys and associated security information with high assurance FIPS 140-2 Level 3 protection and make them accessible via the widely-accepted industry KMIP standard. With keyAuthority, keys can be easily delivered to meters, DCs and IHDs in the field. Coupled with certificate provisioning from Microsoft PKI, the SIMS product was enabled with a full complement of communications security, lifecycle key management, and strong authentication capabilities.
As a hardware-based solution, keyAuthority provides the highest level of security that ADD Grup needed. keyAuthority also provides important functionality for key management including secure storage, key generation and high availability, enabled by replication of security materials between several hardware instances. And keyAuthority has the capacity to handle the estimated 10 million keys that ADD will need to store to serve its projected client base.
- Automates key lifecycle management across all layers of the energy supply chain
- Lowers risk of breaches with high assurance, reliable hardware
- Centralizes policy using a single approach to control and audit keys
With keyAuthority, ADD Grup’s SIMS solution provides all needed functionality to properly configure meters and DCs, including:
- Importing of meter, DC and IHD master keys
- Generating, storing, and registering of operational keys
- Delivering of wrapped operational keys to the meters
- Configuring meter and IHD security settings
- Delivering of wrapped meter and IHD operational keys to DCs and directly to meters
- Delivering of meter security settings to DCs
The first instance of ADD Grup’s solution is under deployment in a Smart Metering project in Eastern Europe and features more than 100,000 smart meters and more than 1,000 DCs.
ADD Grup chose Thales keyAuthority based on several key considerations.
- Key storage. keyAuthority is able to store up to 20 million keys per KMS instance.
- Hardware solution. As a hardware-based solution, keyAuthority is inherently more stable and secure than software solutions for key management, providing the heightened security ADD needed to assure its utility customers.
- Compliance. keyAuthority is FIPS 140-2 Level 3 compliant, dramatically shortening development and implementation of this new solution.
- KMIP-protocol accessible. keyAuthority is a leading implementor of this industry standard protocol.
- Fast deployment. keyAuthority provides out-of-the-box support for replication and backups.
About Thales keyAuthority
keyAuthority is a hardened cryptographic appliance that provides high assurance key management to users of storage applications and systems with embedded encryption. keyAuthority supports the widely-accepted industry standard KMIP (Key Management Interoperability Protocol) to allow comprehensive endpoint interoperability. Centralized administration combines consistent key lifecycle policy enforcement and access controls with reliable auditing to help ensure data recovery and long-term business continuity. keyAuthority scales to support millions of keys, and its tamper-resistant and tamper-evident security boundary (which includes the entire chassis for higher assurance protection) has been designed to FIPS 140-2 Level 3.
With keyAuthority You Can:
- Minimize the complexity of key management by automating key lifecycle policies from generation to destruction.
- Reduce risk of abuse and theft by vaulting keys in a FIPS 140-2 Level 3 designed high-assurance, reliable appliance and by preventing and notifying on tampering events.
- Accelerate solution adoption by pre-qualifying integration with leading encryption products and supporting standard key management protocols.
- Reduce management overhead and costs.