PKI for Network Management
Certificates for Network Management from Manufacturing to MSB Field Operations
SMGW Manufacturing & Network Management (© MTG AG)
As early as the manufacturing stage, manufacturers equip the SMGW with certificates for network management. MTG already supplies the PKI technology required for this to three out of five Smart Meter Gateway manufacturers. These certificates are used in the SMGW outside the device section regulated under BSI TR-03109.
These network management certificates are distinct from the SMGW-G certificates, which originate from a separate sub-CA of the SM-PKI. MTG also provides the appropriate PKI technology for this, for example through DARZ.CA, which has been operated in a long-standing partnership.
Secure Network Management for Smart Meter Gateways in the Field
For the stable operation of Smart Meter Gateways in the field, monitoring the communication connection (such as LTE, 450 MHz, or powerline) is a major advantage. This allows metering point operators to monitor connection status in a targeted manner and better ensure the operational reliability of the gateway.
Securing this communication connection is particularly critical. It should therefore be protected consistently through digital X.509 certificates.
For security reasons, the manufacturer-issued initial certificates should be regularly replaced during field operation with operational certificates issued by the metering point operator. To do so, the metering point operator needs a PKI for network management that is designed for automated and secure certificate processes.
Key requirements include:
- EST interface: Automated and secure retrieval of digital certificates via EST in accordance with RFC 7030.
- Device certificates: Issuance of certificates in accordance with RFC 5280, exclusively as X.509v3 certificates.
- OCSP validation: Real-time certificate validation via an OCSP server, for example to check validity or revocation status.
- LwM2M support: Integration into network management solutions based on LwM2M (Lightweight M2M). This globally established standard is designed for the secure remote management of connected devices and is particularly well suited for device management, monitoring, and field operations.
Key Features of the MTG Corporate PKI (CPKI) for Network Management
The MTG Corporate PKI (CPKI) meets the key requirements for secure Smart Meter Gateway network management, thereby establishing the appropriate trust foundation for field deployment.
A key value-add is the integrated Certificate Lifecycle Management (CLM). It simplifies certificate management across the entire lifecycle, automates core processes, and significantly reduces manual operational effort. This makes secure, scalable operations in smart metering environments much easier.
Managed Services at DARZ or in an On-Premises Environment
Depending on the operating model, the PKI for network management can be provided either as a managed service at DARZ or in an on-premises deployment. As a managed service, it reduces in-house operational effort and accelerates implementation. In an on-premises setup, the PKI can be integrated into the organization’s own infrastructure and adapted to internal policies, processes, and security requirements. This gives metering point operators and GWA service providers the operating model that best fits their organization, business model, and security strategy.