
Zertificon Blog

We provide encryption solutions and write about 'Secure Business Communications'.

TIPS & BEST PRACTICE   13. JUN 2023

Market Communication 2023: Do you need a Cryptographic Module or HSM as a passive external market participant (EMT)?


In this post, we’ll explain the key terms and provide advice on how to manage private keys for SmartMetering PKI in Germany.

Switching from email to AS4 in Market Communication (Marktkommunikation or Mako) requires the use of the federal Smart Metering PKI. As per the Certificate Policy of the Smart Metering PKI (Version 1.1.2, Section 6.2; available only in German), passive external market participants must create, store, and use private keys in a way that meets at least the requirements for Security Level 1, as specified in the Key Lifecycle Security Requirements.

What are passive external market participants (passive EMTs)?

According to the Smart Metering PKI Certificate Policy (1.3.3.4), passive external market participants (passive externe Marktteilnehmer or passive EMTs) are defined as those participants that receive or exchange data from Smart Metering Gateways (SMGWs) but do not have control over these devices.

What is a Cryptographic Module for Security Level 1?

A Cryptographic Module for Security Level 1 can function either as software or a server. To ensure safety, it requires two-factor authentication and strict physical access restrictions. It must also use a random number generator of one of the classes NTG.1, DRG.4, or PTG.3 (as specified in AIS 20/31) to generate keys and signatures as well as to encrypt.

Unlike Security Level 2 (which is mandatory for active EMTs), Security Level 1 does not require the use of a Hardware Security Module (HSM) or an ISO/IEC 27001 certification. Furthermore, the costs associated with purchasing and maintaining a Cryptographic Module are often much lower than those of an HSM.

Other providers of Market Communication suggest using an HSM for Security Level 1. But why doesn’t Zertificon?

Energy companies that use an HSM for Smart Metering communication can also efficiently use it for their market communication. Zertificon can integrate HSMs.

However, companies classified as passive EMTs that have not implemented an HSM face a different situation. The Certificate Policy of the Smart Metering PKI 1.3.3.4 explicitly relieves passive EMTs with Security Level 1 from the obligation to use HSMs. We developed the Z1 Cryptographic Module for passive EMTs to save customers unnecessary costs and complexity. Our cryptographic module costs start in the four-digit range, while an HSM can easily reach six figures.

We recommend using our Z1 Cryptographic Module and ensure compliance with the Key Lifecycle Security Requirements (version 1.0.3 from November 17, 2021) including the random number generator according to AIS 20/31. With 20 years of expertise in cryptography and certificates, we have the knowledge to offer you this cost-effective alternative to HSM.

Other AS4 providers, for example for B2B business applications, have a different development focus than we do. As a result, they are not able to leverage the unique cost-saving opportunities the federal government has provided for passive EMT in their solutions.

Best Practice No.1: Complement your B2B applications using Z1 solution for Market Communication paired with a Cryptographic Module

For passive EMTs, we recommend using Zertificon’s Z1 Energy Market Communication solution along with the Z1 Cryptographic Module. This combination provides a cost-effective method to meet Security Level 1 requirements. As a Messaging Service Handler (MSH), our product connects to many standard applications (e.g., ERP, B2B) via an email interface. That means you can switch to AS4 without giving up your existing applications. At the same time, you will benefit from substantial cost savings compared to using HSM and enjoy the convenience of Zertificon’s automated certificate management.

Best Practice No. 2: Using Z1 SecureMail Gateway to meet regulations for Critical Infrastructures (KRITIS)

Critical infrastructure operators dealing with the EU NIS2 directive need a comprehensive solution set that includes office communication.

Our Z1 SecureMail Gateway is a trusted solution for secure email communication. And if you’re already using Zertificon’s energy products, it’s easy to extend your license to cover email encryption as well. Discuss this vital issue with your departments handling NIS2 matters and digital transformation.

Investing in a central signature and encryption solution that meets all of your use cases can provide you with long-term investment security in various areas. You won’t need extra work for integration, administration, or staff training to meet all the regulations in your sector.

Additional recommendation: Planning your security concept early

We support passive EMTs, who use our Cryptographic Module, in creating a comprehensive security concept for the roll-out of AS4 in Market Communication. We recommend getting in touch early. Each concept needs unique solutions, and we need to schedule these in time.

For more information, including HSM integration, please join our live webinar „Z1 Energy MarketCommunication – Entwicklungsstatus AS4 mit Demo“ (in German). Don’t hesitate to ask your questions there.
