Cyber security solutions (protection level) for data and manipulation security
Due to the steadily growing digitization and the associated connectivity, the risk of intentional as well as unintentional misuse is also increasing. In this article, solution approaches are found at the level of measuring devices, which are also used in subareas of software solutions. From this, approaches from ISO 27001 (Annex A; reference measure objectives and measures) can be found, such as:
- Access control for systems and applications
- Cryptographic measures
- Physical and environmental safety
- Protection from malware
- Data backup
- Logging and monitoring
In addition, it is advantageous to include the high requirements of GSTQ901, Network Quality Instrument – Cybersecurity Requirements of the company ENEL. All this should contribute significantly to a significant increase in security at the level of measuring devices.
All this is furthermore supported by the “Act to Increase the Security of Information Technology Systems (IT Security Act 1.0)“as well as the “Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0 -new IT security law for modern cyber security)” underlined again [Source: German Federal Office for Information Security; 09.08.2021]
Possibilities for data and manipulation security
Source: Camille Bauer Metrawatt AG
Role-based access authorisation (RBAC)
- Granting user rights that are necessary and not in excess of them
- Access to measurement data: Visualisation, deletion, download
- Configuration data: Display, Change
- User administration
- Remote access via website / software
- Local access
- No clear text transmission of login information
- Repeated login attempts increase latency
- Storage of RBAC settings only encrypted
Hypertext Transfer Protocol Secure (https)
- Secure hypertext transmission protocol (tap-proof through transport encryption)
- Bidirectional encryption between server and client
- Root certificates as encryption element
- Protected authentication
- Encryption of the data content
- Encryption with Camillebauer certificate or user-defined certificate
Client Whitelist / Client IEC61850 Whitelist [Firewall]
- List with a maximum of 10 authorised participants (computers) with:
- vIPv4 Address
- vIPv6 Adresse
- All other participant accesses are blocked
Audit log [Registration aller Manipulationen]
- Secure logging with user information for all:
- Connection attempts
- User login / logout processes
- Visualisations of the monitoring protocol
- Configuration changes Reset / delete data
Sys-Log
Secure firmware updates
- Check if the firmware is original
- Firmware images are digitally signed
- Plausibility check of the validity is guaranteed
Data logger & Uninterruptible Power Supply (UPS)
- SD card memory in the measuring device
- 16 GB data memory lasts for many years of typical operation
- UPS with 5×3 minutes in case of power failure on the supply
Data export
- Manual data export via CSV & PQDIF
- Automated data export csv & PQDIF (scheduler)
- Event push (PQDIF) to SFTP server
Secure (mobile) connection
- Secure connection via gateway (private cloud (e.g. BentoNet ISO 27001 certified)
- VPN single node Cloud-Service
- Modem connection
Metrologically certified measurement system
- METAS Certificate (Swiss Federal Institute of Metrology)
- Certified power quality according to IEC61000-4-30 Ed.3, Class A & S
- Certified active energy according to class 0.2S
Non-µP measuring devices
The easiest way to implement cyber security.
- Transmitter for I/U/P/Q
- “Dumb” hardware prevents IT attacks (no IP address)
- High availability & longevity over decades
- Globally proven technology
Conclusion
It is already apparent today that at the level of measuring instruments, the manufacturer, in cooperation with users, is giving intensive thought to bringing the subject of information and data manipulation to the highest level of security.