1.1 Role and applications of the transmission system operator

German transmission system operators (TSOs) provide two main applications for the integration of renewable energy sources into the transmission grid: the market for control reserve (regelleistung.net) and feed-in management for renewables.

The German TSOs are responsible for maintaining the balance between electricity generation and consumption within their control areas at all times. For the execution of this task, the TSOs can engage different types of control reserve (primary control reserve, secondary control reserve, and tertiary control reserve). The types of control reserve differ according to the principle of activation and their activation speed. Close cooperation between the TSOs contributes to keeping the total requirements for control reserve as low as possible [4]. Therefore, the control reserve may be provided not only by conventional power plants but also by VPPs composed of renewable power generation units, electricity storage units, and flexible loads. In the last few years this led to a decrease of market prices for tertiary and secondary control reserve.

Communication between TSOs, VPPs, and DERs is usually implemented mostly by using the telecontrol standard IEC 60870-5. In case of an activation of a secondary control reserve or a tertiary control reserve, the supervisory control and data acquisition (SCADA) system of a TSO sends an activation signal to a VPP SCADA by the serial protocol IEC 60870-5-101 and gets the meter data about power delivery on the same telecontrol channel. The VPP SCADA communicates with pooled DERs, often using the IP-based protocol IEC 60870-5-104.

The Federal Network Agency (BNetzA) provides a guideline on feed-in management by grid operators under the Renewable Energy Sources Act (EEG). This guideline regulates priorities for the reduction of energy production by conventional and renewable power plants in case of an impending congestion for power grid areas. Briefly, the energy production by renewable power plants has a much higher priority than the feed-in by conventional power plants. Furthermore, the EEG provides guidance on compensation for renewable power plant operators in case of production throttling by a grid operator.

Feed-in management applications of TSOs and distribution system operators (DSOs) apply ripple control systems or IEC 60870-5-104 based automation systems for communication of reduction signals to DERs in a case of feed-in management activation. Historically, most German DSOs implement ripple control systems for the support of their own feed-in management or the feed-in management by TSOs. A ripple control system implements a radio-based unidirectional communication from DSO SCADA to all DERs in an electricity grid. The main drawbacks of this technology are missing feedback about the success of a requested DER deactivation and roughly defined communication groups, which do not always match with the area of impending congestion. In practice, grid operators often deactivate more DERs than required for prevention of congestion in a grid area. Therefore, new installed DERs have to provide an IEC 60870-5-104-based bidirectional remote terminal unit (RTU) [5]. This technology allows a tightly focused feed-in management for congestion-relevant subareas in the grid and therefore helps to increase the overall amount of renewable energy in the power grids.

In summary, regulatory, market, and technical rules for the control reserve market and feed-in management by TSOs in Germany are well known and broadly applied.

1.2 Role and applications of the distribution system operator

DSOs implement feed-in management in the same manner and with similar technologies as TSOs. The usage of ripple control systems for feed-in management in distribution grids has the same shortcomings as in transmission grids. Implementation of bidirectional communication with small DERs, for example, household PVs, based on “classic” RTUs from substation automation is often too expensive. Therefore, there is a demand for a new approach for bidirectional communication between small DERs and feed-in management systems.

New applications for flexibility management in distribution grids are, at the moment, a matter of discussion and research in context of the position paper “Smart Grid Traffic Light Concept” of the German Association of Energy and Water Industries [6]. The proposed traffic light concept describes a model for market participants and network operators to interact with one another in the future. The BDEW model uses the logic of a traffic light as an analogy. In the green phase, the energy market participants may act without restrictions. In the red phase, there is a critical congestion and the grid operator overrules market participants by feed-in management. The BDEW position paper defines a new yellow intermediate phase. The yellow phase is entered if a potential bottleneck in a network segment of a distribution grid has been identified. In the yellow phase, the DSO calls upon the flexibility offered by DER operators or their aggregators in that network segment in order to prevent a red phase situation. The discussion about the possible flexibility products for DSOs is still a work in progress, nationally and EU-wide [7]. The German government initiated the funding program “Smart Energy Showcases—Digital Agenda for the Energy Transition” (SINTEG) that aims to develop and demonstrate new approaches to safeguarding secure grid operations with high shares of intermittent power generation on the basis of wind and solar energy in five model regions. The initiated projects in this program address, among other things, the issue of flexibility products for the yellow phase in distribution grids in order to secure an increased share of renewable energy in the energy mix.

The feed-in management applications and those within the SINTEG projects developed market-based flexibility applications for DSOs require detailed knowledge about the grid state and reliable bidirectional communication to the DERs also in distribution grids.

1.3 Role and applications of consumers and decentralized producers in electrical grids

In many situations, it is beneficial if a consumer is able to adapt his consumption behavior. One idea is that he is rewarded if he shifts his power demand in times with high production or even an overproduction from renewable energy sources. To reach this goal, smart metering solutions with real time visualization for the customers are proposed as well as flexible tariffs that adapt to the situation in the grid. Furthermore, there is a need for bidirectional communication to customers with flexible and controllable demand in order to implement DR applications for the yellow phase.

All DERs with an electrical connection point to medium-voltage grids and few of the DERs with a connection point to low-voltage grids have to provide bidirectional communication to feed-in management of DSOs. Due to decreasing subsidies for renewable energy production, DER operators will have to cooperate with VPP operators and other aggregators in the long term in order to sell the produced energy. Therefore, there will be an additional demand for affordable bidirectional communication and metered data from producers and consumers in real time. This demand is addressed by the new bill called “Digitalization of the Energy Transition” [8].

1.4 Distribution grid digitalization as enabler for energy transition

As was seen in the examples of application above, the next step is the energy system transition demands, a more active integration of consumers and DERs in distribution grids and markets. Due to high hardware costs and engineering efforts, grid automation technologies such as the existing IEC 60870-5-104 RTUs are not widely applicable in Germany; therefore a different approach is proposed. The main issue for integrating more renewables into power grids is the digitalization of the distribution grid. The German government addressed this issue in 2016 by a new bill called “Digitalization of the Energy Transition” [8]. The bill will boost digitalization by implementing a Germany-wide advanced metering infrastructure (AMI), including the staggered nationwide rollout of smart meters. On the one side, the planned AMI will provide utilities, customers, and other authorized external entities (AEEs) with metering data in order to better manage the power grids or optimize energy usage. On the other hand, the AMI will implement a secure communication backbone to control decentralized energy production as well as end user consumption.

In the following sections, the basic concepts, features, and technology of the planed Germany-wide AMI will be introduced; it will be explained how the AMI can be combined with the American Green Button Standard for better meter data management; and describe how the AMI will be used for bidirectional communication with DERs and controllable loads in an inexpensive and highly secure manner.

2.1 Basic concepts, roles, and components of German AMI

Regulations for the German AMI differentiate few key roles and components. Fig. 1 illustrates these roles and components with its dependencies.

The role of “smart meter operator” is responsible for installation and operation of the metering infrastructure on customer sites. Persons or companies with the role “customer” are the owner of metering data. Customers may provide the role “authorized external entities” (AEEs) with metering data for billing purposes or efficiency consulting projects. Furthermore, customers can entrust AEE with the usage of the CLS communication channel for various purposes.

The system configuration at the customer's site includes a digital smart meter, a SMGW, and an optional device, the “controllable local system” (CLS). The SMGW is the actual communication device that collects data from one or more smart meters and sends it to authorized receivers. The SMGW is also responsible for the establishing of secure communication channels for further purposes, for example, the control of local CLS devices. All these components must fulfill the security and privacy requirements of the BSI [10]. The smart meter and SMGW must provide a metrological certificate of the PTB [11].

The role “smart meter gateway administrator” (SMGWA) is a kind of a sovereign role. SMGWA is an independent authority that checks authentication and authorization credentials of an AEE and can deny their requests for metering data or for communication with CLS devices on customer's sites.

Regulations for smart metering differentiate between passive and active AEE. The passive AEE only receives metering data from the SMGW whereas the active AEE can interact with CLS devices on customer's sites, for example, for implementation of the feed-in management use case. Furthermore, there are regulated and nonregulated AEEs. Smart meter operators are obliged to support regulated AEEs (customer, energy supplier, and grid operator). The government has defined a price limit for the regulated services in Ref. [8]. Additionally, smart meter operators can charge nonregulated AEEs with usual market prices for nonregulated services in order to generate additional revenues with smart metering infrastructures. We will describe various use cases for typical German AEEs later in more detail.

The distinctive feature of German AMI is the “don’t call me, I‘ll call you back” principle of the SMGW. This means that an AEE cannot initiate communication directly with an SMGW. The SMGW always initiates the communication between the AEE and SMGW. The BSI chose this procedure in order to minimize cybersecurity risks in communication with smart meters and DERs. The UML sequence diagram in Fig. 2 describes in detail the procedure for establishing communication between the SMGW and AEE in case of a special need.

An AEE asks SMGWA for metered values or for a communication request to a dedicated SMGW. SMGWA authenticates the AEE and checks its rights. If the authorization checks of the AEE are successful, then SMGWA sends the request notification to the SMGW. In case of a data request, SMGW sends metering data in the COSEM [12] format to the AEE. In case of a communication request, SMGW opens a secured communication channel between the CLS device and the AEE. The communication channel can last up to 24 h before it shuts down.

Besides lower security risks, this communication paradigm reduces dependencies from a centralized communication server because different AEEs may establish communication to an SMGW without a communication server in the middle. Besides the described sequence, the SMGW can be configured using a so-called communication profile to send meter data regularly to authorized AEEs. The communication profile is provided to the SMGW by the SMGWA. This way the SMGWA doesn’t have to be contacted for every communication case.

In consequence, the regulations of the BSI [10] and the Bundestag [8] lead to a system architecture described in Fig. 3. On each customer site, we have an SMGW and at least one smart meter. Optionally, we may have one or more CLS devices on a customer site specializing in different domains, for example, a CLS device for supporting feed-in management by a home PV-system or a CLS device for remote health monitoring. In order to control a local CLS device, each AEE can establish a dedicated communication channel to the customer SMGW, if it is authorized by law or by a customer and fulfills the security requirements of the BSI.

2.2 AMI-based use cases for the German Energiewende

In Fig. 4, you see an overview of use cases for the German Energiewende that are supported by the AMI. Regulated services are mandatory. Smart meter operators must support these use cases. Nonregulated services are optional and provide a chance to make additional revenues for smart meter operators. Use cases for nonregulated services described in this chapter are only showcase examples. There are a potential for various other use cases in the context of smart home applications. In the following, the use cases will be described in detail.

3.1 System and security architecture of the German AMI

The system architecture of the AMI differintiates three security zones (cf. Fig. 5):

• • The LMN contains digital metering devices. Devices in this zone communicate only with a dedicated SMGW.
• • The HAN hosts security-certified devices. These may be visualization devices for customers, PCs of service technicians, or CLS devices. CLS devices can communicate to physical devices such as a PV on the roof over secured automation protocols. But neither CLS device nor linked devices are allowed to communicate with other networks, for example, the public Internet.
• • The WAN hosts the mandatory SMGWA service and services for different kinds of AEEs. Communication between an SMGW and an AEE service is always initiated by the SMGW after security approval by the SGMWA. The provider of the AEE services must have the ISO 27001 [13] certification because this service may have communication channels to unsecure networks.

This system architecture design reduces high cybersecurity risks because of strict security zones and mandatory authorization of AEEs by the SMGWA. Furthermore, the SMGWA can force a disconnection between the SMGW and an AEE in case of security threats. All SMGWAs in Germany will jointly maintain black lists of untrustworthy AEEs.

The SMGW implements collection and processing of data at the content level as well as the establishment of trusted channels to connected devices and AEEs [14]. All metered values that are prepared to be sent to an AEE or connected devices in the HAN are encrypted and integrity-protected at the content level. Furthermore, the SMGW always enforces the use of encrypted, integrity-protected and mutually authenticated channels for all external communication to AEEs and connected devices. This concept of two-layer encryption facilitates scenarios in which the SMGWA is not the final recipient of metered values from the smart meters. In this way, for example, the SMGWA receives meter data that it forwards to a different party, the real recipient of the data. Here, the SMGWA is the endpoint of the trusted communication channel but cannot read the encrypted meter data addressed to the third party. System administration messages and data exchanged between SMGW, SMGWA, and service components of AEEs are also encrypted and integrity-protected using the cryptographic message syntax of the BSI.

The BSI technical directive “smart metering-public key infrastructure (SM-PKI) for Smart Meter Gateways” [15] specifies requirements for security certificates and how they should be used in context of the German AMI. SM-PKI distinguishes between certificate authorities and certificate users. Certificate authorities release and manage security certificates. Security certificates are X.509 certificates according to requirements in Ref. [16]. All security certificates have a limited validity period. User's certificates are only valid for 2 years. Other certificates may be valid up to 5 years.

Security certificates guarantee secure communication and data exchange between the components and actors of the AMI on various levels of communication. For this purpose, the SM-PKI differentiates three kinds of security certificates:

• • Transport layer security (TLS) certificates: AMI components use TLS certificates for implementation of encrypted communication channels between each other.
• • Encryption certificates: SMGWs use encryption certificates for encryption of meter data before sending the data to an AEE. Thus, it ensures a very high level of privacy because only the receiver with the correct certificate can read the meter data.
• • Signature certificates: A SMGW signs all meter data on arrival with its own signature certificate so that manipulations of metered data by third parties in the SMGW memory or outside the SMGW can be uncovered by signature checks.

Certificate authorities can invalidate security certificate before the end of their validity. A certificate authority publishes invalid certificates in a certificate blacklist. All components and actors in the AMI must always check the validity of the public certificates of their communication counterparts before establishing a connection channel or encrypting the metered data.

In summary, the strict differentiation of network zones LMN, HAN, WAN, and the hard security requirements of the SM-PKI ensure that only trustful AEEs can receive metered data or communicate with CLS devices over the AMI. In case that an AEE or another AMI actor is compromised, for example, by hackers, certificate authorities can isolate the compromised AEE by adding its security certificates to the blacklist. Furthermore, the SMGWA can instantly separate open communication channels of the compromised AEE to SMGWs and CLS devices.

3.2 Data privacy compliant metered data delivery

The main issue in the design of the German AMI is the high requirements in data protection and privacy. The system and security architectures provide interfaces and technologies for the implementation of data protection. The primary use cases “Providing Data (to grid operators) for State Estimation” and “Providing Data (to energy suppliers) for Invoicing” can be implemented with concepts and technologies defined in Ref. [10]. However, these BSI specifications do not exactly describe the delivery of the metered data to customers (respectively consumers). BSI specifications define only a communication channel from SMGW to consumers in HANs, such as the IF_GW_CON communication channel in Fig. 5. But the data model and the protocol for IF_GW_CON are not specified. This implies that data visualization solutions for customers are vendor-specific. It can be acceptable for the use case “energy usage visualization” but it does not work for the use case “invoice verification.” Here, a solution with open interfaces and data formats is needed that supports both. Where the IF_GW_CON lacks standardization, the German National Metrology Institute PTB defined a large set of requirements to enable the customer to verify the bill. They defined that the customer not only has the right to receive data from the SMGW in a digital way, but also that the tariff rules that were applied in order to make the energy bill comprehensible. The requirements also define the metered data to be secured against manipulation using an additional digital signature that includes a hash function over the actual metered value, its status, and the time stamp associated with it.

Since the IF_GW_CON was not fully specified, the idea was to use the IF_GW_WAN interface and an independent instance of an AEE called 3D-EMT to collect the necessary data for the customer and to provide it in a standardized manner using the so-called IF_3D_CON interface. The 3D-EMT serves as an interface between the highly secure AMI with its encrypted machine-to-machine communication and the customer who might not have a digital certificate to provide identification and encryption. It also serves as a bridge between the highly regulated web service-based communication infrastructure that was built up for high automation and security and transforms the data into one file that can be handled by the customer. Fig. 6 shows the system architecture where the 3D-EMT plays a major role as the data collector and processor. The customer logs himself on to the portal of the 3D-EMT to find the meter data of his smart meter together with additional information in one file. The file can be downloaded securely by standard Internet encryption technologies, for example, those used for Internet banking applications.

The data format that is used to provide the data to the customer is defined by the German standard application rule IF_3D_CON [17]. This application rule adapts and extends the American Green Button format to German requirements. Green Button is based on the standard NAESB REQ.21—Energy Services Provider Interface [18] and is already applied widely in providing meter data and additional information to customers in the United States. The format is XML-based and uses the Atom Link Model for a hierarchical structure of the data. Over time, two application variants have emerged: “Download My Data” and “Connect My Data.” Download My Data (DMD) describes the original use case: the data is provided to the customer as one downloadable file. This file can then be provided to other applications for evaluation or can be viewed in the web browser. Connect My Data (CMD) extends this use case by enabling the customer to authorize third-party applications and service providers to download the data file on behalf of the customer. Respective authorization mechanisms and processes are provided.

In Germany, the DMD concept is applied in a first step. Green Button provides extension points in the format definition that were used to extend the format to the German requirements. The idea was to keep the German version as compatible as possible to the original definition. So-called “transparency software” will be provided to the customer that can import the Green Button data file and check the digital signatures of the metered data. Only if the metered data is identified as unaltered will the data be presented to the customer. In the application rule that describes the format, the data is structured into two different parts: “base data” and “verification data.” The base data describes the actual meter data for a point of delivery. This relies in most parts on the original Green Button format and was extended to provide additional information on the meter and the meter data that is required in Germany. One example of additional information is the OBIS-figure (based on IEC 62056-61) that is used to identify the kind of metered values. The base data also includes the digital signature for the meter data and the respective certification data of the SMGW. Since the American Green Button format does not include any information on tariffs and invoicing rules, this information had to be completely added into the German version. Therefore, the verification data provides possibilities to describe a variety of tariff rules such as time of use or amount of use rules, for example. For purposes besides invoice validation, for example, energy consumption visualization or energy awareness applications, the base data is sufficient. Fig. 7 shows the process and the different instances for downloading the data to the customer's PC as well as verifying the meter data using the transparency software.