OpenADR and Cyber Security

NEW: Check here for easier access to Digital Certificates for small scale trial and demo deployments.

Order Trial Certificates here

OpenADR Security Certificates Overview

Cyber Security is an important component of the Smart Grid. OpenADR works with you to help fulfill our role in ensuring strong Cyber Security in the Smart Grid.

In order to fulfill industry security requirements and NIST Cyber Security guidelines, the OpenADR Alliance maintains its own Public Key Infrastructure (PKI). The PKI uses server-side and client-side digital certificates that act as digital keys to ensure that only clients and servers communicate with each other and that their communication is secure.

This means that manufacturers of both OpenADR-certified Servers (VTN) and OpenADR-certified Clients (VEN) need to purchase valid OpenADR-specific digital certificates to authenticate communication links. This provides a strong security mechanism for the transport layer. Common security mechanisms include RSA and ECC algorithms.

Another important requirement from the NIST recommendations involves digital certificate management. OpenADR has mechanisms in place that allow the control, authorization, issuance, and revocation of digital certificates in order to maintain control of its PKI and maintain an accounting of the connection between manufacturer <–> client device <–> certificate.

The OpenADR Alliance has partnered with Kyrio** (http://www.kyrio.com), an independent entity that operates and manages the OpenADR PKI on behalf of the Alliance. The following figure provides a high-level view of the mechanisms that have been put in place. The digital certificates are governed by the OpenADR Alliance Certificate Policy.

NOTE: OpenADR Certification should not be confused with an OpenADR Digital Certificate. OpenADR Certification means that VTNs and VENs have undergone OpenADR testing and conform to the current OpenADR interface specification. Part of this testing also checks whether the systems can handle the minimum security requirements. Passing testing, plus additional paperwork, enables the systems to claim to be OpenADR Certified. A list of certified devices can be found at http://www.openadr.org/products. This certification does not mean that the manufacturers have valid Digital Certificates built into their systems yet. Manufacturers achieving OpenADR Certification need to obtain the Digital Certificates via the OpenADR/Kyrio portal. Kyrio partners with Symantec, a well-known digital certificate service provider, to handle the issuance of OpenADR Digital Certificates. Manufacturers can then embed the digital certificates into their certified products at the time of manufacture.

Different types of certificates are available to manufacturers depending on their development stage.

  1. Test Security Certificates – These certificates are not valid for real communication. However, they can be used for free for testing purposes. They are also used during certification testing.
  2. Evaluation Certificates – These certificates are valid for real implementations. However, they are only valid for a limited time (60-90 days). These certificates could be used for further interoperability testing with existing live systems.
  3. Production Certificates – These certificates have a longer validity period (20 years) and should be used for real implementations.

OpenADR Certificates can be obtained through the OpenADR/Kyrio portal:

https://portal.kyrio.com

To obtain production certificates, please contact Kyrio:

Digital Certificate Account Coordinator

Kyrio, Inc.
858 Coal Creek Circle
Louisville, CO 80027-9750
Tel: (303) 661-3320
Fax: (303) 664-8131

Email: info@kyrio.com

Any other questions can be addressed to certification@openadr.org.

** Kyrio was previously NetworkFX. Therefore, you may encounter some references to NetworkFX in the documentation.