A second line of defence for the energy sector

The transformation of the energy sector is being driven by changing business strategy, and cybersecurity is being prioritised.
Published: Thu 28 Jul 2016


Germany’s smart metering rollouts have kicked off with the Certificate Authority of the smart metering public key infrastructure, which has been put in place on behalf of the BSI, the Federal Office for Information Security. This has led new market players to take on sub-certificate authorities and implement them in their own data centres, both to prepare for the rollout and to manage the smart metering gateways. Market players have access to technical guidelines developed by the BSI, which has established very strict regulations.

Currently, the energy provider would have a Certificate Authority (CA) and then manage the smart meter gateways. Normally between one and 10 smart meters are linked to one gateway, which carries a small smart card and connects via fixed or mobile networks to a central data centre. The connection between the data centre and the smart meter gateway is protected by transport layer encryption. To this end, a hardware security module at the data centre acts as the secure storage for the Sub-CA and as the counterpart to the smart cards in the field.

All of this is now well established in the technical guideline, and four to five players are now offering smart meter gateways. Most of them are in the process of being approved and certified according to the guideline, and in parallel the different data centres are being set up to manage these smart meter gateways. Likewise, two different Hardware Security Modules have recently been approved as meeting the strict criteria laid out in the BSI’s Certificate Policy for Smart Metering. Both solutions are offered by Rohde & Schwarz Cybersecurity, which currently helps various players to implement an infrastructure for Smart Meter Gateway Administration.

We spoke to Marius Münstermann, Head of Enterprise Sales, Rohde & Schwarz Cybersecurity, who says that it’s an additional security anchor. In terms of integrating the solution, R&S Cryptoserver has standard interfaces which the applications talk to; applications usually use Microsoft CAPI, Oracle JCE or PKCS#11.

He adds: “These are standard interfaces that this crypto module has on offer. Basically the application would ask the crypto module to provide a random number and then it generates a random number or certificate or stores the key. These operations are done via standard interfaces that a number of developers use.”

Paradigm shift in energy security

The strict guidelines for smart metering show that there has been a paradigm shift from reactive IT security to preventive IT security.

Münstermann points out: “In IT security and in cyber security you find more and more smart solutions that actually have security by design so that from the start and from the core, you design the solution that prevents certain threats or certain aspects. For instance, Browser in the box, which uses a totally different and secure approach to protect against cyber threats.”

The solution provides a virtual machine with a hardened operating system and an encapsulated web browser. Malware cannot penetrate the host operating system. While he points out that firewalls and antivirus software still have an important role to play, this now allows users in very restricted areas of operation to access the Internet without the danger of affecting critical infrastructure. For example, operators on duty in a 24/7 energy network control room can now safely browse the web for weather warnings without compromising sensitive systems.

Business driving cybersecurity

There is a shift amongst utilities because of changes in the energy market, especially when it comes to digitalisation in Germany, says Münstermann.

He adds: “We see this energy turnaround. Business models are changing as utilities re-assess their old strategies. There is also a higher adoption of security as a result being driven mostly by the need to change business strategy.”

IT security is generally implemented and operated in-house rather than outsourced; however, ISO 27001 certification and auditing are being outsourced. Players usually keep operations internal because it’s a critical infrastructure and they want to have control and full access.

He says: "It’s part of their business model that availability of power and availability of services is their USP. Some energy providers are opting to offer outsourcing service to others like data centre capacities or other 24/7 services. Some already have a monitoring and control centre for their own network which they could leverage to other communal shareholders so that they provide various services to other parts of the city or the municipality."

He points out that a proper analysis should be carried out, especially an ISO 27001 audit, and that findings are “taken seriously.” He recommends: “Business analysis should be ongoing; only trusted providers should be used; take an interest in where solutions have been developed and manufactured, investigate company reputation and track record of suppliers, and don’t settle for the cheapest solution because it is a critical infrastructure and if chosen correctly, it will pay off in the long-term.”

Data management and security models

The intelligent automated management of power generation, transmission and consumption makes a smart meter smart. Small and large-scale energy sources have to be integrated to ensure real-time power balancing. These individual components between plants or units within the smart grid are controlled over process control networks (PCN).

PCNs are connected to and converge with business IT networks. The strict physical separation between both systems is a thing of the past. Operational efficiency drives the increasing use of commercial hardware and software solutions in PCNs. Therefore, critical energy infrastructure is increasingly exposed to various cyber threats – from well-known exploits to sophisticated attack methods.

Adequate security levels can be achieved through the deployment of effective internal security systems within business and control networks. Conventional firewalls and their security strategies protect the corporate perimeter towards the Internet, acting as a first line of defence. The Next Generation Firewall gateprotect NP+ from Rohde & Schwarz Cybersecurity additionally separates networks based on a zoned IT security concept that keeps applications, users and data where they belong, providing an effective second line of defence.

A major strength of gateprotect NP+ is the ability to process and filter industry-specific protocols, such as the IEC 60870-5-104 protocol that is used by smart grid PCNs.
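To make zone-based filtering of IEC 60870-5-104 concrete, here is an added example (not part of the original article and not the logic of gateprotect NP+) that parses an APDU and applies a per-zone allow-list of ASDU type IDs. The zone names, the policy and the sample frames are constructed assumptions.

```python
import struct

# Subset of IEC 60870-5-104 ASDU type IDs, split by direction.
MONITOR_TYPES = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 30: "M_SP_TB_1", 36: "M_ME_TF_1"}
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 100: "C_IC_NA_1"}

# Hypothetical zone policy: type IDs allowed on the link between each zone and the PCN.
ZONE_POLICY = {
    "control_room": set(MONITOR_TYPES) | set(CONTROL_TYPES),
    "business_it": set(MONITOR_TYPES),  # read-only view of measurements, no commands
}

def parse_apdu(frame: bytes) -> dict:
    """Parse one APDU: start byte 0x68, length, 4 control octets, optional ASDU."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    length = frame[1]
    if not 4 <= length <= 253 or len(frame) != length + 2:
        raise ValueError("length field does not match frame")
    cf1 = frame[2]  # low bits of the first control octet select the frame format
    fmt = "I" if cf1 & 0x01 == 0 else ("S" if cf1 & 0x03 == 0x01 else "U")
    apdu = {"format": fmt}
    if fmt == "I":
        if length < 10:
            raise ValueError("I-format frame too short for an ASDU header")
        # Type ID, variable structure qualifier, cause, originator, common address.
        type_id, _vsq, cot, _oa, ca = struct.unpack_from("<BBBBH", frame, 6)
        apdu.update(type_id=type_id, cot=cot & 0x3F, common_address=ca)
    return apdu

def decide(zone: str, frame: bytes) -> str:
    """Default deny: unknown zones, malformed frames and unlisted type IDs are dropped."""
    allowed = ZONE_POLICY.get(zone)
    if allowed is None:
        return "drop"
    try:
        apdu = parse_apdu(frame)
    except ValueError:
        return "drop"
    if apdu["format"] != "I":  # S/U frames only carry acknowledgements and link control
        return "allow"
    return "allow" if apdu["type_id"] in allowed else "drop"

# Constructed sample frames (not captured traffic).
STARTDT_ACT = bytes.fromhex("680407000000")
MEASUREMENT = bytes.fromhex("6812000000000d01030001006400000000484200")  # M_ME_NC_1
COMMAND = bytes.fromhex("680e000000002d01060001000a000001")  # C_SC_NA_1

if __name__ == "__main__":
    for name, frame in [("STARTDT", STARTDT_ACT), ("M_ME_NC_1", MEASUREMENT), ("C_SC_NA_1", COMMAND)]:
        print(name, {zone: decide(zone, frame) for zone in ZONE_POLICY})
```

A single command (type 45) is dropped on the business IT link but allowed from the control room, while measured values pass in both zones.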

Moving forward

In response to the energy sector transformation, Rohde & Schwarz has now fully integrated its activities in IT security and cyber security into one group. There are currently around 350 staff members and the company is one of the top three manufacturers of IT security solutions within Germany.

Münstermann says that the German IT security market is fragmented and, as a result, there are a lot of start-ups and small players. “There is a lot of consolidation and we want to drive it by acquiring further companies for IT-Security made in Europe, specifically Germany. We also want to build more solutions and we invest heavily in R&D to develop more solutions.”