Frequently Asked Questions About TR-03109-6 and Smart Meter Gateway Administration

Version dated 25 June 2020
CURRENT NOTICE: Meeting Technical Guideline requirements under exceptional circumstances
In principle, the information security management systems (ISMS) used by smart gateway administrators (GWAs) are tasked with responding to changes in processes, IT and other areas. New external requirements and specifications also need to be examined and evaluated within the framework of these ISMS.
Due to the coronavirus pandemic, GWAs may need to reorganise their operations should Germany's public authorities issue a quarantine order. If this occurs, exemptions may apply. GWAs may be allowed to work from home, for example, even though this is generally forbidden by TR-03109-6. The additional measures that may need to be taken (whether organisational, technical, or of another nature) must then be assessed on a case-by-case basis. The exemptions allowed and the measures determined are to be documented and kept to a limited time frame.
The questions and answers covered below contain notices and explanations from the BSI. This FAQ thus reflects the current understanding of the BSI and can be used as corresponding orientation.
Regardless of the circumstances at hand, the affected companies are responsible for implementing the Metering Point Operation Act (MsbG) to the letter of the law. As a rule, situations pertaining to the MsbG are to be considered on a case-by-case basis.
FAQ
-
The application cases of the SMGW Administrator (abbreviated to: SMGW Admin) are described in Chapter 3 of the TR-03109-6. These are based on the legal framework (Act on Metering Point Operation and Data Communication in Smart Energy Networks -- MsbG) and the TR-03109-1.
The following tasks can be listed as keywords: commissioning, operation, configuration, administration, monitoring and maintenance of the smart meter.
-
In the context of the smart meter, the SMGW admin plays a central technical role. It is responsible for the reliable technical operation of the meter (cf. Section 25 (1) MsbG). The scope of its tasks as presented above means it serves a critical function, and it is therefore essential for information security to be taken into account when designing the required IT.
-
The minimum requirements for information security are based on Section 25 MsbG and bindingly stipulate that in addition to the obligatory ISMS and the security concept model required for it, the SMGW admin must also appropriately meet the minimum requirements described in the TR-03109-6.
-
According to Section 3 of the Metering Point Operation Act (MsbG), the meter operator with 'basic responsibility' is responsible for metering point operation, provided that no other agreement to the contrary has been reached according to Section 5 or Section 6 of the Metering Point Operation Act. The technical function of the SMGW administrator has been assigned to the meter operator. From the perspective of TR-03109-6 it is first and foremost a technical function and the question of which market role this function performs is insignificant.
However, the duties of the meter operator (as a market role) according to Section 3 of the Metering Point Operation Act and the duties of the SMGW administrator according to Section 25 of the Metering Point Operation Act must be clearly delineated on an organisational and a technical level, i.e. the meter operator cannot access (physically or in relation to systems) the technical operations of the SMGW administrator.
-
Compliance with the defined requirements on information security must be confirmed in documentation by an independent third party.
-
Certification applies to all of the tasks of an SMGW admin along with the associated technical infrastructure and applies in particular to the sustainable operation of an information security management system (ISMS) already in place or to be established within the SMGW admin.
-
An information security management system (ISMS) specifies the instruments and methods that the management level of an organisation (or person in charge of information security) should use to comprehensibly manage the tasks and activities aimed at achieving information security.
An ISMS is therefore a planned and organised course of action to achieve and maintain an appropriate level of information security.
-
No. The information security management system within the SMGW admin must be certified.
-
No. The implementation of the defined minimum requirements in accordance with Section 25 (5) MsbG can be documented either through an ISO 27001 certification on the basis of IT-Grundschutz or alternatively through a certification in accordance with ISO/IEC 27001.
-
No. The TR-03109-6 requires an ISO 27001 certification on the basis of the IT-Grundschutz or a certification in accordance with ISO/IEC 27001 that demonstrates that the minimum requirements of the TR-03109-6 are taken into account and appropriately applied within the ISMS.
-
The TR-03109-6 does not stipulate a time by which the SMGW admin must be certified. However, an SMGW admin must provide evidence of the relevant certificate in order to participate in the Smart Metering PKI (see Certificate Policy of the SM-PKI).
-
According to Section 25 (1) of the MsbG, the responsible Gateway Administrator (GWA) can outsource the technical operation of the smart metering system to a third party (see Section 2 (20) MsbG). From its market support, the BSI has observed the following realisations or implementations of GWA operation to date:
- a) "Responsible full-scale operation of the GWA in line with BSI TR-03109-6" (responsible implementation of the use cases from BSI TR-03109-6)
- b) "IT operation for a GWA in line with BSI TR-03109-6" (e.g. as a SaaS provider)
In all cases, the responsible GWA that operates the ISMS remains responsible for ensuring that its security requirements are met, in particular by the third parties to which it outsources.
Example:
The GWA takes over the "Responsible full-scale operation of the GWA in line with BSI TR-03109-6" and awards the "IT operation for a GWA in line with BSI TR-03109-6" to a third party. The third party proves its suitability to the responsible GWA by an ISMS certification with the scope "IT operation for a GWA in line with BSI TR-03109-6". The tasks as well as any individually existing security requirements for the third party are documented as proof of dealing with the existing individual risk. The GWA is responsible for the seamless outsourcing and ensures compliance with the security requirements, for example through random audits. The GWA also provides evidence of certification of its ISMS in accordance with Section 25 (5) MsbG.
This example from practice clearly shows that even when IT operations are outsourced to a third party, the technical responsibility as well as the responsibility for the ISMS remains with the GWA.
-
In principle, the responsible GWA is subject to a certification obligation according to the Metering Point Operation Act, including when outsourcing to a third party.
An exemption from this principle may be granted under the following conditions:
- The third party produces an ISMS certificate for the information domain it operates, which proves compliance with the requirements defined in BSI TR-03109-6
- The responsible GWA operates an ISMS according to Section 25(4) of the Metering Point Operation Act. The third party can advise and support the GWA in this; alternatively, the third party operates the ISMS on behalf of the GWA
- Information security requirements according to BSI TR-03109-6 must be implemented for the IT and processes that remain with the responsible GWA. The third party must conclude a contract to meet these requirements and check they are implemented
- How individual areas of responsibility are allocated between the third party and the responsible GWA must also be regulated by contract
-
Yes. Pursuant to Section 25 (4) MsbG, it is required to operate an ISMS.
-
Yes. In accordance with Section 24 (1) MsbG, manufacturers of gateways must provide evidence of their gateways having been certified to the SMGW admin. The SMGW Admin may only include certified gateways in its production system.
-
Yes, if the following specifications are taken into account.
If the SMGW admin operates uncertified gateways for test purposes, the test data must be separated from the production data in such a way that the metered readings determined from the production operation cannot be falsified. How exactly this is implemented is the responsibility of the SMGW Admin's ISMS. However, both a technical and organisational separation of the types of data is recommended.
-
Yes. An SMGW admin must provide evidence of its ISMS certificate in order to participate in the Smart Metering PKI (SM-PKI) (see SM-PKI Certificate Policy).
-
Yes. The test PKI is functionally identical to the actual PKI (Smart Metering PKI). It is therefore possible for the audits necessary for the certification of the PKI processes to be carried out within the test PKI. The switch from the test PKI to the actual PKI that will later be necessary in this case must be carried out using the normal mechanisms used in the certification process (amendment notification and, if applicable, partial re-audit).
-
No. The required BSI-certified penetration tester must both be in charge of performing the penetration test and documenting the results, and be actively involved in carrying out the test. The penetration test can, however, be supported by other, non-BSI-certified penetration testers.
-
As this is such a general question, it is only possible to provide a very general answer in this FAQ. To protect the availability of services and IT components of an SMGW Admin against potential risks, a remote access solution for technicians (technical administrators) may be used as a measure to handle risks. However, each measure that is introduced can open up new risks, which the ISMS is responsible for handling.
Remote access must be organised only in defined exceptional cases and under defined technical and organisational framework conditions, which must be documented.
-
The requirements are defined in PTB A50.8, Chapter 8.1 and recorded in the subsequent version of the TR-03109-6. As part of the audits to certify the ISMS within the SMGW Admin, these requirements must be audited and confirmed by the BSI-certified auditors.
The PTB has issued a leaflet with notices and support regarding these requirements, which can be accessed on the website of the PTB.
-
A BSI-certified auditor reviews the documentation relating to penetration tests during their audit of the service provider. If required, the service provider passes the following information on to its GWA customers as evidence that the penetration tests have been conducted:
- Management Summary
- Audited systems/areas
- Period when tests were conducted
- Company that conducted the penetration tests
- Number of findings identified including their level of criticality and the processing status or a schedule for resolving vulnerabilities (the GWA should be informed if vulnerabilities are not resolved as per the schedule)
The service provider's GWA customers are not given a detailed description of the vulnerabilities that were identified, for obvious and transparent reasons. The service provider's certified management system ensures the actions derived from the penetration test are implemented.
In addition to the penetration test conducted by the service provider, the GWA can also subject its own IT infrastructure to a penetration test.
-
In principle, and in accordance with the ISMS implemented, there is no entitlement to be issued complete documentation, e.g. concepts or manuals.
In order to confirm the contractual rules between the service provider and the GWA, it may be advisable for the service provider to give the GWA certain information from the last audit on request. As well as information on the penetration tests completed, this may include information about emergency management or the backup concept, for example.
The specific information requirements of the GWA can only be clarified in direct conversation with the service provider and must take account of the "interface" between the two parties described in the contract.