Techem, the leading service provider for smart and sustainable buildings, relies on securely encrypted data transmission for the transfer of meter and consumption values collected in millions of buildings.
With the ECOS TrustManagementAppliance (TMA), Techem has introduced a powerful public key infrastructure to issue and manage certificates.
The TMA ensures secure data exchange at all times between the wireless data collection devices, an IoT cloud platform and the Techem data center.
»The PKI allows us to build securely encrypted communication channels between smart meters, IoT cloud and data center.«
About Techem
Techem GmbH is one of the leading energy service providers in the real estate sector. With around 3,750 employees, the company services more than twelve million homes and is a partner for property owners in areas such as utility billing, consumption metering, healthy housing, energy management and resource preservation. Among its customers are homeowners, housing associations, investors as well as cooperatives. Techem is the market leader for wireless metering of residential energy consumption.
The provider’s all-in-one ‘Smart System’ package is a comprehensive solution digitizing metering and billing processes in the real estate sector.
Meters placed on radiators and water supply lines send the measured consumption values to so-called Smart Readers, which are commonly found in the staircases of apartment buildings and act as master data collectors. Both regular meter reading and functional checks can be performed efficiently and easily from afar. The company’s connected digital solutions thus contribute to a sustainable and eco-friendly real estate management. In total, Techem operates more than 52 million wireless data collectors.
Securing the data traffic of the meter-reading infrastructure
Securely transmitting meter and consumption values recorded by these devices is crucial for Techem for several reasons at once. On the one hand, legal aspects play an important role, as the data are considered personal data by definition and must be processed and protected as such. On the other hand, the service provider must also ensure in the company’s own interest that no third party can access the wireless protocols or manipulate the data, as this would theoretically allow changes to the meter reading values and thus to the billing itself.
Techem was therefore looking for an appropriate solution to secure in particular the data traffic from the master data collectors to an IoT cloud platform and further from the cloud to the back- end of the data center. To be able to manage the meter-reading infrastructure securely in terms of encryption and authentication, the company opted for a PKI (public key infrastructure).
»We figured out quite quickly that we explicitly wanted to secure the meter-reading infrastructure separately from the other certificates we use on the IT side«, explains Sebastian Fingerloos, Head of Information Security at Techem Energy Services GmbH. »In addition, these other certificates are mostly issued by an Active Directory certification authority, whereas in this scenario we were dealing with an IoT infrastructure with- out AD connectivity, which would have made the process very complex.«
Selection of a suitable PKI solution by tender
In the course of a tender process, Techem reviewed a number of offers for implementing a suitable PKI solution. In the final round, two solutions were up for selection, both functionally convincing: a very comprehensive system from the existing, general IT provider and the ECOS TrustManagementAppliance (TMA) from ECOS Technology.
ECOS was able to score as a German manufacturer for a start. On the other hand, Techem’s IT management explicitly wanted to separate security-relevant information from providers of operative IT systems as far as possible. Since the scope of the ECOS solution also met Techem’s requirements exactly, the decision was made in favor of introducing TMA.
Implementation of the ECOS TrustManagement-Appliance
The Trust Management Appliance is specifically designed for PKI and key management as well as for securing a wide range of end devices, mobile devices, sensors, control devices in the IoT environment and more. The TMA was installed in a virtual environment at Techem and individually configured in collaboration with the ECOS partner Devoteam. For reasons of practicality, Techem opted for asymmetric encryption. The TMA also offers optional secure keystore storage for symmetric keys, a feature that was a key factor in the original selection. Techem currently operates two sub CAs with different en- cryption algorithms: One CA uses elliptic curve cryptography key algorithms, the other RSA (Rivest-Shamir-Adleman) key algorithms.
Issuance, renewal and management of certificates
The ECOS PKI solution’s main purpose is to peri- odically issue security certificates for Techem’s master data collectors (smart readers), especially when a new batch of smart readers is produced by the respective manufacturer. For example, Techem uses the PKI to create 50,000 certificates that are sent to the manufacturer and installed on the master data collectors in the production process. These certificates secure the communication of the remote meter-reading infrastructure.
As the certificates have fixed validity periods, their periodic renewal is governed by Techem’s own certificate policy. The TMA further allows revoking certificates and supports certificate revocation lists (CRLs) via cloud. Certificates must be revocable if a customer switches to a different provider or in case a smart reader has a defect, has been compromised, or can no longer be found.
»We are very satisfied with the ECOS TrustManagementAppliance«, says Sebastian Fingerloos. »The PKI has enabled us to create secure, encrypted communication paths between the smart readers, the IoT cloud and the data center. An important aspect for us is that the system, primarily operated via API, works completely uninterrupted and requires no intervention, which has now been the case for several years. Currently, we are planning a major upgrade together with ECOS to further optimize the PKI in terms of performance, security and functionality.«
Because of the positive experience with the TMA as a PKI solution, Techem has since extended the scope of application beyond the original scenario:
ECOS Technology’s solution is now also successfully used to issue a couple of internal server certificates.
ECOS Partner Devoteam
Devoteam is a leading consulting company focused on digital strategies, platform technologies, cybersecurity and business transformation. The implementation of the ECOS PKI at Techem GmbH was initiated, supported and implemented by Devoteam.
Text taken over from original – ECOS Technology
