13 Jul

Cyber Security through Operational Technology (OT)

With advancing digitalization, the demand for cyber security is also growing enormously. "For example, 11% of German companies recorded an IT security incident in the past 12 months. Three out of ten companies expect to be targeted by cyber criminals in the next 12 months; organized gangs are particularly feared. The war in Ukraine is fuelling fears of further cyber attacks in this regard." [1] Critical infrastructure, the part that quite literally keeps us alive every day, requires extra attention. This article focuses on one example of it: the electrical infrastructure. The Swiss daily newspaper Tagesanzeiger (TA), for instance, headlines a "Survey on cyber security: Swiss electricity suppliers are insufficiently protected against hackers. The companies are particularly poor at recognizing attacks as well as responding to them." [2]

This white paper addresses the fundamental dangers, the status quo, the laws in force in the EU, and the solutions that are currently practicable and available for electrical measuring instruments.

Given the dynamic nature and complexity of the topic, this report is intended as a guide and makes no claim to be exhaustive.


Threat scenarios

Broadly speaking, there are two main categories of risk: data theft [3] and data manipulation [3]. Either can occur intentionally or unintentionally, by accident or through criminal acts.

For a finer segmentation, and again without claiming completeness, some typical threat scenarios are:

  1. Attack on the company with extortion, data encryption, theft, threats, …
    (e.g. ransomware (LockBit, …), other malware, …)
  2. Failure of, or attack on, (externally hosted) services
    (e.g. websites, social media accounts, cloud services, data backup services, …)
  3. Espionage and phishing attacks
    (e.g. through interviews, surveys, virtual and physical spying, unknown visitors, credit card leaks, …)
  4. Cyber attacks on individuals
    (e.g. blackmail and threats against individuals, smartphone applications (e.g. camera, microphone), …)
  5. Losses
    (e.g. simple data loss, hardware loss, hardware theft, …)
  6. Deliberate data exchange
    (e.g. via external data carriers (USB sticks, SD cards, smartphones, …), EDI, APIs, …)
  7. Physical and environmental influences
    (e.g. lightning, fire, water, vandalism, sabotage, …)
  8. Malfunction or failure of data backup
    (e.g. NAS, inadequate documentation, missing updates, long power outages, defective storage media, ageing, …)
  9. Lack of awareness within the company itself
    (e.g. general ignorance and naivety, lack of ICT knowledge, security not treated as a management responsibility, lack of training, …)
  10. Inadequate equipment
    (e.g. outages, legacy systems, malware on smartphones, unknown number of ICT clients, third-party devices in the ICT network, …)

The point "third-party devices in the ICT network" is of particular interest for this article, because it covers measuring instruments as well, and the threat scenarios above therefore apply to them too.

Interim conclusion (1):

Unauthorized interventions in data mean that something no longer behaves as it was planned to. Such interventions therefore usually have a direct impact on costs and on the reputation of the affected person or company, and the total damage is many times higher than the cost of merely averting or remedying the intervention itself.

It should also be noted that devices that have already been compromised can be used as a platform for the further spread of data tapping and manipulation. Unauthorized access therefore carries a far higher risk potential than it might initially appear.

Electrical grid levels 1-7

The new importance of data flows in electrical distribution networks

  • Interconnected electrical grids must be able to communicate with each other
  • Connection to the public Internet (www) is taking place
  • More metering points have to be integrated because of the many nodes (especially in the low-voltage grid = smart grid)
  • Users at grid level 7 (local distribution grid, <1 kV) increasingly act as (app) specialists (e.g. smart home, energy procurement, CO2 footprint, …)
  • Smart grid applications are necessary and in demand (e.g. transparency, automation, real-time data, …)
  • Planning with simulation, real-time data and trends is becoming increasingly important for the grids
  • Dynamic load and power management means remote control (e.g. redispatch, §14a EnWG (Germany), PV plants without counter load, …)
  • Today's control centers are connected to parallel applications (e.g. for the smart grid)
  • Cloud solutions are reaching the electrical grids
  • Disturbances and changes (dynamics) must be recorded in real time
  • New disturbance and influencing factors appear (e.g. the weather dependence of renewables: cloud cover, wind, heat, …)

Excursus: Energy Industry Act (EnWG) – Controllable consumption devices:

The new version of §14a EnWG (in force since 01.01.2023) in Germany provides for reduced grid fees for consumers who have concluded an agreement with the grid operator on grid-oriented control of controllable consumption devices, or of grid connections with such devices. [4]

In a nutshell: “From 2024, the low-voltage grid is to be gradually expanded into a smart grid as part of §14a EnWG. The first expansion stage for each distribution grid operator is the static control of disconnectable loads at the low-voltage grid level, which is to be replaced by dynamic control by 2029 at the latest.

In the low-voltage grid, the term disconnectable loads refers to all loads with a connected load greater than 3.7 kW. This primarily includes heat pumps, electrical storage units, charging infrastructure for electric vehicles or air conditioning systems.” [5]

Data flows and volumes will therefore increase significantly, and other countries with urban, complex infrastructures are likely to follow a similar principle.

Interim conclusion (2)

Data flows and volumes are growing rapidly, and with them both the threat exposure and the practical obstacles (e.g. connectivity).

Which strategies are used for data security and protection against manipulation?

This section outlines the elements of cyber security that are usually considered. It is striking how little is said specifically about operational technology (OT) in the context of integrated field devices (e.g. sensors, measuring instruments).

  • Definition of a company-specific I(C)T policy
  • Employment of internal as well as external IT specialists in their respective areas of expertise
  • Operation of closed or isolated networks
  • Strict compliance with country-specific guidelines and laws on data protection
  • Reduction of proprietary systems (e.g. proprietary vendor interfaces)
  • Use of standardized protocols (e.g. IEC 61850, PQDIF (IEEE 1159.3), …)
  • Use of additional software solutions for monitoring
  • Centralization of systems (hardware, software, HR)
  • Outsourcing of services to external service providers
  • Insourcing of previously outsourced services
  • Segmentation of the network to minimize the possible attack surface
  • Use of auditable security standards (e.g. ISO 27001, company-specific standards, …)

Insight into ISO 27001 – a viable approach?

This international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

The introduction of an information security management system represents a strategic decision for an organization. The creation and implementation of such a system within an organization depend on its needs and goals, security requirements, organizational processes, and the size and structure of the organization. It can be assumed that all of these influencing variables will change over time.

The information security management system maintains the confidentiality, integrity and availability of information using a risk management process and gives interested parties confidence that risks are being managed appropriately.

It is important that the information security management system is integrated into the organization’s overall governance structure as part of its operations, and that information security is considered at the design stage of processes, information systems and measures.

It is expected that the implementation of a security system (ISMS) will be scaled according to the needs of the organization.

ISO 27001 is complemented by IEC 62443, which describes a holistic approach to cyber security for industrial automation and control systems, down to the component level.

Interim conclusion (3):

  • Individual approaches cover only partial aspects
  • IT experts mostly have a technical focus and less of a view of the overall context
  • ISO 27001 is a complete, holistic management system, and correspondingly complex
  • IEC 62443 is in principle applicable only to the sub-area of industrial automation
  • There is not yet an IEC security standard for power quality instruments and power monitoring devices at device level. One is currently being developed in IEC TC 85/WG 20 (Equipment for measuring and monitoring of steady state and dynamic quantities in power distribution systems) under the project title "Cybersecurity aspects of devices used for power metering and monitoring, power quality monitoring, data collection and analysis". It remains to be seen which standards will take effect and how they will relate to each other.
  • If no cyber-security-hardened components are used, more effort has to be invested in security management to get a grip on cyber security. This is risky, because insecure components cannot really be managed in a secure way.
  • Cyber security compliance testing of a product costs only a fraction of the outlay for a security management system certificate.
  • Many manufacturers leave the cost of security management to their customers instead of developing secure products themselves.

And what does the EU have to say about cyber security?

The EU already adopted a regulation on cyber security in 2019: "Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)". [6] It is being followed by the proposed European Cyber Resilience Act (CRA): "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020". [7] The CRA places horizontal cyber security requirements on products with digital elements, i.e. on the devices themselves.

The US Cybersecurity and Infrastructure Security Agency (CISA), jointly with the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the United Kingdom's National Cyber Security Centre (NCSC-UK), Germany's Federal Office for Information Security (BSI), the Netherlands' National Cyber Security Centre (NCSC-NL), the Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand's National Cyber Security Centre (NCSC-NZ), has published a paper on cyber security. This guide, titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default", is intended to help make cyber security, and thus cyber protection at OT level, manageable. [8]

Small or big conclusion?!

It is therefore clear that cyber security must also be worked on continuously at field level, here with regard to measuring instruments. Manufacturers of measuring instruments can no longer argue that cyber security is the responsibility of the product user alone. Cyber security for measuring instruments thus becomes a matter of "Operational Technology (OT)" and is indispensable in the near term, at least for critical areas.

However, it is also clear that existing measuring instruments cannot simply be retrofitted with cyber security, or better cyber protection, at OT level. Embedded technology imposes limits here: the instruments may not have been designed for it at all, or the processor capacity may already be fully used by the measurement tasks. This mainly affects measuring instruments that are already on the market.

And even where a design would allow cyber protection, there is often a lack of the competence needed to define cyber protection at field level so that it can then be developed. From today's perspective at least, IT technology, i.e. everything that concerns regular applications and infrastructures, must not be equated with embedded technology. And even if it could be, cyber security in the IT world still has enough topics ahead of it, some of them quite basic. That is without even mentioning mobile connectivity, which would fill a white paper of its own.

Another barrier to simply following the EU regulations is the uncertainty around the IEC standards. The standards referenced for PQI (power quality instruments) or PMD (power metering and monitoring devices) do not yet specify cyber security requirements. Work on them is under way, but when and which standards will take effect is completely open. Manufacturers of measuring instruments therefore have no unambiguous reference to follow and are limited accordingly. Camille Bauer is an exception: for several years its measuring instruments, e.g. its power quality analyzers in a pioneering position, have already followed the ENEL standard GSTQ901.


Solution approaches for increasing cyber security with OT

Despite the lack of standards, product users should not forgo cyber security in the OT area, i.e. cyber protection, and certainly not in critical infrastructures. For the integration of measuring instruments, the following aspects of ISO 27001 (Annex A; reference control objectives and controls) can be used as a guide:

  • Access control for systems and applications
  • Cryptographic measures
  • Physical and environmental security
  • Protection against malware
  • Data protection
  • Logging and monitoring

Observing these criteria in measuring instruments already goes a long way towards raising cyber security at OT level.

1. Role-based access authorization (RBAC)

  • Grant users only the rights they need, and no more:
    • Access to measurement data: view, delete, download
    • Configuration data: view, change
    • Comprehensive user management
    • Remote access via web interface / software
    • Local access
  • No clear-text transmission of login information
  • Repeated failed login attempts increase the response delay (throttling)
  • RBAC settings are stored only in encrypted form
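To make the list above concrete, here is an added example in Go (not code from this page or from Camille Bauer) of how a device can enforce these points: a least-privilege permission matrix with default deny, passwords stored only as salted hashes, a constant-time comparison, and a doubling back-off after each failed login that also blocks a subsequent correct password until it expires. The role names, the operations mapped to them and the back-off parameters are assumptions; the iterated SHA-256 stands in for a memory-hard KDF so the example needs only the standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

type Permission uint8 // bit flags for the operations listed above

const (
	PermViewData Permission = 1 << iota
	PermDownloadData
	PermDeleteData
	PermViewConfig
	PermChangeConfig
	PermManageUsers
)

// roles is an assumed role set; the page lists operations, not role names.
var roles = map[string]Permission{
	"viewer":   PermViewData | PermViewConfig,
	"operator": PermViewData | PermDownloadData | PermViewConfig | PermChangeConfig,
	"admin":    PermViewData | PermDownloadData | PermDeleteData | PermViewConfig | PermChangeConfig | PermManageUsers,
}

// Authorize is default deny: an unknown role has no bits set.
func Authorize(role string, p Permission) bool { return roles[role]&p == p }

var (
	ErrBadCredentials = errors.New("invalid user name or password")
	ErrThrottled      = errors.New("too many failed attempts, retry later")
)

type account struct {
	role        string
	salt, hash  []byte // only a salted hash is stored, never the password
	failures    int
	lockedUntil time.Time
}

var accounts = map[string]*account{}
var now = time.Now // replaced by a fixed clock in tests to drive the throttle

// derive is a deliberately slow salted hash using only the standard library;
// a production device should use a memory-hard KDF (Argon2/scrypt) here.
func derive(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < 100_000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func AddUser(name, role, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	accounts[name] = &account{role: role, salt: salt, hash: derive(salt, password)}
	return nil
}

// backoff doubles the wait after every failure: 1s, 2s, 4s, ... capped at 5 minutes.
func backoff(failures int) time.Duration {
	if failures > 20 { // keep the shift from overflowing
		failures = 20
	}
	if d := time.Second << uint(failures-1); d < 5*time.Minute {
		return d
	}
	return 5 * time.Minute
}

// Login returns the role on success; a failure sets a back-off that blocks even a correct password.
func Login(name, password string) (string, error) {
	t := now()
	acct, ok := accounts[name]
	if !ok { // unknown user: throwaway account, so cost and error match a wrong password
		acct = &account{salt: make([]byte, 16)}
	}
	if t.Before(acct.lockedUntil) {
		return "", ErrThrottled
	}
	if subtle.ConstantTimeCompare(derive(acct.salt, password), acct.hash) != 1 {
		acct.failures++
		acct.lockedUntil = t.Add(backoff(acct.failures))
		return "", ErrBadCredentials
	}
	acct.failures, acct.lockedUntil = 0, time.Time{}
	return acct.role, nil
}

func main() {
	_ = AddUser("ops", "operator", "correct horse battery staple")
	_, err1 := Login("ops", "wrong")
	_, err2 := Login("ops", "correct horse battery staple") // still inside the 1 s back-off
	fmt.Println(err1, "|", err2, "| operator may delete data:", Authorize("operator", PermDeleteData))
}
```

The second login in main fails although the password is right, because the 1 s back-off from the failed attempt is still running; a password-guessing client hits the 5-minute cap from the tenth failure on, while a legitimate user who mistypes once waits a second. Unknown user names cost the same hash work and return the same error as wrong passwords, so the login response does not reveal which accounts exist.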

2. Hypertext Transfer Protocol Secure (HTTPS)

  • Secure hypertext transfer protocol (eavesdropping-proof through transport encryption)
  • Bidirectional encryption between server and client
  • Root certificates as the trust anchor
  • Protected authentication
  • Encryption of the data content
  • Encryption with the Camille Bauer certificate or a customer-defined certificate
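A practical caveat for the last bullet: a customer-defined certificate only helps if the clients that talk to the instrument actually refuse anything else. The added Go example below (not code from this page or from Camille Bauer) builds a small plant CA and a device certificate in memory, then shows a client tls.Config that trusts only that CA, requires TLS 1.2 or newer and checks the host name, so a self-signed factory certificate or a certificate issued for another host is rejected. The CA name, the host names and the validity periods are made-up values for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for tmpl signed by parent; with parent == nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func deviceTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// ClientConfig is what the SCADA or engineering client should use: trust only the
// plant's own CA (not the system store, not "any certificate"), pin the expected
// host name and refuse anything below TLS 1.2.
func ClientConfig(ca *x509.Certificate, host string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
}

// Trusted applies the same chain and host-name check tls.Dial performs with cfg,
// but on a certificate we already hold, so the example runs without a network.
func Trusted(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

func main() {
	const host = "pq-meter-01.plant.example"
	ca, caKey, _ := newCert(caTemplate("Plant Operator Root CA"), nil, nil)
	issued, _, _ := newCert(deviceTemplate(host), ca, caKey) // customer-defined certificate
	factory, _, _ := newCert(deviceTemplate(host), nil, nil) // self-signed, as shipped
	cfg := ClientConfig(ca, host)
	fmt.Println("customer-issued certificate:", Trusted(cfg, issued))
	fmt.Println("self-signed factory certificate:", Trusted(cfg, factory))
	fmt.Println("right CA, wrong host:", Trusted(ClientConfig(ca, "other.plant.example"), issued))
}
```

The first check passes and the other two return an error. The design point is that the trust decision lives in the client configuration: once the factory certificate has been replaced, the client pool should contain only the plant CA, so a device that has been swapped or a man-in-the-middle presenting a self-signed certificate is rejected instead of silently accepted.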

3. Client whitelist / client IEC 61850 whitelist [firewall]

  • List of up to 10 authorized participants (computers), each identified by:
    • IPv4 address
    • IPv6 address
  • Access by all other participants is blocked
Source: Camille Bauer Metrawatt AG

4. Audit log [recording of all changes]

  • Secure logging, with user information, of all:
    • Connection attempts
    • User login / logout events
    • Views of the audit log
    • Configuration changes, resets and data deletions

5. Syslog

  • Central network monitoring
    • Forwarding of the audit log entries to a security (syslog) server
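Items 3 to 5 belong together: the whitelist is the first gate for a connection, the audit log records the outcome, and syslog ships the record off the device so that an attacker who later takes control of the meter cannot erase the trail. The following added Go example (not code from this page or from Camille Bauer) implements all three for an imaginary meter: up to 10 IPv4 or IPv6 clients, with IPv4-mapped IPv6 addresses normalized so "::ffff:10.0.0.5" and "10.0.0.5" are the same entry; default deny for everything else once the list is populated; an audit entry for every connection attempt, configuration change and log view; and each entry rendered as an RFC 5424 syslog line (facility authpriv, severity warning for denials). The host name pq-meter-01, the event names and the treatment of an empty list as "filter not configured" are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

const maxClients = 10 // whitelist size given on the page

var ErrListFull = fmt.Errorf("whitelist full (max %d clients)", maxClients)

// AuditEntry is one log record; Result is "ok" or the reason for a denial.
type AuditEntry struct {
	Time   time.Time
	Event  string // CONNECT, CONFIG, AUDIT_VIEW
	User   string // "-" before any user is known (connection stage)
	Client netip.Addr
	Result string
	Detail string
}

type Meter struct {
	allow map[netip.Addr]bool
	audit []AuditEntry
	now   func() time.Time
	sink  func(line string) // syslog transport (UDP 514 or TLS 6514 in practice), injected here
}

func NewMeter(now func() time.Time, sink func(string)) *Meter {
	return &Meter{allow: map[netip.Addr]bool{}, now: now, sink: sink}
}

// Allow adds an IPv4 or IPv6 client and refuses the 11th distinct entry.
func (m *Meter) Allow(ip string) error {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return err
	}
	addr = addr.Unmap() // store ::ffff:a.b.c.d as a.b.c.d so both spellings match later
	if !m.allow[addr] && len(m.allow) >= maxClients {
		return ErrListFull
	}
	m.allow[addr] = true
	return nil
}

func (m *Meter) record(event, user string, client netip.Addr, result, detail string) {
	e := AuditEntry{m.now(), event, user, client, result, detail}
	m.audit = append(m.audit, e)
	m.sink(FormatSyslog(e)) // ship it off the device immediately
}

// Connect is the first gate for every TCP session (web UI, IEC 61850, Modbus/TCP).
// Assumption: an empty list means the filter is not configured and blocks nothing.
func (m *Meter) Connect(ip, service string) bool {
	client, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	client = client.Unmap()
	if len(m.allow) > 0 && !m.allow[client] {
		m.record("CONNECT", "-", client, "denied: not whitelisted", service)
		return false
	}
	m.record("CONNECT", "-", client, "ok", service)
	return true
}

func (m *Meter) ChangeConfig(user, ip, key string) {
	m.record("CONFIG", user, netip.MustParseAddr(ip), "ok", key)
}

// ViewAudit returns a copy of the log and records the view itself.
func (m *Meter) ViewAudit(user, ip string) []AuditEntry {
	m.record("AUDIT_VIEW", user, netip.MustParseAddr(ip), "ok", "")
	return append([]AuditEntry(nil), m.audit...)
}

// FormatSyslog renders an entry as an RFC 5424 line: PRI = facility*8 + severity, with
// facility 10 (authpriv), severity 4 (warning) for denials and 6 (informational) otherwise.
// 32473 is the enterprise number reserved for documentation examples.
func FormatSyslog(e AuditEntry) string {
	sev := 6
	if e.Result != "ok" {
		sev = 4
	}
	return fmt.Sprintf(`<%d>1 %s pq-meter-01 audit - %s [meter@32473 user="%s" client="%s" result="%s"] %s`,
		80+sev, e.Time.UTC().Format(time.RFC3339), e.Event, e.User, e.Client, e.Result, e.Detail)
}

func main() {
	m := NewMeter(time.Now, func(line string) { fmt.Println(line) })
	_, _ = m.Allow("10.0.0.5"), m.Allow("2001:db8::10")
	m.Connect("10.0.0.5", "https")           // allowed
	m.Connect("::ffff:10.0.0.5", "iec61850") // same host in IPv4-mapped spelling: allowed
	m.Connect("10.0.0.99", "https")          // denied and logged with severity warning
	m.ChangeConfig("admin", "10.0.0.5", "rbac.users")
}
```

Two details matter in practice: the unmapping step, because a dual-stack socket reports IPv4 peers as IPv4-mapped IPv6 addresses and an allowlist that compares raw strings would either block legitimate clients or, worse, let an attacker slip past with the alternative spelling; and the fact that the denied attempt is the most valuable entry, since on the central syslog server it is exactly the signal that a host which should never talk to the meter is trying to.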

6. Secure firmware updates

  • Verification that the firmware is genuine
    • Firmware images are digitally signed
    • The validity of the image is checked for plausibility before installation
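How a device can check that an update is genuine before anything is written to flash, as an added Go example (not this page's or the manufacturer's format): the build tool signs header and payload with an Ed25519 key whose public half is built into the device; the device parses the image, rejects anything whose length field does not account for every byte, verifies the signature, and additionally refuses images whose version is not newer than the installed one (anti-rollback, a common plausibility check that the page does not list explicitly). The "PQFW" container layout, the field sizes and the version numbers are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (invented for this example, not the manufacturer's format):
//   "PQFW" | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so the header fields cannot be altered either.
const (
	magic   = "PQFW"
	hdrSize = 4 + 4 + 4
)

var (
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("firmware signature verification failed")
	ErrRollback  = errors.New("firmware version is not newer than the installed one")
)

// BuildImage is the manufacturer's side; the private key never leaves the build server.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device's side: check the framing, verify the signature with the
// public key built into the device, then reject rollbacks. Only then is the payload
// handed back for flashing.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrSize+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := uint64(binary.BigEndian.Uint32(img[8:12]))
	if uint64(hdrSize)+n+uint64(ed25519.SignatureSize) != uint64(len(img)) {
		return 0, nil, ErrFormat // the length field must account for every byte, no more, no less
	}
	signed, sig := img[:hdrSize+int(n)], img[hdrSize+int(n):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrSize:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what would be burned into the device
	img := BuildImage(priv, 2, []byte("constructed firmware payload v2"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)
	tampered := append([]byte(nil), img...)
	tampered[hdrSize] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("re-flash of the installed version:", err)
}
```

The order of the checks is deliberate: framing first, so a malformed length can never make the parser read outside the buffer; signature second, so nothing an attacker wrote is interpreted before it has been authenticated; rollback last, because an old but genuinely signed image with a known vulnerability is the classic way to undo a security fix.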

7. Data logger and uninterruptible power supply (UPS)

  • SD card memory in the meter
  • 16 GB of data memory lasts for many years of typical operation
  • UPS bridging 5 × 3 minutes in case of failure of the supply voltage

8. Data export

  • Manual data export as CSV and PQDIF
  • Automated data export as CSV and PQDIF (scheduler)
  • Event push (PQDIF) to an SFTP server

9. Secure platform solution with secure connectivity

  • Secure platform solution operated by an ISO 27001 certified provider
  • No investment in own IT infrastructure necessary thanks to full vertical integration
  • Computing power of the system always remains at a high level (self-sufficient data hub)
  • No separate ICT protection barriers are needed on the customer side (e.g. firewall, virus protection, …)
Platform solution BentoNet

10. Measuring instruments without a microprocessor (non-µP)

The simplest way to support cyber security.

  • Transducers for I/U/P/Q
  • "Dumb" hardware cannot be attacked over the network (no IP address)
  • High availability and longevity over decades
  • Globally proven technology
