Threat from cyber attacks

Data security for monitoring systems

This section discusses IT security in the context of power quality and power monitoring systems.

The chapter is dynamic and therefore not to be considered conclusive.

Possible risks

Data theft

  • Hacking & Cracking
  • Eavesdropping
  • Data mining
  • Theft of passwords and other information

Data manipulation

  • Unauthorised access (intranet, terminals, server, …)
  • Modification of data & data telegrams
  • Deletion of data
  • Changing configurations

Conclusion

Unintentional data interventions mean that something is no longer the way it was planned. Such interventions therefore often have a direct impact on costs as well as on the reputation of the person or company concerned. The damage is thus x times higher than the cost of merely defending against or remedying the intervention that has taken place.

It should also be noted that devices that have already been attacked can be used as a platform for the substantial spread of data tapping and manipulation. This means that unintentional access carries an x-fold greater risk potential than it might initially appear.


The 7 network levels

The main characteristics of the 7 network levels in the context of data flow

  • Electrical interconnections must communicate with each other
  • Integration into the World Wide Web (www)
  • Integration of more measuring points
  • Users on grid level 7 (local distribution grid <1kV) become (app) specialists (e.g. SmartHome, energy procurement, …)
  • SmartGrid applications are becoming popular and also demanded
  • Planning with simulation and trends are becoming increasingly important for the networks
  • Dynamic load management (e.g. redispatch, …)

Conclusion

Data flows and volumes are increasing and are associated with extreme threats as well as obstacles (e.g. connectivity).

What data and manipulation security strategies are used?

  • Definition of a company-specific IT(C) policy
  • Employment of internal as well as external IT specialists in the respective areas of expertise
  • Operate closed or isolated networks
  • Strict compliance with country-specific data protection guidelines and laws
  • Reduce proprietary systems (e.g. proprietary manufacturer interfaces)
  • Use of standardized protocols (e.g. IEC 61850, PQDIF IEEE 1159.3, etc.)
  • Use of additional software solutions for monitoring
  • Centralisation of systems (hardware, software, personnel)
  • Outsourcing of services to external companies
  • Insourcing of outsourcing services
  • Segmentation of the network to minimise the possible attack surface
  • …..
  • …..
  • Use of auditable security standards (e.g. ISO 27001, individual, etc.)

This list is not conclusive!

Insight into ISO 27001 – a workable approach?

This International Standard has been developed to specify requirements for the establishment, implementation, maintenance and continuous improvement of an Information Security Management System (ISMS).

The introduction of an information security management system is a strategic decision for an organisation. The creation and implementation of such a system within an organisation depends on its needs and goals, the security requirements, the organisational processes and the size and structure of the organisation. It can be assumed that all these influencing variables will change over time.

The information security management system maintains the confidentiality, integrity and availability of information using a risk management process and provides confidence to interested parties that risks are appropriately managed.

It is important that the information security management system is integrated into the organisation’s overall governance structure as part of its operations and that information security is already taken into account in the design of processes, information systems and measures.

It is expected that the implementation of a security system (ISMS) will be scaled according to the needs of the organisation.

This standard is supplemented by IEC 62443, which in turn describes a holistic approach to cyber security, down to the component level within industrial automation.

Risks cyber attacks

The problem

  • Individual approaches only take up partial aspects
  • IT experts mostly have a technical focus and pay less attention to the overall context
  • ISO 27001 is a complete, holistic management system and very complex
  • IEC 62443 is in principle only applicable to the sub-area of industrial automation
  • There is still no IEC IT security standard at device level for power quality instruments and power monitoring devices. This is currently being worked on in the committees of IEC TC85/WG 20 – Equipment for measuring and monitoring of steady state and dynamic quantities in Power Distribution Systems, under the project title: “Cybersecurity aspects of devices used for power metering and monitoring, power quality monitoring, data collection and analysis”.

A possible answer for monitoring applications

Measures drawn from individual aspects of ISO 27001 as well as from GSTQ901, “Network Quality Instrument – Cybersecurity Requirements”, of the company ENEL:

  • Assign role-based access rights (RBAC)
  • Use transport-encrypted websites (HTTPS)
  • Client whitelist for limiting access to end devices
  • Audit log for seamless monitoring of changes and operations
  • SysLog to secure the operations (tracking)
  • Apply certified firmware updates to measuring instruments and software
  • Decentralised data loggers as redundancy outside the IT system
  • Use secure connections in mobile applications
  • Uninterruptible power supply (centralised/decentralised)
  • Use metrologically certified measuring instruments
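
How the first three measures and the audit log can work together on a measuring instrument's management interface, as an added example that is not taken from ISO 27001, GSTQ901 or any vendor's firmware. The role names, permissions, network ranges and the hash-chained log format are assumptions chosen for illustration.

```python
import hashlib
import ipaddress
import json

# Constructed sample policy: role names, permissions and networks are assumptions.
ROLE_PERMISSIONS = {
    "viewer": {"read_measurements"},
    "operator": {"read_measurements", "export_data"},
    "admin": {"read_measurements", "export_data", "change_config"},
}
CLIENT_WHITELIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "192.0.2.15/32")]


class AuditLog:
    """Append-only log; each entry is chained to the hash of its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"record": record, "prev": prev, "hash": digest})

    def verify(self):
        """Return the index of the first entry that breaks the chain, or -1."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return -1


def authorize(log, user, role, client_ip, action):
    """Check the client whitelist, then the role; log every decision."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in CLIENT_WHITELIST):
        decision = "deny:client_not_whitelisted"
    elif action not in ROLE_PERMISSIONS.get(role, set()):
        decision = "deny:role_lacks_permission"
    else:
        decision = "allow"
    log.append({"user": user, "role": role, "client": client_ip,
                "action": action, "decision": decision})
    return decision == "allow"
```

Denied requests are logged as well, so a gap-free record of attempted configuration changes exists. The chain only exposes later edits if the latest hash is also kept off the device, for example by forwarding each entry via Syslog.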

Conclusion

  • If Cyber Security hardened components are not used, much more effort has to be invested in Cyber Security Management Systems. This is dangerous because insecure components cannot really be managed in a secure way either.
  • Conformance testing of a product’s Cyber Security costs a minimum of the outlay for a security management system certificate
  • Often, device manufacturers leave the costs for security management to the customers instead of developing secure products themselves