1) The smart grid introduces new security challenges as it enables two-way communication between utilities and customers.
2) Securing this communication requires authentication of smart meter identities and data integrity. Hardware security modules (HSMs) can help by protecting cryptographic keys.
3) SafeNet HSMs provide a cost-effective public key infrastructure (PKI) solution for smart grid security by combining multiple security functions into a single device and supporting the large scale of smart grid deployments.
The payShield 9000 hardware security module has several potential customer groups:
- Issuing banks that create credit/debit card data instead of outsourcing
- Banks that authorize transactions and their approved third parties
- Acquirers that act on behalf of merchants to obtain transaction authorization
- Card payment networks like Visa and Mastercard
- ATM and debit networks
- Third party processors that handle issuing or acquiring for banks
The payShield 9000 improves on competitive HSMs by offering dual power supplies, higher performance, targeted software license packages, multiple logical security modules, and cost-effective scalable remote management. These benefits lower costs and improve security. Strong support from Thales and partners enhances
This document provides an overview of Thales Payment HSMs (hardware security modules). It discusses Thales' history in payment HSMs and the features of their current payShield 9000 model. Key points covered include how Thales HSMs work using a command/response API, examples of common commands, physical interfaces, local master keys, hardware and software options, and certifications. Useful collateral materials for learning more about Thales Payment HSMs are also listed.
The document provides an overview of Datacryptor Ethernet Layer 2 Version 4.5, which introduces new features like secure multipoint encryption and MPLS awareness. It protects data in transit at the Ethernet layer to avoid bandwidth expansion from alternative Layer 3 encryption methods. The new version offers centralized automatic key generation and distribution for up to 200 nodes, increased security with GCM mode, and flexibility to deploy units at network edges and infrastructures. It solves problems around high bandwidth costs and latency issues compared to Layer 3 encryption.
Key management involves generating, storing, agreeing upon, and revoking encryption keys. Keys can be used for identity, conversation, or integrity purposes. Keys should be generated securely using random numbers from cryptographically secure random number generators rather than predictable pseudorandom number generators. Keys also need to be stored securely, such as in external hardware security modules, rather than in files, databases, or software source code where they could be compromised. Common key agreement protocols like asymmetric encryption or Diffie-Hellman key exchange allow two parties who have not shared secrets previously to establish a shared secret key over an insecure channel.
The document provides information about DGS&D business and how Matrix products like the ETERNITY PBX platform can benefit organizations working with DGS&D. It discusses:
1) DGS&D is the central purchase and quality assurance organization of the Government of India that handles registration and rate contracts for products. Registering with DGS&D provides a ready platform for sales.
2) Partnering with Matrix for DGS&D business provides benefits like special pricing, marketing support, and opportunities to supply additional products and services beyond just PBXs.
3) The ETERNITY PBX platform from Matrix is well-suited for DGS&D requirements as it offers reliable technology, easy management,
The ISIM module stores IMS-specific subscriber data provisioned by an IMS operator. It contains six groups of data: security keys, private/public user identities, home network domain name, P-CSCF address, and administrative data. The ISIM supports IMS AKA, GBA, and HTTP Digest security mechanisms. It initializes by selecting profiles and verifying PIN codes before providing subscriber data to the IMS application.
The payShield 9000 hardware security module has several potential customer groups:
- Issuing banks that create credit/debit card data instead of outsourcing
- Banks that authorize transactions and their approved third parties
- Acquirers that act on behalf of merchants to obtain transaction authorization
- Card payment networks like Visa and Mastercard
- ATM and debit networks
- Third party processors that handle issuing or acquiring for banks
The payShield 9000 improves on competitive HSMs by offering dual power supplies, higher performance, targeted software license packages, multiple logical security modules, and cost-effective scalable remote management. These benefits lower costs and improve security. Strong support from Thales and partners enhances
This document provides an overview of Thales Payment HSMs (hardware security modules). It discusses Thales' history in payment HSMs and the features of their current payShield 9000 model. Key points covered include how Thales HSMs work using a command/response API, examples of common commands, physical interfaces, local master keys, hardware and software options, and certifications. Useful collateral materials for learning more about Thales Payment HSMs are also listed.
The document provides an overview of Datacryptor Ethernet Layer 2 Version 4.5, which introduces new features like secure multipoint encryption and MPLS awareness. It protects data in transit at the Ethernet layer to avoid bandwidth expansion from alternative Layer 3 encryption methods. The new version offers centralized automatic key generation and distribution for up to 200 nodes, increased security with GCM mode, and flexibility to deploy units at network edges and infrastructures. It solves problems around high bandwidth costs and latency issues compared to Layer 3 encryption.
Key management involves generating, storing, agreeing upon, and revoking encryption keys. Keys can be used for identity, conversation, or integrity purposes. Keys should be generated securely using random numbers from cryptographically secure random number generators rather than predictable pseudorandom number generators. Keys also need to be stored securely, such as in external hardware security modules, rather than in files, databases, or software source code where they could be compromised. Common key agreement protocols like asymmetric encryption or Diffie-Hellman key exchange allow two parties who have not shared secrets previously to establish a shared secret key over an insecure channel.
The document provides information about DGS&D business and how Matrix products like the ETERNITY PBX platform can benefit organizations working with DGS&D. It discusses:
1) DGS&D is the central purchase and quality assurance organization of the Government of India that handles registration and rate contracts for products. Registering with DGS&D provides a ready platform for sales.
2) Partnering with Matrix for DGS&D business provides benefits like special pricing, marketing support, and opportunities to supply additional products and services beyond just PBXs.
3) The ETERNITY PBX platform from Matrix is well-suited for DGS&D requirements as it offers reliable technology, easy management,
The ISIM module stores IMS-specific subscriber data provisioned by an IMS operator. It contains six groups of data: security keys, private/public user identities, home network domain name, P-CSCF address, and administrative data. The ISIM supports IMS AKA, GBA, and HTTP Digest security mechanisms. It initializes by selecting profiles and verifying PIN codes before providing subscriber data to the IMS application.
BE Infratek is a pioneer company. We provides Parking Management System, Electronic Toll Management System, Interactive Touch Screen Kiosk and Ikoncierge.
The CP80 Plus card printer enables government agencies, corporations, and universities to produce secure IDs. It can personalize contact and contactless smart cards, encode magnetic stripe cards, and issue proximity cards. The printer offers superior security features like edge-to-edge laminates for durability, UV printing, and theft deterrent software. It produces high quality IDs at speeds of up to 175 cards per hour for single-sided printing.
Embedded devices - Big opportunities in tiny packagesteam-WIBU
Only a decade ago, programming devices like these usually meant working on a very low-level Assembler language, just one mental step removed from the actual hardware and its functions, often fixed and set in stone in ASICs. Technology has evolved by leaps and bounds and made embedded devices more powerful, cheaper, and above all, more versatile. Instead of custom hardware, modern devices tend to use standard components, programmed with Java or C without the need for highly specialized Assembler coding experts. This has opened the floodgates for more innovation, but it has also raised the bar when protection, security, and monetization concepts are concerned.
Any entrepreneur who has invested their time and resources into innovations like these want to know that their IP is protected. Their first concerns are piracy and reverse engineering: Users might buy fakes or forged products by intent or by mistake, eroding considerable business from the original makers and potentially harming their reputation when users inevitably run into trouble with their knock-off products. On top of the threats for the makers themselves, users are at risk as well: Their data, be it sensitive sensor data or valuable production data, needs to be safe from theft, espionage, manipulation, or – currently a hot topic – hijacking.
When it comes to monetizing the resources and IP they have invested into their products, manufacturers generally used to have only one route: Selling the physical devices. In the modern world, business models and monetization options have multiplied: Money can be made by selling additional features and functions ("features-on-demand"). This could be the ability to configure additional axes in an industrial robot: The hardware and software could have the built-in 6-axis controls, but the user would have the opportunity to buy an add-on license to activate additional axes beyond the basic functions if they want to. This makes for leaner logistics, as the manufacturer only needs to sell one type of physical device, and for greater freedom for users to choose which features they actually need.
Another option are time-based licenses, like subscriptions. Users could enter into a leasing contract that allows them to use a device for a defined time with guaranteed updates in that period. The manufacturer benefits from the certainty of regular payments, and the user from lower upfront costs, upgrades to new functions, and permanent state-of-the-art security.
A third monetization option seems synonymous with our times: Apps. OEM or third-party developers can offer additional features in the form of apps that can be bought, licensed, and loaded onto devices. Opening up their ecosystem to third parties in this way can make a manufacturer’s products much more appealing for users and generate additional revenue in the form of licensing fees.
This document provides an overview of the SmartTrust Wireless Internet Browser (WIB) which allows a WAP browser to run on a SIM toolkit card. It discusses how the WIB works as a WAP browser on the card, how it communicates with a Wireless Internet Gateway (WIG) via SMS messages, and some of the capabilities and limitations of having a browser on a card versus on a mobile phone.
Cellnetrix is a company that develops smart card operating systems and applications. They introduce their CellSIM OS, a Java Card 2.2 and Global Platform 2.1.1 based operating system for telecom and internet applications on UICCs (universal integrated circuit cards, formerly known as SIM cards). CellSIM OS supports applications for mobile payment, transportation ticketing, and more. It provides features such as dynamic memory management, cryptography algorithms, and compatibility with 3GPP and ETSI standards. Cellnetrix also offers customized application development and testing services to its customers.
IP Centric Conferencing IP Centric Conferencing IP Centric ...Videoguy
IP Centric Conferencing involves real-time voice, video, and data conferencing over IP networks, allowing multiple participants to communicate simultaneously. Key benefits include reduced costs, improved communications, and increased business competitiveness. Implementing IP conferencing requires choices around standards, network devices, bandwidth, quality of service, scalability, management, security, and legacy system interconnectivity. Proper planning is needed to ensure a successful IP conferencing solution.
The document describes Lipman's Nurit 8000, a 4th generation wireless electronic payment terminal. It is a small, lightweight and flexible handheld device that enables fast, secure transactions for on-the-go retailers and service providers. It offers advantages like supporting various payment and value-added services, functioning as a cellular phone, and enabling electronic signature capture. The Nurit 8000 and its management system allow for increased transactions and profits through customizable features and remote network management capabilities.
SmartWorld is a leading IT solutions provider focused in card solutions and secure identification domain. With expertise in card personalization solutions , EMV Testing Tools & Consultancy , e-security & physical access control products, logical access control solutions, SmartWorld provides unrivalled customer service by truly understanding unique secure identification needs. With a passion for providing high quality, innovative products, and an in-depth understanding of the solution application, SmartWorld has earned a name as a Trusted Identification Expert.
The document summarizes multi-technology contactless card readers that can read both proximity and iCLASS cards. The readers provide a simple migration path from proximity to iCLASS technologies while allowing the use of multiple card types. The readers support popular proximity formats from HID and Indala and provide security features such as mutual authentication and encrypted data transmission. The readers are designed to seamlessly interface with existing access control systems.
The FT7000 is Triton's new full-function ATM that offers a lower total cost of ownership compared to traditional ATMs. It has a 15-inch color display, PC-based platform with Windows XP, and Triton's Prism software. The FT7000 is compliant with all security and accessibility standards and can be installed in new or existing through-the-wall openings. Triton aims to provide financial institutions with reliable, compliant, and cost-effective ATM solutions.
The Display Control Server is the core component of an EZcall enterprise alarm system. It receives and processes alarms, events, and schedules. It can operate on its own connected directly to input and output systems, or work with additional client applications over Ethernet. A single Display Control Server can support over 10,000 input and output connections. The Message Dispatch Server expands the system's capabilities by allowing multiple output connections and additional features like email and message boards.
The Polycom PathNavigator is an advanced gatekeeper solution that makes IP and ISDN video conferencing easy to use. It provides benefits such as simplified dialing, automated deployment and management, and intelligent network routing. Key features include conference on demand, least cost routing, call forwarding, and alternate routing to increase flexibility and reduce costs. The solution is designed to integrate with other network components and manage complex video networks efficiently.
Cryptomach Ltd. is a Ukrainian company that provides various cryptographic products and services including software development, hardware development, theoretical research, and consulting. The company has several departments focused on different areas such as scientific research, integrated security systems, and digital signature certification authority. Some of its cryptographic products include loyalty cards, secure readers, network security devices, hardware security modules, encryption software, and cryptographic libraries. The company also offers pre-boot authentication, digital signature services, and technical support.
This document discusses hardware-assisted virtualization in embedded systems and provides examples. It begins with an overview of embedded virtualization requirements and key use cases. It then reviews Intel virtualization technology features like EPT and VT-d. Examples shown include a retail digital signage soft failover proof of concept using Xen virtualization and a medical critical OS isolation proof of concept separating real-time and standard functions. The document promotes virtualization for consolidation, isolation and robustness in embedded applications.
Vindicator Security Solutions provides comprehensive security solutions including intrusion detection, access control, and advanced security capabilities. They have nearly 30 years of experience and can handle all aspects of a security project from concept design to installation to long-term support. Their goal is to provide customized, scalable solutions tailored to each customer's specific needs and mission.
The document discusses HID's iCLASS 13.56 MHz contactless smart card readers. The readers provide plug-and-play compatibility with access control systems and offer simple upgrades from proximity technology. They support multiple applications through technology partners and are included in the GSA Approved Products List. The readers also allow for on-site firmware upgrades and provide flexible access.
Embedded Development Systems-WearberryTec-LinkedAnil Kumar
Wearberry provides embedded systems engineering and manufacturing solutions for wearable devices, POS terminals, handhelds, and IoT devices. It offers services across the product development lifecycle including hardware and software design, validation, testing and sustaining engineering. Wearberry has expertise in MCUs, connectivity solutions, sensors, displays, wireless technologies and various hardware platforms. It also designs and develops applications for segments like wearables, home automation and healthcare.
Meeting SEP 2.0 Compliance: Developing Power Aware Embedded Systems for the M...mentoresd
Meeting SEP 2.0 Compliance: Developing Power Aware Embedded Systems for the Modern Age – Andrew Caples
The Smart Energy Profile (SEP) 2.0 is quickly becoming the go-to standard for developing innovative products and services in the energy power management sector. Information flow between meters, smart appliances, and energy management systems must occur in an open, standardized, and interoperable fashion. SEP 2.0 establishes the standard for communication interoperability as well as security for networked appliances and meters.
In this session attendees will learn how to meet the challenges of SEP 2.0 compliance with a small footprint RTOS, such as Nucleus RTOS from Mentor Graphics, to address the connectivity and security requirements for the smart energy profile. This session takes a detailed look at the design considerations to consider how an RTOS can reduce development time and cost for SEP 2.0 compliant products.
The next generation of the Bioscrypt V-Flex fingerprint reader is built on the new 4G technology platform that transforms an access control device into a flexible and smart security appliance through improved performance, usability and scalability.
Key2Share is a system that allows smartphones to be used for access control via Near Field Communication (NFC). It issues digital keys that are represented as QR codes and can be shared remotely. This provides flexible access control with options for easy key delegation, remote revocation of access, and management of access rights. A proof of concept has been developed with Bosch Security Systems to integrate Key2Share into their existing access control infrastructure. The system aims to provide secure access control via smartphones while balancing security and compatibility with mobile devices.
Signify provides two-factor authentication software tokens that turn smartphones into secure authentication tokens for remote access. The software tokens deliver the same security and reliability as RSA SecurID hardware tokens using the user's existing smartphone. As a hosted service, Signify ensures the tokens work securely and reliably from any location without needing mobile data coverage.
BE Infratek is a pioneer company. We provides Parking Management System, Electronic Toll Management System, Interactive Touch Screen Kiosk and Ikoncierge.
The CP80 Plus card printer enables government agencies, corporations, and universities to produce secure IDs. It can personalize contact and contactless smart cards, encode magnetic stripe cards, and issue proximity cards. The printer offers superior security features like edge-to-edge laminates for durability, UV printing, and theft deterrent software. It produces high quality IDs at speeds of up to 175 cards per hour for single-sided printing.
Embedded devices - Big opportunities in tiny packagesteam-WIBU
Only a decade ago, programming devices like these usually meant working on a very low-level Assembler language, just one mental step removed from the actual hardware and its functions, often fixed and set in stone in ASICs. Technology has evolved by leaps and bounds and made embedded devices more powerful, cheaper, and above all, more versatile. Instead of custom hardware, modern devices tend to use standard components, programmed with Java or C without the need for highly specialized Assembler coding experts. This has opened the floodgates for more innovation, but it has also raised the bar when protection, security, and monetization concepts are concerned.
Any entrepreneur who has invested their time and resources into innovations like these want to know that their IP is protected. Their first concerns are piracy and reverse engineering: Users might buy fakes or forged products by intent or by mistake, eroding considerable business from the original makers and potentially harming their reputation when users inevitably run into trouble with their knock-off products. On top of the threats for the makers themselves, users are at risk as well: Their data, be it sensitive sensor data or valuable production data, needs to be safe from theft, espionage, manipulation, or – currently a hot topic – hijacking.
When it comes to monetizing the resources and IP they have invested into their products, manufacturers generally used to have only one route: Selling the physical devices. In the modern world, business models and monetization options have multiplied: Money can be made by selling additional features and functions ("features-on-demand"). This could be the ability to configure additional axes in an industrial robot: The hardware and software could have the built-in 6-axis controls, but the user would have the opportunity to buy an add-on license to activate additional axes beyond the basic functions if they want to. This makes for leaner logistics, as the manufacturer only needs to sell one type of physical device, and for greater freedom for users to choose which features they actually need.
Another option are time-based licenses, like subscriptions. Users could enter into a leasing contract that allows them to use a device for a defined time with guaranteed updates in that period. The manufacturer benefits from the certainty of regular payments, and the user from lower upfront costs, upgrades to new functions, and permanent state-of-the-art security.
A third monetization option seems synonymous with our times: Apps. OEM or third-party developers can offer additional features in the form of apps that can be bought, licensed, and loaded onto devices. Opening up their ecosystem to third parties in this way can make a manufacturer’s products much more appealing for users and generate additional revenue in the form of licensing fees.
This document provides an overview of the SmartTrust Wireless Internet Browser (WIB) which allows a WAP browser to run on a SIM toolkit card. It discusses how the WIB works as a WAP browser on the card, how it communicates with a Wireless Internet Gateway (WIG) via SMS messages, and some of the capabilities and limitations of having a browser on a card versus on a mobile phone.
Cellnetrix is a company that develops smart card operating systems and applications. They introduce their CellSIM OS, a Java Card 2.2 and Global Platform 2.1.1 based operating system for telecom and internet applications on UICCs (universal integrated circuit cards, formerly known as SIM cards). CellSIM OS supports applications for mobile payment, transportation ticketing, and more. It provides features such as dynamic memory management, cryptography algorithms, and compatibility with 3GPP and ETSI standards. Cellnetrix also offers customized application development and testing services to its customers.
IP Centric Conferencing IP Centric Conferencing IP Centric ...Videoguy
IP Centric Conferencing involves real-time voice, video, and data conferencing over IP networks, allowing multiple participants to communicate simultaneously. Key benefits include reduced costs, improved communications, and increased business competitiveness. Implementing IP conferencing requires choices around standards, network devices, bandwidth, quality of service, scalability, management, security, and legacy system interconnectivity. Proper planning is needed to ensure a successful IP conferencing solution.
The document describes Lipman's Nurit 8000, a 4th generation wireless electronic payment terminal. It is a small, lightweight and flexible handheld device that enables fast, secure transactions for on-the-go retailers and service providers. It offers advantages like supporting various payment and value-added services, functioning as a cellular phone, and enabling electronic signature capture. The Nurit 8000 and its management system allow for increased transactions and profits through customizable features and remote network management capabilities.
SmartWorld is a leading IT solutions provider focused in card solutions and secure identification domain. With expertise in card personalization solutions , EMV Testing Tools & Consultancy , e-security & physical access control products, logical access control solutions, SmartWorld provides unrivalled customer service by truly understanding unique secure identification needs. With a passion for providing high quality, innovative products, and an in-depth understanding of the solution application, SmartWorld has earned a name as a Trusted Identification Expert.
The document summarizes multi-technology contactless card readers that can read both proximity and iCLASS cards. The readers provide a simple migration path from proximity to iCLASS technologies while allowing the use of multiple card types. The readers support popular proximity formats from HID and Indala and provide security features such as mutual authentication and encrypted data transmission. The readers are designed to seamlessly interface with existing access control systems.
The FT7000 is Triton's new full-function ATM that offers a lower total cost of ownership compared to traditional ATMs. It has a 15-inch color display, PC-based platform with Windows XP, and Triton's Prism software. The FT7000 is compliant with all security and accessibility standards and can be installed in new or existing through-the-wall openings. Triton aims to provide financial institutions with reliable, compliant, and cost-effective ATM solutions.
The Display Control Server is the core component of an EZcall enterprise alarm system. It receives and processes alarms, events, and schedules. It can operate on its own connected directly to input and output systems, or work with additional client applications over Ethernet. A single Display Control Server can support over 10,000 input and output connections. The Message Dispatch Server expands the system's capabilities by allowing multiple output connections and additional features like email and message boards.
The Polycom PathNavigator is an advanced gatekeeper solution that makes IP and ISDN video conferencing easy to use. It provides benefits such as simplified dialing, automated deployment and management, and intelligent network routing. Key features include conference on demand, least cost routing, call forwarding, and alternate routing to increase flexibility and reduce costs. The solution is designed to integrate with other network components and manage complex video networks efficiently.
Cryptomach Ltd. is a Ukrainian company that provides various cryptographic products and services including software development, hardware development, theoretical research, and consulting. The company has several departments focused on different areas such as scientific research, integrated security systems, and digital signature certification authority. Some of its cryptographic products include loyalty cards, secure readers, network security devices, hardware security modules, encryption software, and cryptographic libraries. The company also offers pre-boot authentication, digital signature services, and technical support.
This document discusses hardware-assisted virtualization in embedded systems and provides examples. It begins with an overview of embedded virtualization requirements and key use cases. It then reviews Intel virtualization technology features like EPT and VT-d. Examples shown include a retail digital signage soft failover proof of concept using Xen virtualization and a medical critical OS isolation proof of concept separating real-time and standard functions. The document promotes virtualization for consolidation, isolation and robustness in embedded applications.
Vindicator Security Solutions provides comprehensive security solutions including intrusion detection, access control, and advanced security capabilities. They have nearly 30 years of experience and can handle all aspects of a security project from concept design to installation to long-term support. Their goal is to provide customized, scalable solutions tailored to each customer's specific needs and mission.
The document discusses HID's iCLASS 13.56 MHz contactless smart card readers. The readers provide plug-and-play compatibility with access control systems and offer simple upgrades from proximity technology. They support multiple applications through technology partners and are included in the GSA Approved Products List. The readers also allow for on-site firmware upgrades and provide flexible access.
Embedded Development Systems-WearberryTec-LinkedAnil Kumar
Wearberry provides embedded systems engineering and manufacturing solutions for wearable devices, POS terminals, handhelds, and IoT devices. It offers services across the product development lifecycle including hardware and software design, validation, testing and sustaining engineering. Wearberry has expertise in MCUs, connectivity solutions, sensors, displays, wireless technologies and various hardware platforms. It also designs and develops applications for segments like wearables, home automation and healthcare.
Meeting SEP 2.0 Compliance: Developing Power Aware Embedded Systems for the M...mentoresd
Meeting SEP 2.0 Compliance: Developing Power Aware Embedded Systems for the Modern Age – Andrew Caples
The Smart Energy Profile (SEP) 2.0 is quickly becoming the go-to standard for developing innovative products and services in the energy power management sector. Information flow between meters, smart appliances, and energy management systems must occur in an open, standardized, and interoperable fashion. SEP 2.0 establishes the standard for communication interoperability as well as security for networked appliances and meters.
In this session attendees will learn how to meet the challenges of SEP 2.0 compliance with a small footprint RTOS, such as Nucleus RTOS from Mentor Graphics, to address the connectivity and security requirements for the smart energy profile. This session takes a detailed look at the design considerations to consider how an RTOS can reduce development time and cost for SEP 2.0 compliant products.
The next generation of the Bioscrypt V-Flex fingerprint reader is built on the new 4G technology platform that transforms an access control device into a flexible and smart security appliance through improved performance, usability and scalability.
Key2Share is a system that allows smartphones to be used for access control via Near Field Communication (NFC). It issues digital keys that are represented as QR codes and can be shared remotely. This provides flexible access control with options for easy key delegation, remote revocation of access, and management of access rights. A proof of concept has been developed with Bosch Security Systems to integrate Key2Share into their existing access control infrastructure. The system aims to provide secure access control via smartphones while balancing security and compatibility with mobile devices.
Signify provides two-factor authentication software tokens that turn smartphones into secure authentication tokens for remote access. The software tokens deliver the same security and reliability as RSA SecurID hardware tokens using the user's existing smartphone. As a hosted service, Signify ensures the tokens work securely and reliably from any location without needing mobile data coverage.
Signify provides two-factor authentication software tokens that turn smartphones into secure authentication tokens for remote access. The software tokens deliver the same security and reliability as RSA SecurID hardware tokens using the user's existing smartphone. As a hosted service, Signify ensures the tokens work securely and reliably from any location without needing mobile data coverage.
SmartCard Forum 2011 - Evolution of authentication marketOKsystem
The document discusses strong authentication solutions from Gemalto for enterprises. It describes Gemalto's secure personal devices that are used by billions of individuals worldwide, including SIM cards, credit cards, and e-passports. It then discusses the evolution of the authentication market towards mobility and cloud computing. The document promotes Gemalto's Protiva strong authentication service, which provides a flexible authentication solution that can be deployed both on-premise or as a hosted cloud service. It describes features such as user on-boarding, device fulfillment, and easy billing models.
SmartCard Forum 2010 - Secured Access for enterpriseOKsystem
Gemalto presented an overview of their identity and access management (IAM) solutions for enterprises. Their solutions include smart cards, tokens, readers, drivers, applications and authentication servers. Smart cards securely store digital certificates, user PINs, one-time passwords and encryption keys. Gemalto has several smart card families including .NET, TPC and IAS cards that provide different features like PKI, OTP authentication and certification levels. Their solutions help enable strong multi-factor authentication for secure access to enterprise networks, applications, data and facilities. Gemalto also discussed their management systems and middleware to integrate their solutions.
Signify provides token-based two-factor authentication as a fully hosted service using RSA SecurID tokens. This secure solution reliably authenticates users 24/7 from any computer without needing a mobile phone. As a complete managed service, Signify handles the authentication infrastructure across multiple data centers with 99.999% uptime, provides an identity management portal and end-user helpdesk, and offers options for token provisioning and emergency access.
Signify provides token-based two-factor authentication as a fully hosted service using RSA SecurID tokens. This secure login method generates and displays a unique passcode on each token every 60 seconds, removing the vulnerabilities of passwords. Signify's service handles all infrastructure management and support so customers can quickly deploy strong authentication without needing new hardware, software, or IT resources.
PIV Card based Identity Assurance in Sun Ray and IDM environmentRamesh Nagappan
This document discusses using PIV (Personal Identity Verification) cards for identity assurance in a Sun Ray desktop environment. It describes the mandatory and optional credentials that can be stored on a PIV card, including biometric fingerprints. It outlines how Sun Ray supports the use of PIV cards for multi-factor authentication and single sign-on to applications. Integration is discussed with identity management and PKI/biometric middleware providers to enable PIV card authentication on Sun Ray desktops and in virtual desktop environments.
Securing Digital Identities and Transactions in the Cloud Security GuideSafeNet
Instead of spending thousands of dollars, and weeks, to install, customize, and integrate
business transaction applications in-house on local servers and workstations, running these
transactions ‘in the cloud,’ or on virtualized platforms, offers an attractive, simple, and costeffective
option.
In order to foster a level of trust matching that of existing internal enterprise resources, and
to sustain compliance with internal policy and external regulations, it is essential that cloud
platforms adopt a cryptographic deployment model. Through this adoption, organizations can
ensure ownership and confi dentiality of the cloud, integrity of business processes, transactional
non-repudiation, and streamlined compliance with heightened security standards—without
negatively impacting performance and reliability of cloud resources.
RSA SecurID is a two-factor authentication solution that provides strong security through one-time passwords generated by hardware or software tokens combined with a user's PIN. It protects access to critical network resources and helps organizations comply with regulations. RSA Authentication Manager is the centralized management software that verifies authentication requests from various applications and systems. It offers scalability, high availability, and integration with over 400 third party products. RSA also provides hardware and software tokens, as well as appliances, to deliver two-factor authentication in a way that meets various user and organizational needs.
Deep Security provides software-based security and compliance for systems operating in standalone, virtual, and cloud environments to help organizations meet PCI DSS requirements. It addresses 7 PCI regulations and over 20 sub-controls with features like network segmentation, host firewall, antivirus, virtual patching, and web application protection to provide core PCI controls from a single, centrally managed solution. Deep Security can economically help organizations meet PCI compliance challenges for distributed locations, vulnerability management, and website and virtualization security.
The document discusses WISeKey's end-to-end security framework for IoT devices and data. It provides cryptographic root keys and digital certificates to protect IoT devices and their data through authentication, confidentiality and integrity. WISeKey's solutions include VaultIC tamper-resistant chips embedded in devices, as well as a Certificate Management System and security broker that manage the lifecycle of device certificates signed by WISeKey's Certificate Authority rooted to the Swiss-based OISTE root of trust. This framework is designed to securely connect IoT devices to networks and platforms.
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
The Challenge of Integrating Security Solutions with CI.pdfSavinder Puri
Informational article which will discuss the issues with code signing solutions as they relate to ci/cd workflows (including DIY and HSM solutions).
Targeted Persona: mostly technical decision makers and operational champions (devops/devsecops).
Gemalto is introducing their .NET smart card solution for strong authentication. The .NET smart card can be used in various form factors like badges and USB devices. It hosts applications, keys, and generates one-time passwords. Gemalto's solution works with the Microsoft security platform and addresses network logon, desktop authentication, and other services. The .NET smart card works with the new Microsoft Smart Card Framework and provides a small minidriver that interfaces with the Base Cryptographic Service Provider. Gemalto offers professional services and an evaluation kit to help customers implement the .NET smart card solution.
The document discusses Bitzer Enterprise Application Mobility (BEAM), a solution that allows secure access to corporate networks and data from mobile devices. BEAM isolates corporate access and data from personal apps through a secure container with an AppTunnel. It offers single sign-on access to corporate applications while maintaining a rich user experience. BEAM supports multiple mobile platforms and provides remote management capabilities for IT.
Tata Communications offers a Managed Authentication service to help secure access to critical data through two-factor authentication using a personal identification number and randomly generated token code. The service provides fully managed authentication servers and supports a choice of hard token and soft token options. It helps reduce complexity, costs, and improves security for network-connected assets.
A joint presentation of Gary Williams of Schneider Electric and Michael Coden of NextNine at the 10th Annual Conference of the American Petroleum institute. The presentation discusses benefits, disadvantages, and architectures for allowing 3rd party access.
AppViewX CERT+ provides a one-stop solution for automated discovery, expiry alerting, renewal, provisioning and revoking of digital certificates across networks including servers, clients, and ADC devices. It arms Security Operations and Public Key Infrastructure (PKI) teams with critical insights that can be used to avoid unwanted outages and other issues associated with non-compliant certificates. CERT+ integrates with major Certificate Authorities such as GeoTrust, Comodo, GoDaddy, DigiCert, Microsoft CA and Entrust.
Similar to Securing the Smart Grid with SafeNet HSMs (20)
An important part of eIDAS is to regulate electronic signature and ensure safe transactions online. By providing qualified electronic signature, Trust Service Providers allow both signatory and recipient a higher level of convenience and security. Use this guide to understand and navigate the regulation goals and benefits.
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
Forget the geeky analysis of cloud security; risk is driven by people involved and the approach to adoption. In this RSA Conference 2015 presentation, David Etue, VP of Corporate Strategy, Gemalto, reviews the complex issues around data ownership and control in the cloud. When so many people have access to your data, how do you keep it safe? Unshare it!
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlSafeNet
This document discusses security challenges with cloud computing and sharing data in a multi-tenant environment. It notes that while cloud computing provides benefits like scalability and efficiency, security and compliance needs are not fully addressed due to increased risks from a larger attack surface, new definitions of privileged users, and difficulties applying security controls in shared environments. The document advocates approaches like encryption and strong authentication to help customers maintain ownership and control of their data and enable security in cloud models.
Cyber Security Management in a Highly Innovative WorldSafeNet
Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred!
But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats.
Author: David Etue, VP of CorpDev Strategy, SafeNet
Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
By Joshua Corman, Dir. Security Intelligence, Akamai Technologies (@joshcorman) & David Etue, VP of CorpDev Strategy, SafeNet Inc. (@djetue)
Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Watch the full webcast: https://www.brighttalk.com/webcast/2037/72187
What is ProtectV and how can it help your organization? Here's a concise overview of SafeNet's cloud encryption solution for Amazon Web Services or VMware, as presented at VMworld.
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelSafeNet
The document provides a 5-step guide for optimizing a SaaS business model: 1) Track usage data to understand customer usage patterns, 2) Identify patterns in the usage data, 3) Segment customers based on usage patterns, 4) Test new pricing and packaging models with A/B testing, and 5) Continuously measure results and refine the business model. The goal is to develop a segmented offering that maximizes revenue by matching products and prices to customer value based on usage data and feedback.
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeNet
SafeNet simplifies competitive migrations with bundled migration packages that enable organizations of any size to seamlessly transition to SafeNet’s Fully Trusted Authentication Environment. With this type of environment, customers retain control over data and policies,
improve management and visibility, manage risk through a variety of authenticator options, and can supplement their installation with additional layers of protection to further secure sensitive data.
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsSafeNet
Strong authentication and single sign-on for SaaS applications is available with SafeNet
Authentication Manager and SafeWord 2008.
With either platform, the enterprise security team retains complete control over the
configuration, deployment, and administration of the authentication infrastructure, which
remains in the enterprise’s IT domain.
Organizations can deploy either platform in their network’s DMZ, so users can authenticate
directly to cloud-based applications and services, rather than having to go through the corporate VPN. As a result, users have a faster, more seamless experience accessing on-premise and
cloud-based applications, while enterprises enjoy optimized security.
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...SafeNet
Traditionally, a local connection, such as SCSI or PCI bus, has been used to connect an HSM to
its host server. While these local connections provide good bandwidth and an added degree of
physical security, they cannot offer the fl exible, shareable features of a network connection. The
Luna SA was designed from the ground up to provide customers with a more powerful, fl exible
HSM product. One of the cornerstones of this fl exibility is the fact that the Luna SA is a network
attached device, a feature that permits the Luna SA’s high-performance HSM capabilities to be
easily deployed and shared between multiple network clients.
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...SafeNet
To aid a successful and secure Public Key Infrastructure (PKI) implementation, this article
examines the essential concepts, technology, components, and operations associated with
deploying a Microsoft PKI with root key protection performed by a SafeNet Luna Hardware
Security Module (HSM).
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...SafeNet
Cloud computing services can support nearly every mission the federal government performs –
from defending our nation’s borders to protecting the environment. Offering an elastic, adaptive
infrastructure, cloud computing enables federal agencies and their component organizations
to share information and create services, improving how agencies support the federal mission
and serve the American public. Just as the benefits are obvious, however, so too are the security
concerns. When consolidating their infrastructures with cloud service providers, how do federal
agencies ensure that sensitive data remains secure? How do they remain in control of their
information assets and compliant with U.S. Office of Management and Budget (OMB) and
agency-specific mandates and policies? Of equal importance is how the security concerns differ
within the federal community. This white paper outlines the role of trust in different federal
government communities, the path federal agencies can take to start building trust into cloud
deployments, and the approaches and capabilities that these organizations need to make this
transition a reality.
Hardware Security Modules: Critical to Information Risk ManagementSafeNet
The volume of information is mushrooming and being transformed from paper to digital form
at an alarming rate with no end in sight. Individually, we all experience the steady growth in storage capacity and our use of that capacity in the devices we touch daily – our laptops, desktops, and smart phones. On the commercial side, a conversation with the IT data center personnel quickly reveals that adding storage capacity is a perennial budget item. What should also be recognized is that the value of digitized information is not solely determined by the fact that it exists and its increasing volume, but its use. Business and
governmental entities know from experience that the fl uidity of digitized information is critical
in the advancement of their business operations and citizen-serving endeavors. The escalating growth in the creation, storage, and use of digitized information also creates a growing exposure of information being lost, stolen, misused, and contaminated. The rise in regulations and laws designed to protect the rights of individuals is tangible evidence that this exposure is real. The rise in incidences of information breaches represents another piece of evidence of this growing exposure.
Strong Authentication: Securing Identities and Enabling BusinessSafeNet
In today’s environment, the need for organizations to enable secure remote access to corporate networks, enhance their online services, and open new opportunities for e-commerce is bringing ever-growing attention to the importance of securing user access and validating identities. In addition, the recent barrage of identity theft and corporate fraud cases has brought corporate responsibility and the protection of sensitive data to the spotlight. Consumer demands and compliance pressures bring organizations and institutions to search for new ways to strengthen their internal controls, authentication methods, and identity management practices. The message is clear – action is needed to stay ahead in the fast changing, security-conscious market.
Building Trust into eInvoicing: Key Requirements and StrategiesSafeNet
For years, the digitalization of assets has been underway, completely transforming entire
industries, from healthcare to music. In the same way, the move to digitalization has also
brought fundamental change to the way businesses manage invoices. By moving to electronic
invoicing, known as eInvoicing, organizations in a host of industries can realize a range of
benefi ts • Reduced costs. By eliminating the purchase of paper for invoice printing, reducing the
time and expense of physical invoice handling, reducing the space and expense of paperbased
fi le storage, and eliminating postage, organizations can realize direct, upfront cost
savings.
A Question of Trust: How Service Providers Can Attract More Customers by Deli...SafeNet
Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud computing services can deliver clear cut benefi ts to a host of companies. Today, however, security concerns are a big barrier to many clients’ adoption of cloud services. To boost market share and gain competitive distinction, cloud service providers need to add the security infrastructure that safeguards clients’ sensitive data and fosters trust. This white paper outlines the path cloud providers can take to start building trust into cloud deployments, and details the approaches and capabilities organizations need to make this transition a reality.
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range
of products, proprietary and through partner alliance. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but
exceeded.
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...SafeNet
In the wake of acts of terrorism occurring worldwide, it has become imperative for countries to increase the level of security at their borders. To assist in
their efforts for stronger border security, countries around the globe are implementing an e-passport program.
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an organization. Consequently, as organizations look to comply with security best practices and regulatory mandates, database encryption is becoming increasingly common—and critical. Today, security teams looking to employ database encryption can choose from several alternatives. This paper provides a high level comparison of two approaches: Microsoft’s native encryption capabilities for SQL Server and the SafeNet DataSecure platform.
DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-themiddle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.
1. Securing the Smart Grid with
SafeNet HSMs
SafeNet
WH
WHITEPAPER
WHITEPAPER
Overview
The smart grid is the first major effort to modernize an energy infrastructure that has
remained largely unchanged over the past several decades. The smart grid creates a network
of links between customers and utility companies that provides increased insight into and
management of energy consumption, cost, and workload across the entire energy grid. At a
time when energy utilities play an increasingly important part of our everyday lives, smart
grid technologies introduce new security challenges that must be addressed. Implementing a
smart grid without proper security could result in grid instability, loss of private information,
utility fraud, and unauthorized access to energy consumption data.
Building a trusted smart grid will require robust security solutions, and interoperability from
multiple vendors, that can be easily deployed at the communication and application layers of
the smart grid infrastructure. In the first phase of smart grid deployments, traditional meters
will be replaced with meters that can be read remotely, called smart meters. The Advance
Metering Infrastructure (AMI) is the second phase of the smart grid and uses smart meters
to enable a two-way channel of communication between meters and the utility company.
Securing this two-way line of communication is imperative, and will require a solution for
Head End Trusted Identity authentication and Smart Meter device attestation to ensure the
integrity of the grid. Leveraging this integrity will allow utilities to both; issue trusted firmware
upgrades on deployed smart meters, and verify data from smart meters coming back to the
deployed Head End Systems. This system integrity will maintain security, and minimize cost
footprint of upgrades to the deployed smart meters.
A critical component of smart grid security is cryptography and key management, which will
ensure confidentiality, authenticity, and integrity of devices and communications within the
grid. Every cryptographic system needs strong protections for the top-level cryptographic
material used to provide the systems trust anchor. Typically, compromise of these top-level
keys results in complete or at least very broad system-wide compromise. This is where
hardware security modules offer significant trust value.
Securing the Smart Grid with SafeNet HSMs Whitepaper 1
2. HSMs Role in the Smart Grid
Smart grid security solutions must be able to deploy on a large scale, with minimal effect
on applications. Securing the smart grid at the communication layer will require a system
to identify connected meters, to verify that these meters are configured correctly, and to
validate these meters for network access. The recommended solution for this authentication
process is an identity based model, often a Public Key Infrastructure (PKI). PKIs are ideal for
large-scale security deployments that require a high level of security with minimal impact
on performance. In a PKI environment, it is essential that private keys and certificates are
guarded with a reliable key management solution that protects against ever-evolving data
threats, such as hardware security modules (HSMs).
HSMs require secure interoperability with deployed Smart Grid infrastructures. For years,
various industries have relied on HSMs for securing the most sensitive PKI environments.
In fact, SFNT HSMs have a long standing history with large scale deployments in the
financial industry, working to define and implement industry standard based deployments,
and deployed to protect more financial transactions than any other HSM (more than a
trillion Dollars day) applications. SafeNet HSMs offer a cost-effective PKI solution for
easy deployment in smart grid infrastructures. With the SafeNet PKI Bundle, product and
maintenance costs are dramatically reduced by combining HSM functionality that usually
requires two or more HSMs into a single HSM “bundle” of modular functions. For CAs with
certificates and root keys, for example, rather than requiring separate HSMs for key generation
and key export for offline and online root CAs, the requirements can be fulfilled by one SafeNet
HSM that stores keys in hardware to achieve FIPS 140-2 L3 security. In addition, with high-
performance RSA, ECC, and AES cryptographic services, SafeNet HSMs are the only HSM in
the industry that can keep up with the performance requirements of even the most complex
advanced smart grid deployments.
Generation
High Value
Endpoints
Suppliers
Device ID DR
PKI PKI
Provisioning
Head-End
PKI
Messaging
Production
Code Signing
HAN
Utility Engineering
Development
Code Signing Utility Operations
PEV
End to End Security
HSMs Uses Related to Smart Grid Functions
Device Identities. A SafeNet HSM performs many vital security functions during the
manufacturing of smart grid devices. While issuing device identity certificates at the factory,
the SafeNet HSM can protect both a sub-ordinate CA and registration authority (RA) key
pairs, and secure signing key for any firmware or code loaded at manufacturing time. Hosting
a sub-ordinate CA at the each manufacturing site isolates the site both operationally and
cryptographically. HSM-supported RA functionality at the manufacturing site is important
as the HSM provides high entropy RNG seed material and FIPS 140-2 Level 3-certified key
generation for each device. The resource-constrained nature of smart grid devices makes
Securing the Smart Grid with SafeNet HSMs Whitepaper 2
3. it critical to ensure devices are provisioned with FIPS Validated high entropy seed material.
Therefore, it is important to offer support for both CA and RA capabilities in the same HSM
Bundle—SafeNet HSMs support this through the PKI Bundle feature without compromising
security. Once manufactured with a trusted identity, a deployed device is expected to remain in
the field for a long period, during that period the HSM is used to securely sign all firmware or
Device ID updates in the field
Root CA
Vendor DR CA Site
Contract
Manufacturers ……
Utilities
Equipment vendors certifying device IDs at manufacturing
Device Provisioning. The same SafeNet HSM features and capabilities that support device
issuance, as described above, can also be used by utility companies to provision devices
within their infrastructures. In this case, deploying subordinate CAs at distribution centers,
where meters and other devices are accepted into the utility’s control. Of course, this may
be at a central office when provisioning is done during final installation at the site. Here, the
utility either re-certifies the key pair created by the device manufacturer or generates their
own completely new key pair and certificate. Device identities (certificates) are one part of
the provisioning, HSMs are also leveraged for firmware updates and code signing -an equally
important part of a secure end-to-end system. At this staging point, it is also critical to import
into each device a trust root database, informing the devices which head-end systems to trust.
Such device provisioning is required to maintain security, and minimize operational costs, in
the long life expectancy of smart meters once deployed.
Securing the Smart Grid with SafeNet HSMs Whitepaper 3
4. Key
Manager
Head
PKI Utility
End
HSMs in
High Availability
Device
HSMs in
Vendor High Availability
Device
Manifests
Device S/N
Customer ID
Create/Certify ID
Issue Device ID Pre - provisioned Issue Utility keys
Seed Device
End Point
Installer
From factory to deployment
Device Re-Certification. It would certainly be tempting to issue device certificates with
very long lifecycles to avoid re-certification challenges altogether. However, this is not
practical given the realities of the infrastructure. Devices fail and are replaced, devices
require upgraded certificates, and the device firmware could get compromised—all leading
to potential point of weakness. Because of this, device certificates and firmware need to
have reasonable lifecycles and, therefore, utilities need the ability to re-certify the devices.
The same set of SafeNet HSMs used for device provisioning can support re-certification. Of
course, this is standard CA functionality but highlights another reason why utilities need their
own PKI.
Secure Message Processing. In smart grid infrastructures, the confidentiality, integrity, and
authenticity of messages are critical. Meters need to accept commands only from authentic
head-end systems, and the integrity and confidentiality of meter data must be assured. HSMs
are critical in protecting the high assurance trusted head-end system Identities. Endpoint
devices can use their certificates to sign and encrypt messages destined for the head-
end system. At the head-end messaging side, keys used to sign commands and messages
directed to the endpoint are obviously high-value keys. A compromise of these keys could also
compromise a substantial portion of the infrastructure. SafeNet HSM’s provide the security,
performance, and reliability, and cross vendor interoperability required to support this
function. SafeNet HSMs provide 5 9’s availability and high-performance RSA, ECC, and AES
cryptographic services capable of supporting a wide range of secure messaging architectures.
SafeNet HSMs are also capable of protecting very large quantities of keys, so it’s easy to
ensure keys are used for only one purpose and to devise schemes that cryptographically
segment a network into a large number of keys to provide further isolation within the
infrastructure.
Securing the Smart Grid with SafeNet HSMs Whitepaper 4
5. Distribution
Automation
Meter Data
Mgmt System Head End
HSMs in
Meter Reading
High Availability
Residential
Generation
Meter
Management
Demand
Management
Pluggable
Electric Vehicle
Digital envelope messaging
Device Authentication. Given the massive scale associated with many smart grid
deployments, utilities need to carefully manage their certificate policies. Without proper
segmentation and lifetimes, revocation schemes will quickly become overwhelmed.
Segmenting a utility’s equipment cryptographically as discussed above is one component
of the strategy. Another strategy is the use of On-Line Certificate Status responders.
Traditionally, a head-end system would check an OCSP responder directly while validating
a device’s certificate. However, a recommended approach has the end devices periodically
collecting their own certificate status. The devices cache the responses, and then supply it to
the head end with each message. This approach has the advantage of making the grid more
robust to equipment failures, but has the disadvantage of broadening the attack footprint.
A compromise of the OCSP responder key pair could then be used to supply fraudulent
certificate status. SafeNet HSMs provide the performance and FIPS 140-2 Level 3 protections-
protection of the OCSP responder private keys, offsetting the risk associated with caching
certificate statuses. The HSM partitioning capability means the utility does not need a
dedicated HSM to support the OCSP responder.
Securing the Smart Grid with SafeNet HSMs Whitepaper 5
6. DR
PKI
Device Vendor
Utility Utility Root
Federated
Neighbors
……
Device ID
HSMs in
High Availability
Regional
Sub Roots
West Central East
Securing utilities segmented by domain
Infrastructure Trust Anchors. As utilities and smart grid vendors deploy PKIs within their
solutions, they often choose to set up their own private PKI, as opposed to basing it on a public
CA, however both are viable options. SafeNet HSMs are the market leader in both Enterprise
PKI, and hosted PKI Services options. An Enterprise PKI provides the policy controls and
assurance necessary that are not always available in a public CA. When deploying root CAs,
it is common to keep the root offline and use it under very strict controls on a rare basis. The
SafeNet HSM family includes small form factor, high security HSMs ideal for a root CA. These
devices are small enough to be stored in a safe, provide all the security demanded by root key
protection and, of course, interoperate with the rest of SafeNet’s HSM family.
Securing the Smart Grid with SafeNet HSMs Whitepaper 6
7. Smart Grid
Distributed
Generation and Storage
Utility Infrastructure Consumer
Encrypted
Information
PKI and Key
Management
HSMs for
Root of Trust
HSMs are the secure root of trust for protecting the smart grid
Secure Management of Meters. Securely update the metering settings, configuration, security
credentials, and firmware of all devices in the smart grid system. Signing and encryption
of messages was discussed previously under the Secure Message Processing use case. In
addition, SafeNet HSMs can be used to protect code signing keys. These high-value keys are
used to sign firmware update images destined for endpoint devices. Compromise of these keys
can lead to fraudulent software loads on devices, so an HSM is a natural place to host these
keys.
Utility Engineering
Secure over the air
Utility Operations firmware update
Development
Code Signing
Production
Code Signing
HSMs in HAN
High Availability
Suppliers HSMs in
High Availability
Initial
Production
Firmware
Provisioning
Installer
Secure firmware management
Securing the Smart Grid with SafeNet HSMs Whitepaper 7
8. HSMs Features Supporting Smart Grid Uses
Compliance and Certifications: SafeNet HSMs have been validated to FIPS 140-2 Level 3 and
Common Criteria EAL4+. They also facilitate compliance with PII, NIST, and NERC audits.
HSM Partitioning. A key challenge in a smart grid is the overall scale of the deployments. It is
not uncommon for a utility to have millions of endpoints. This leads to all sorts of challenges
in the cryptographic management system, including the impact of a key compromise
and management of the CRLs. One recommended strategy to address these issues is to
cryptographically segment the utility into regions or groups. Establishing subordinate
certificate authorities for each region or group limits the impact of any compromise. This
segmenting scheme also helps manage the size of CRLs since they will be issued on a per-
segment basis. SafeNet HSMs support this approach through a secure flexible partitioning
capability. A single physical HSM can be segmented into up to twenty logically separate
HSMs, referred to as partitions. This can be field upgradable to up to 100 partitions per HSM.
Keys stored within each partition are not just separated by thin access control lists, but
are fully cryptographically isolated from every other partition. Partitions can be mapped to
independent applications, assigned object limits per partition and, perhaps most importantly,
can be controlled by a separate group of users. This feature is not only useful to utilities,
but is also instrumental for device manufacturers. It provides the capability to run separate
subordinate CAs at the factory for each end customer, tailoring the manufacturing of devices
to specific customers. Through HSM partitioning, a device manufacturer can cryptographically
isolate its customers so that a compromise of one customer does not impact other customers.
It also enables the use of low-cost contract manufacturers without putting at risk security-
sensitive customers who may not be able to accept devices manufactured in certain countries.
Meter Data Head End
Code Signing PKI Root Key Manager
Mgmt System Messaging
High Availability
HSM and
Root of Trust Load Balancing
Automatic Key
DR site Replication
for HSMs
HSM partitioning for support of multiple applications in the smart grid
HSM Key Usage Controls. Smart grid devices can be manufactured all over the world and,
given the cost sensitivities; they are often manufactured in locations that have limited trust.
SafeNet HSMs provide key usage controls that allow a remote authority to manage how often
a particular key is used. With this capability, an organization can tightly control how many
devices each contract manufacturer produces—preventing the production of fraudulent
devices by manufacturing vendors.
Securing the Smart Grid with SafeNet HSMs Whitepaper 8