Subscribe to Blog Updates

Tightening IoT security with software

Power grids are fast becoming digital jungles. Internet of Things (IoT) sensors, smart meters and integrated cloud services are bringing new considerations for organisations in relation to hackers, cyber security and data protection. Here, I'd like to explain how software is playing an important role in securing networks of information technology (IT) and operational technology (OT) in the energy industry.

    

Stakes are high in the energy sector. In fact, it is one of the only industries in which cyber security is entangled with public safety and environmental concerns. Digitalisation in this sector provides huge efficiency benefits, but also presents risks. Cyber criminals are now looking for gaps in security measures, and IoT devices can provide an opportunity to infiltrate these networks.

 

The arrival of ISA/IEC 62443-4-1:2018

In 2017, Energy UK called for a collaborative approach to cyber security in the industry. One of the objectives was to encourage security vendors to work closely with operators to ensure products are fit for purpose.

During the same period the Cyber Security in the Energy Sector report by the Energy Expert Cyber Security Platform (EECSP) was released. The group identified 39 gaps in energy cyber security that were not covered by existing legislations. Alongside calls from trade associations like Energy UK, the report demonstrated a need for a flexible framework that addresses and mitigates current and future security vulnerabilities in energy automation.

Shortly following this, the ISA/IEC 62443 series of standards were released. Developed by the ISA99 committee as American National Standards, ISA/IEC 62443 was also adopted globally by the International Electrotechnical Commission (IEC).

 

What does this mean for the energy sector?

Prior to this new standard, products and services for energy automation could not be certified in relation to secure product development. The new IEC 62443 standard therefore creates the basis for comprehensive security. For the first time, the standard provides a baseline to unite all perspectives — that of the component supplier, systems integrator and equipment operator.

TÜV SÜD, part of the German Association for Technical Inspection, recently awarded the new ISA/IEC 62443-4-1:2018 security standard to COPA-DATA, for its software development, quality assurance and support processes used for energy automation software, zenon.

Certifications like these are particularly beneficial for the UK energy sector as entire power grids are often networked using HMI and SCADA systems powered by software like zenon. Energy grids are increasingly using centralised software to visualise and control their operations, linking critical infrastructure and the cyber world.

While this connectivity is valuable, it automatically increases cyber security risks in all networked equipment. Therefore, it is necessary that the software at the centre of it all is trusted — and this trust is certified by a third-party standard.

 

Intense audit

What exactly does a company need to earn IEC 62334 certification? The certification requires companies to check the potential weaknesses of their automation and control technologies, and then demonstrate they have developed effective protection measures.

The requirements are very comprehensive, and in the case of COPA-DATA, required the formation of a Security Management Team (SMT) to demonstrate exceptional security issue management for the duration of one zenon release. In particular, the team introduced threat models to search for structural vulnerabilities from the point of view of an attacker.  

For systems integrators, achieving the certification requires testing of integration processes and the assessment of implemented IT security functions. The relevant documents will be scrutinised by the assessor, and an on-site audit plan is put in place. Next up are intense interviews, procedural assessments and technical checks.

The certificate is only considered current for one year, ensuring security in product development is regularly assessed. Businesses must recertify annually. This guarantees that new and emerging cyber threats and loopholes are consistently managed and therefore are not able to infiltrate the software.

Power grids may be fast becoming digital jungles, but as with every trek, the best voyagers are equipped smartly and prepared for the worst. To secure their networks in today’s turbulent energy sector, it is vital that operators are armed with software that is designed in line with current industrial IT security guidelines.