Swiss Smart Meter Data Security and METAS Certification

Accurate data collection and secure data transfer are a must for the smart meter market. Since 2019, smart metering solutions in Switzerland have needed to be METAS certified (METAS Zertifizierung).
CCLab has become one of the leading accredited electric meter testing laboratories in cybersecurity evaluations of smart metering solutions for the energy industry. Among other things, we have extensive experience in data security evaluations in Switzerland under the METAS certification scheme.


Get your METAS certification with CCLab

According to the Electricity Supply Ordinance (Stromversorgungsverordnung), Switzerland has taken a big step forward by standardizing the requirements for Smart Metering Environments.

Thanks to thorough data security evaluation processes, METAS certificates are issued based on independent third-party evaluation done by accredited laboratories.

Keep your solution up to date regarding smart meter security risks and data security vulnerabilities.


Swiss Smart Metering testing laboratory

CCLab has been involved in the preparation of procedures and security functionalities and has supported the Swissmig community since the beginning, which gives us continuous experience in delivering smart meter security evaluations and METAS certificates professionally and quickly. We have pre-evaluated and certified a number of Head-End-Systems, Gateways and Smart Meters (IMS | Intelligent Measurement Devices | intelligenten Messsysteme).

Find all of the necessary documents and information about Swiss smart meter evaluations in our FAQ section.


For up-to-date information and processes, see the Data Security Checks site of METAS certification.


Get your METAS data security certification

Our experts will guide you through the possibilities, such as:

  • Initial document/functionality review
  • Readiness assessment
  • Pre-evaluation for documentation
  • Market specified vulnerability pre-assessment
  • Official evaluation of documents and vulnerability assessment to get METAS certification

Get your A-Z supporting material for evaluation projects:

Checklist for Swiss Smart Metering Cybersecurity Evaluations


Webinars

Do you want to know more about the process?
Do you want to know how you can get your product certified?
SECURE, NOT JUST SMART – SMART METERING DEVICES
On-demand
April 22, 2021

On-demand webinar on Swiss Smart Meter evaluation. Have you missed it? Don't worry: you can get the videos for free and view them whenever you have the time.

Practical information and recommendations for Smart Meter Manufacturers according to the Swiss Data Security Examination processes and introduction of the Common Criteria Protection Profile for Smart Meter Security.


Get in touch with us

Our sales team will guide you through the possibilities of certifying your:

  • Smart metering device (iMG)

  • Communication system (data concentrator (DC) or gateway (GW))

  • Head End System (HES) through the respective test object (ToE or PG)


Our agile evaluation methodology is based on Common Criteria and strictly follows the latest version of “Die Prüfmethodologie zur Durchführung der Datensicherheitsprüfung für Smart Metering Komponenten in der Schweiz” (Test Methodology for Execution of Data Security Evaluation of Swiss Smart Metering Components) for METAS certification, issued by SWISSMIG.

Testimonials

Kenneth Lasoski

Versa Networks

Evaluation team was extremely reasonable and flexible with resolution to findings and was helpful in finding agreeable solutions for CB comments. Consultation team was always responsive and helped shape the documentation for easier evaluation, and provided useful recommendations on satisfying SFR/SARs.

Thierry Bonda

Landis+Gyr

CCLab was well prepared, flexible during the whole evaluation process, and supported us with continuous communication and guidance. Many lessons were learnt during the project and CCLab has always been looking for solutions, supporting our developers the best way they could. The new Swiss evaluation methodology was a good and professional basis to work with, but both parties had to learn how to deal with it.

Jake Nelson

Corsec Security Inc.

The relationship between Corsec and CCLab has been instrumental in helping product vendors successfully complete the Common Criteria certification process. As a Common Criteria consultant to the product vendor, Corsec relies on CCLab’s responsiveness and expertise to quickly and thoroughly complete the testing component of the process. CCLab has been essential in managing multiple projects, their professionalism has helped ensure product vendor satisfaction and ultimate project success.

Alexander Testov

AO Kaspersky Lab.

"I would definitely recommend CCLab to anyone in need of Common Criteria certification. Our cooperation was comfortable, well organized and efficient. I am totally satisfied with the result."

Dayton Marcucci

HID Global

The CCLab team gave us full support to adapt to the changes during product development. Whatever the challenges faced they could keep the due dates and we were able to complete the process quickly and efficiently. The real agile lab helped our success. We are going to work with them again. I highly recommend them to anyone wanting to get its product certified.

Jaime Chica

NXP Semiconductors

It was a well-managed project which achieved success in an effortless manner.

Kalev Pihl

SK ID Solutions

We needed a lab that works quickly but with high work morale and quality of work. CCLab is exactly like that! It was good cooperation experience to work with them. The project was rather complex and our expectations maybe even too high, but the team was committed to the common goals and could keep the milestones; therefore we were able to deliver what was needed. I highly recommend CCLab team to anyone for their great team spirit, quality orientations, agility and reasonable pricing.

Israr Ahmed

Ascertia Ltd.

On behalf of Ascertia, accept my appreciation for the excellent job done by the CCLab team over the past several months in achieving the Common Criteria Certificate for ADSS Server SAM solution. It was an enormous undertaking but went smoothly and efficiently! Thanks to your leadership and dedication combined with your staff's teamwork and energy, we achieved our target. You and your employees should take great pride in this accomplishment. We look forward to extending our work with you for our next certification milestone and hope we will continue to get such excellent service.

Zsolt Rózsahegyi

I4P Informatics Ltd.

Thanks to the agile processes we've been able to add new features to the product during the evaluation that made it even more valuable to customers. CCLAB efficiently supported us throughout the whole change management process. The predictability, accurate scheduling, and supportive mindset helped us to finish the project in time.

FAQ

What documentation helps manufacturers prepare for the test process?

Our Laboratory issues this Whitepaper as a brief summary. METAS provides a checklist and detailed information on the test process: https://www.metas.ch/metas/de/home/dl/datensicherheitspruefungen.html


Which documentation should I submit?

Sec. 2.1 "Required documents" describes which documents you should submit at the beginning of the test process.

What should I know about the checklist as the Manufacturer?

The checklist is a requirement catalogue ("WHAT" column) that shall be fulfilled by the manufacturer ("HOW" and "WHERE" columns). "HOW" is an ADV_FSP-like description, while "WHERE" is an ADV_ARC-like description. In each HOW cell of the checklist, the relevant OT tuples (“x”) from the OT matrix must be referenced (if any).


What about the IT security concept documentation (item 5.1 in the testing methodology)? Is this a part of RL-DSP Annex 2 (RL-DSP-CH_A2_1045)?

The RL-DSP-CH_A2_1045 is the recommended process for operating a whole smart meter system. It includes, among other things, a theoretical explanation for the “5.1 Test field IT security concept” part of the Manufacturer document.

The requirements in Die Prüfmethodologie (Evaluation methodology) and in Annex 1 (RL-DSP-CH_A1_1045) are different. How will Annex 1 be considered in the test process, if it is considered at all?

The requirements from chap. 5 of Annex 1 and the Prüfmethodologie chap. 7 are identical. Other parts of Annex 1 and Annex 2 basically contain requirements for the main components of an iMS.

The requirements are implemented by the architecture and functionality of the main components.

We will perform the testing procedure based on the requirements of the Prüfmethodologie, sections 5.1 to 5.6, which refer to the OT matrix and the checklist.

How will a requirement be evaluated?

Based on the Prüfmethodologie sec. 5.2, which is about the checklist:

The Manufacturer:

  • fills in the checklist of the Prüfmethodologie chap. 7 Prüflistenmodule (HOW: secure functionality to satisfy the WHAT requirement; WHERE: localization of the functionality in the architecture, referencing the relevant OT tuples)
  • delivers sufficient documentation of the components
  • and performs functional tests

The Evaluator:

  • checks the HOW value of the checklist to make sure that it gives a solution to the WHAT (correctness, efficiency, completeness, based on the filled checklist and the additional Manufacturer documents for meter system components) (Prüfmethodologie chap. 7 Prüflistenmodule, e.g. 5.1.4 (b))
  • looks at whether the functionalities linked in the WHERE can really deliver the functionality
  • determines a verdict based on the steps above
  • performs vulnerability analysis and a penetration test to confirm compliance

The requirements of the Prüfmethodologie will also be examined during the documentation evaluation and the penetration test process according to the steps above.


Does the 5.1.4 (b) requirement only mean that data between main system components (Hauptkomponenten) need to be exchanged in an encrypted way?

The requirement means that the assets need to be stored in encrypted format in the Smart Meter; furthermore, the system must include a procedure for the secure, selective deletion of specific data. This procedure shall delete the data permanently, for example by overwriting with random data, so that these specific data cannot be restored.

So, it is about secure storing and deleting, not exchanges.

What is the definition of ‘Vulnerable data’? Is it a secure material (e.g. keys)?

“Vulnerable data” means the protected objects (assets or interfaces based on the SBA) in the test object that shall be protected (confidentiality, integrity and availability).

In this case, the key is also vulnerable data.

Swissmig created a risk analysis document [Studie «Schutzbedarfsanalyse Smart Metering in der Schweiz»; 062016], which contains risk scenarios.

In this document, Swissmig determined the assets, that is, the objects to be protected against threats. The Prüfmethodologie's OT matrix summarizes this information.

Requirement 5.5.1.5 (a): Safe deletion… is a general requirement for all components. How will it be tested?

This is a general requirement for all components, and it will be tested during the penetration test.

Usually, this process cannot be planned in advance; a deep knowledge of the TOE is necessary.

How can I choose CCLab as our Test Lab?

To choose CCLab as Test Laboratory, please enter the CCLab-specific data in the METAS application form (Antragsformular):

  • Name: CCLab Ltd.
  • Abteilung: -
  • Strasse: Katona Jozsef 17. III.2.
  • PLZ Ort: 1137 Budapest
  • Land: Hungary
  • Internetadresse: https://www.cclab.com
  • Kontaktperson (des Prüflabors)
  • Name: Mr. Ferenc Molnár
  • Funktion: CEO
  • Telefon/Mobiltelefon: +36 30 280 6524
  • E-Mail: ferenc.molnar@cclab.hu

Do I have to send the HES test system to CCLab too?

There is a possibility to set up the HES in our laboratory. We can also test the HES with remote access.

What is the lifecycle of the test samples?

First of all, you deliver the test samples to our laboratory. We are responsible for the secure management of the test samples within the physical boundaries of the Laboratory. After the test process, we store the samples for at most one year for easier re-evaluation. After the one-year retention period, we send the samples back to you or take care of the secure disposal. Our price list contains the conditions of back delivery or secure disposal.

What are my options if I have the same device but with several different configurations, e.g. different size of memory, storage, communication modules, enclosure?

This can be certified within one evaluation process, but all the security-relevant parts need to be tested separately. This may result in additional costs compared to a simple TOE evaluation process. If a configuration is not security-relevant (e.g. color of the enclosure), no further tests are necessary. In the final test report, all possible configurations will be listed.