Prioritising Cybersecurity As “Tomorrow May Be Too Late”

As the energy sector undergoes the digital transformation, cybersecurity should not be an afterthought.
Published: Wed 03 Feb 2016

Brought to you by:

While the digitisation of the energy sector and the move towards distributed generation are creating a number of opportunities for all stakeholders, new technologies can also open the door to cyber threats.   

Cyber-attacks, which are growing in complexity, have the potential to cost businesses a fortune so it makes sense that the global cyber security market is estimated to grow to $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020, as published by Markets and Markets.

According to Marius Münstermann, Key Account Manager, Rohde & Schwarz SIT, data exchange between field elements is gaining momentum and while this makes for more efficient business processes, vulnerability to cyber attacks is heightened. “No-one wants to experience the scenario that Marc Elsberg describes in his book, “Blackout -tomorrow will be too late” (a techno-thriller about a two week large-scale power outage in Europe caused by a cyber attack).” To avoid this scenario, Mr Münstermann suggests that stringent cybersecurity measures be put into place right from the start as new technologies and processes are adopted - not later.  

Overcoming cybersecurity challenges

The implementation of cybersecurity in Europe has been somewhat sluggish as many utilities adopted a “wait and see” stance in the past, says Mr  Münstermann, but as the threat of hacking escalates,real cases are reported and new regulation is implemented, cybersecurity is being prioritised. To identify gaps in security, he points out that many utilities are now carrying out threat analysis and the larger-scale adoption of solutions is likely to occur over the next year or two.

While there is evidence that utilities are starting to work on their cybersecurity issues, there is still a great deal of work to be done. Old infrastructure, which is now being updated with new technologies, has to be made secure. There is no doubt that this is going to take time and will more than likely cost a great deal of money which can be major obstacles for utilities. A lack of skilled manpower will also prove to be a challenge for utilities as new technologies are implemented.  

To overcome these challenges, Mr Münstermann suggests that utilities analyse their current situation and identify the “crown jewels”, in other words, the assets that essentially drive the business forward. It is these assets and processes that should be prioritised and made secure. He adds that the system should also have zones that can be quickly disconnected if there is a security threat. This will ensure that one infected zone does not affect the entire system.

It is also important for utilities to choose the right cybersecurity partner. Mr Münstermann says that many vendors are joining forces and sharing their expertise to offer well-rounded and holistic solutions. For instance, Rohde & Schwarz - has partnered with Siemens to create a combined solution that will cover many security aspects, filling in gaps where perhaps one solution may not.

New world, new challenges

In the past, serial protocols and messages (control messages, measurement values and status notifications, for instance) travelled back and forth between various actors and energy generating elements. This system was based on the IEC 60870-101 serial protocol. This has been converted to the IEC-60870-104 protocol which is based on Transmission Control Protocol/Internet Protocol (TCP/IP) and the protocol is now widely used in Europe to control and regulate field elements like wind turbines, for instance.

Now that everything is connected via IP by means of 3G or leased lines, i.e. open internet, the systems could be accessed without permission. To avoid unauthorised access Internet Protocol Security (IPsec) encryption ensures that encrypted messages are exchanged via Virtual Private Network (VPN) tunnels so that nobody on the outside can intercept the communication stream.

However, while the tunnel and endpoint at the control centre are now secure, the endpoint at the field element, like a turbine, can be physically hacked and/or malware can be transmitted through the secure tunnel to headquarters. But, this attack can be avoided if traffic inside the tunnel can be verified by means of protocol validation.

Achieving successful protocol validation

To achieve protocol validation, the first step would be to carry out a deep-packet inspection. The utility would have to analyse every TCP/IP packet to gain an understanding of what is occurring from a security point of view.

It’s important to understand the protocols being used within the smart grid ie. IEC-60870-104 and implement a gateway that enables the administrator to create firewall rules based on protocol attributes. For instance, a wind turbine can only send status messages and measurement values but it can’t send command and control messages to the central control centre.

Coupled with a whitelisting approach, only protocols / messages that can be identified as 100% secure can be passed through. Everything else is blocked (this is the opposite to the classic blacklisting approach in common firewalls), ensuring a stronger security level.

“The whitelisting approach narrows the door significantly. Only communication that is known and trusted or is a 104 message, can pass through. Everything else that is not this protocol will be blocked. The trick here is to only accept information that is expected. The firewall rule can be based on this protocol.”

R&S already had firewall capabilities made in Germany under the "Gateprotect" and "Adyton" brand for many years and has recently added the protocol validation feature for the smart grid.

“We have implemented this in our next generation firewalls called gateprotect NP (network protector) and also recently launched a brand new graphical user interface which allows users with little IT experience an easy and convenient administration. This is especially important in the energy sector as we have found that the current changes in the sector create new challenges for employees in charge of the established process networks who previously had limited exposure and experience with IP-technology.” 

Introducing other applications to the solution

Now that there is the capability of adding protocols in a very short space of time, it is possible to teach the gateway further protocols.

With the industry 4.0 and Internet of Things developing fast, similar security is needed in these fields as well.

Depending on which protocols are being used in these networks, one can add these and implement them in the gateway solution and offer a similar added value for other process networks outside of the energy sector. 

Choosing a trusted & experienced supplier

With a strong background in the test and measurement as well as radio communication fields, German firm Rohde & Schwarz has always had capabilities for high-end-encryption and IT-Security, mainly as a supplier for other business units.

“We have now decided to strengthen this further and to become a trusted supplier of Cybersecurity solutions made in Europe. Our aim is to tailor make solutions for the needs of tomorrow’s critical infrastructure security needs.”

In line with this strategy, Rohde & Schwarz has recently acquired Sirrix, which has strong capabilities in endpoint security and secure mobile solutions and will bundle all activities in a new, larger Rohde & Schwarz Cybersecurity division. The gateway solution is only part of a larger portfolio of hard- and software made in Germany, which will be officially presented under one roof at the CeBit fair in Hannover this March.

Related Webinar