TIPS & BEST PRACTICE 13. JUN 2023
Market Communication 2023: Do you need a Cryptographic Module or HSM as a passive external market participant (EMT)?
In this post, we’ll explain the key terms and provide advice on how to manage private keys for SmartMetering PKI in Germany.
Switching from email to AS4 in Market Communication (Marktkommunikation or Mako) requires the use of federal SmartMetering PKI. As per the Certificate Policy der Smart Metering PKI (Version 1.1.2 – Section 6.2; available only in German), passive external market participants must create, store, and use private keys that meet at least the requirements for Security Level 1 – as specified in the Key Lifecycle Security Requirements.
What are passive external market participants (passive EMTs)?
According to the Certificate Smart Metering PKI Certificate Policy 220.127.116.11, passive external market participants (passive externe Marktteilnehmer or passive EMTs) are defined as those participants that receive or exchange data from Smart Metering Gateways (SMGWs) but do not have control over these devices.
What is a Cryptographic Module for Security Level 1?
A Cryptographic Module for Security Level 1 can function either as software or a server. To ensure safety, it requires two-factor authentication and strict physical access restrictions. It must also use a random number generator of either one of the classes NTG.1, DRG.4, or PTG.3 (as specified in AIS 20/31) to generate keys and signatures as well as to encrypt.
Unlike Security Level 2 (which is mandatory for active EMTs), Security Level 1 does not require the use of a Hardware Security Module (HSM) or an ISO/IEC 27001 certification. Furthermore, the costs associated with purchasing and maintaining a Cryptographic Module are often much lower than those of an HSM.
Other providers of Market Communication suggest using an HSM for Security Level 1. But why doesn’t Zertificon?
Companies in the energy sector that are currently using a Hardware Security Module (HSM) for their Smart Metering Communication might find it beneficial to extend its use to Market Communication. However, if your company is classified as a passive EMT and has not yet integrated an HSM into its operations, this approach might not be the best fit. Therefore, it’s crucial to carefully weigh the advantages and disadvantages of both solutions before making a decision.
While Zertificon can integrate HSMs, we have also developed a cost-effective alternative for passive external market participants: our Z1 Cryptographic Module. We guarantee its conformity with the Key Lifecycle Security Requirements (Version 1.0.3 from 17.11.2021), which includes a random number generator as per AIS 20/31.
Zertificon has a deep market understanding and two decades of experience in cryptography and certificate management. We’re fully equipped to offer a cost-effective alternative to HSM. Other Market Communication providers, such as in B2B applications, typically focus on different areas of development. Therefore they tend to endorse HSM as a reliable and fail-safe choice.
Best Practice No.1: Complement your B2B applications using Z1 solution for Market Communication paired with a Cryptographic Module
For passive EMTs, we recommend using Zertificon’s Z1 Energy Market Communication solution along with the Z1 Cryptographic Module. This combination provides a cost-effective method to meet Security Level 1 requirements. As a Messaging Service Handler (MSH), our product connects to many standard applications (e.g., ERP, B2B) via an email interface. That means you can switch to AS4 without giving up your existing applications. At the same time, you will benefit from substantial cost savings compared to using HSM and enjoy the convenience of Zertificon’s automated certificate management.
Best Practice No. 2: Using Z1 SecureMail Gateway to meet regulations for Critical Infrastructures (KRITIS)
Critical infrastructure operators dealing with the EU NIS2 directive need a comprehensive solution set that includes office communication.
Our Z1 SecureMail Gateway is a trusted solution for secure email communication. And if you’re already using Zertificon’s energy products, it’s easy to extend your license to cover email encryption as well. Discuss this vital issue with your departments handling NIS2 matters and digital transformation.
Investing in a central signature and encryption solution that meets all of your use cases can provide you with long-term investment security in various areas. You won’t need extra work for integration, administration, or staff training to meet all the regulations in your sector.
Additional recommendation: Planning your security concept early
We support passive EMTs, who use our Cryptographic Module, in creating a comprehensive security concept for the roll-out of AS4 in Market Communication. We recommend getting in touch early. Each concept needs unique solutions, and we need to schedule these in time.
For more information – including HSM integration, – please join our live webinar „Z1 Energy MarketCommunication – Entwicklungsstatus AS4 mit Demo“ (in German). Don’t hesitate to ask your questions there.
Live webinar with demo:
„Z1 Energy MarketCommunication – Entwicklungsstatus AS4 mit Demo“