SIVACON S8
Low Voltage Switchgear
Cybersecurity
The imperative of Cybersecurity in Energy Management
At Ardan Katzenstein, the core of our operation revolves around delivering efficient, secure, and dependable energy supply solutions - a testament to our commitment to best-in-class engineering services for all clients. As a producer of critical infrastructure, we've observed the transformation of grid management, attributed to the integration of renewable, decentralized energy resources, optimization needs, interaction with consumers, and the emergence of new market players.
​
Our business landscape, deeply interwoven with information and communication technology down to distribution networks and households, has given rise to a complex web of interconnections. These not only increase the efficiency of our operations but also present potential vulnerabilities to critical infrastructure. Therefore, cybersecurity has become a central concern for today's power system operators.
​
As depicted in Fig 1, power system operators, like many of our customers, strive for the security of supply - the guarantee of uninterrupted, competitively priced power, compliant with regulations. From this vantage point, cyber threats are seen as considerable risks that could destabilize supply security. Cybersecurity, in this context, encompasses all efforts to mitigate such risks, adhering to industry standards, and meeting local cybersecurity regulations, thus resonating with our principle of acting with social responsibility and integrity.
​
To meet this goal, we opt to use products that:
- strictly adhere to relevant cybersecurity regulations, which outline what measures should be taken,
- conform to associated cybersecurity standards, which specify how those measures are implemented, and
- implement strategies to mitigate cyber risks.
Our holistic approach to cybersecurity follows the '3P' paradigm - people and organization, processes, and products and systems, aligning with our pursuit of producing high-quality, sustainable results.
Through Siemens' products and solutions, we not only ensure regulatory compliance but also promote interoperability with third-party components. Siemens' cybersecurity consultancy services are integral to our strategy, providing us with regulatory compliance assessments and protection concept development to mitigate cyber risks in energy automation.
Fig. 1: Cyber security targets for a power system operator
Cybersecurity Framework
At Ardan Katzenstein, our cybersecurity framework sets the blueprint for how cybersecurity is addressed by all stakeholders in the energy value chain. It hinges on the following elements:
​
Cybersecurity Regulations: The entire energy value chain needs to uphold cybersecurity regulations, as it's an essential part of providing best-in-class engineering services for all clients.
Cybersecurity Standards: International standards provide comprehensive guidelines for cybersecurity, ranging from governance to product-specific implementation options. The three main standards utilized in energy automation are ISO/IEC 27001, IEC 62443, and IEC 62351.
Cybersecurity Guidelines: These offer guidance on how to implement cybersecurity measures. The most widely used are NERC CIP and the BDEW whitepaper. Note that NERC CIP is mandatory and enforceable for bulk electric system operators in North America, while the BDEW whitepaper is a requirements catalogue issued by the German energy industry association; operators should check which of the two applies to them before treating either as optional guidance.
​
In line with these guidelines, Siemens outlines 14 categories of security measures, as seen in Fig. 2. This holistic approach to cybersecurity aligns with our '3P' principle of People and Organizations, Processes, and Products and Systems. This trifecta creates a balance between those who run the company, the processes employed to fulfill business needs, and the underlying infrastructure that supports these needs.
Fig. 2 shows these categories, with organization and process-related security measures marked in gray, while those related to products and systems are outlined in green.
The categories of security measures are described as follows:
​
Organizational Preparedness:
This involves implementing security measures to develop, integrate, and maintain secure products and solutions. It encompasses the entire organization through defined roles, clear responsibilities, appropriate qualifications, policies, processes, tools, and communication. Siemens’ information security policies align with ISO/IEC 27001.
​
Secure Development:
This systematic approach integrates cybersecurity into the product and solution development lifecycle, covering the entire process chain from cybersecurity requirements to validation. It also includes securing the IT infrastructure necessary for the development organization.
​
Secure Integration and Service:
Cybersecurity is ingrained in Siemens' processes to deliver customer solutions, providing them with designs, integration, and commissioning executed according to cybersecurity best practices.
​
Vulnerability and Incident Handling:
This process outlines how an organization responds to and manages security vulnerabilities and incidents, including both internal and external communication. It also interfaces with the routine vulnerability monitoring and patch development processes of product or solution development.
​
Fig. 2: Siemens categories of cyber security measures
Siemens demonstrates its commitment to cybersecurity through its dedicated in-house Computer Emergency Response Team (CERT). This specialized unit, known as Siemens ProductCERT, is tasked with monitoring and analyzing security issues.
ProductCERT publishes advisories about product-related vulnerabilities and provides recommendations for their mitigation in coordination with the relevant Siemens organizational units. Drawing on its penetration-testing expertise, it assesses Siemens products and the third-party components within the Siemens portfolio for weaknesses. These tests take the form of targeted, simulated attacks, and their results drive implementation recommendations for the responsible Siemens organizational units.
​
Secure System Architecture:
A robust cybersecurity architecture isn't just about meeting regulatory requirements; it must also embody security by design principles. To protect the power system, a defense-in-depth approach is required. This approach tackles cyber risks and promotes secure operations through an alignment of people, processes, and technologies - resonating with our '3P' principle.
Fig. 3 presents a typical network architecture, where the foundation lies in clear segmentation of the network into manageable zones. Each zone is equipped with appropriate cybersecurity measures, enabling secure and cost-efficient operation.
Fig. 3: Cyber security architecture
The architecture is the most discernible aspect of our comprehensive cybersecurity strategy, providing a solid base for implementing further measures in people, processes, and products as outlined within our cybersecurity framework.
​
System Hardening:
Hardening minimizes the attack surface of products and solutions through secure configuration: removing unnecessary software, deleting unused user accounts and logins, disabling unused ports and services, and hardening the operating system. Siemens provides hardening guidelines for products and systems and can assist operators in hardening their infrastructure.
Access Control and Account Management:
Access control selectively restricts access to products, solutions, or infrastructure by authenticating users (and systems) and granting them suitable permissions. Account management involves defining various user accounts with appropriate privileges, ideally done centrally with unified security policies. Siemens can aid system operators in designing and implementing an access control and account management system, facilitating the integration of Siemens energy management products seamlessly into their central user management solutions.
​
Security Logging/Monitoring:
This process involves capturing and monitoring all security-related activities performed across the system, including user account activities such as logins/logouts and failed login attempts. Siemens products and solutions support centralized logging of security events and alarms, providing the foundation for advanced Security Information and Event Management (SIEM) solutions.
​
Security Patching:
Security patch management encompasses vulnerability monitoring for all software components used in a product or solution, classification of vulnerabilities and available patches, security patch compatibility tests, and if required, the development of additional security patches. Siemens provides comprehensive patch management services to energy automation operators.
​
Malware Protection:
Protection against malware is ensured through the support of appropriate malware protection solutions and procedures. Siemens offers technical solutions for malware protection and assists customers in establishing a secure update process for antivirus patterns.
​
Backup and Restore:
This process involves copying and archiving software, configuration data, and operational data for restoration after a data loss event. Siemens offers backup and restore concepts and assists system operators in establishing corresponding processes.
Secure Remote Access:
This refers to encrypted, authenticated, and authorized access to substation assets from remote sites through potentially untrusted networks. Siemens provides a certified secure remote access solution tailored to the needs of power system operators.
​
Data Protection and Integrity:
This ensures the protection of all sensitive data across the system, both at rest and in transit. Data integrity and availability are ensured through appropriate methods, with Siemens components supporting the required functionality for data protection and integrity.
​
Privacy:
Privacy measures ensure users have control over the collection, use, and sharing of their personal information. Information privacy becomes particularly sensitive where personally identifiable information is collected, such as in Smart Metering applications. Siemens helps operators comply with the associated regulatory requirements, aligning with our values of social responsibility and integrity.
Operational security
In operational security, the interplay of the '3 P's' becomes obvious: products and systems, people and organizations need to work together according to the defined processes. Key functionalities in operational security include measures such as security patch management, access control and account management, security logging and monitoring, and malware protection. These measures are necessary to establish a protective and detective environment in which every action involved in operating an energy grid is accountable and traceable, so that corrective control can be taken within the operational environment. Siemens aims to support operational security by relying on international standards.
​
Vulnerability and Incident Handling:
The meticulous management of vulnerabilities and incidents is imperative to the safeguarding of the energy network. This process includes devising countermeasures, as needed, and communicating effectively with the operator about critical vulnerabilities, temporary workarounds, and accessible patches. Power system operators, in turn, must be equipped to analyze provided security advisories, and to efficiently design and apply countermeasures. While vulnerability management supports business protection, incident management focuses on responding to and recovering from cyber incidents effectively. The security measures required for incident handling are analogous to those for vulnerability management but necessitate additional organizational preparedness, especially regarding process handling.
​
Security Patch Management:
Among the various cybersecurity activities, patch management is of paramount importance, especially given the augmented interconnectivity and the heightened risk of attackers exploiting known vulnerabilities. Standards such as ISO/IEC 27002 and IEC 62443-2-3 provide guidance to operators on the implementation of robust measures for a patch management process. The recommended steps in this process for operators include:

- completing a thorough asset inventory,
- reviewing available patches,
- verifying compatibility,
- testing in an environment that mirrors the production environment,
- scheduling the patch installation,
- installing patches or mitigation measures, and
- updating the asset database.
Fig. 4: Tasks and security measures needed in vulnerability handling
Siemens is committed to meeting the stringent requirements set out by standards such as IEC 62443-2-3 and IEC 62443-2-4. These require a system vendor to be actively involved in patch management, which includes:

- providing clear documentation detailing patch management policies for components and systems,
- verifying patches for compatibility and applicability, for its own and for third-party components,
- supplying the patch information and the patches themselves to the operator, and
- providing lifecycle information for products and systems, including end-of-life information.

To fulfill these obligations, Siemens has established a comprehensive patch management process for its products and systems. This includes regular patch testing for both in-house and third-party components, with the test results made available to customers. Siemens' in-house Computer Emergency Response Team (CERT) plays a key role here, carrying out comprehensive vulnerability scanning and communicating vulnerabilities and advisories for all Siemens products. Additionally, Siemens provides 'back-up and restore' documentation at both product and system level, which is a crucial part of the patch management process.
​
A simplified process overview can be seen in Fig 5, depicting the initial and cyclic activities of a complete patch management process from an operator's perspective.
The initial activities include the migration to a secure system (step 0), defining the assets to be taken into scope, and preparing the asset data as required to carry out patch management (steps 1 and 2).
Fig. 5: Patch management process – initial and recurring activities from an operator's perspective
The recurring activities begin with the collection of patch information based on the asset inventory (step 3). This is followed by a decision-making phase on what, whether, and when patches need to be installed (step 4). Patch validation (step 5) and patch installation (step 6) are the subsequent steps. The final step is to update the asset data (step 7).
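The recurring part of that cycle (steps 3 to 7) is easiest to reason about when written down as code. The following is an added example, not Siemens or Ardan Katzenstein code: the asset inventory, the advisory records, the product names and the advisory identifiers (ADV-1, ADV-2) are constructed placeholders, and the scheduling policy in `decide()` is an assumption for illustration. The one detail worth noticing is `parse_version()`: inventories that compare firmware versions as strings will silently mark version 7.100 as older than 7.95 and patch the wrong devices.

```python
"""Steps 3 to 7 of the operator's patch management cycle as a small model.
All data below is constructed for this example; the advisory identifiers are
placeholders, not real vendor advisories."""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '7.90.2' into (7, 90, 2) so versions compare numerically.
    Comparing version strings lexically is a classic inventory bug:
    '7.95' > '7.100' as strings, although 7.100 is the newer release."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Asset:
    asset_id: str
    product: str
    version: str
    zone: str                                   # network zone from the segmentation concept
    installed_patches: list = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str                               # first version that contains the fix
    severity: str                               # vendor rating, e.g. critical/high/medium/low
    workaround: str = ""                        # temporary mitigation, if the vendor published one


def affected(asset: Asset, adv: Advisory) -> bool:
    """Step 3: match advisories against the inventory by product and version."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def decide(asset: Asset, adv: Advisory) -> str:
    """Step 4: operator policy (an assumption here): critical and high severity
    go into the next maintenance window, everything else waits for the regular cycle."""
    if adv.severity in ("critical", "high"):
        return "schedule-next-window"
    return "regular-cycle"


def plan_patches(inventory, advisories):
    """Steps 3 and 4 over the whole inventory: one work item per affected
    (asset, advisory) pair, carrying the published workaround as interim mitigation."""
    plan = []
    for asset in inventory:
        for adv in advisories:
            if affected(asset, adv):
                plan.append({"asset": asset.asset_id, "advisory": adv.advisory_id,
                             "zone": asset.zone, "action": decide(asset, adv),
                             "mitigation": adv.workaround or None})
    return plan


def validate_and_install(asset: Asset, adv: Advisory, test_passed: bool) -> bool:
    """Steps 5 to 7: install only after validation on the reference system
    succeeded, and update the asset data in the same step so the next cycle
    does not flag the asset again."""
    if not test_passed:
        return False
    asset.version = adv.fixed_in
    asset.installed_patches.append(adv.advisory_id)
    return True


def sample_inventory():
    """Constructed inventory: two protection IEDs and one RTU."""
    return [Asset("IED-1", "relay-fw", "7.90", "substation-bay"),
            Asset("IED-2", "relay-fw", "7.100", "substation-bay"),
            Asset("RTU-1", "rtu-fw", "3.2", "distribution")]


# Constructed advisories with placeholder identifiers.
SAMPLE_ADVISORIES = [
    Advisory("ADV-1", "relay-fw", "7.95", "high"),
    Advisory("ADV-2", "rtu-fw", "3.3", "medium", workaround="disable the unused web interface"),
]


if __name__ == "__main__":
    inventory = sample_inventory()
    for item in plan_patches(inventory, SAMPLE_ADVISORIES):
        print(item)
```

Running the module prints two work items: IED-1 is affected by ADV-1 and scheduled for the next window, RTU-1 is affected by ADV-2 and gets the workaround until the regular cycle; IED-2 on 7.100 is correctly left alone.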
​
Siemens offers comprehensive patch management services for products and systems to meet the regulatory requirements derived from ISO/IEC 27001 based on these process steps.
​
User management and access control:
Access control is an essential aspect of cybersecurity. It ensures that only authorized users or systems can interact with resources as intended. This is done by verifying the authenticity of the user (authentication) and their permission level (authorization). This principle is depicted in Fig 6.
​
Identity Management: The foundation of this pyramid is identity management, which is responsible for managing the users and their credentials. This is essential because it forms the trust base upon which the other layers of the pyramid are built.
​
Authentication: This step verifies that a user is who they claim to be. This can be done through various methods such as passwords, biometrics, or digital certificates.
​
Authorization: Once a user is authenticated, the next step is to verify that they have the necessary permissions to perform the operation they intend to do on the resources.
It's important to note that access control not only considers users but also other resources such as devices or applications.
​
Access control matters in every lifecycle phase of systems and networks, from commissioning through operation and refurbishment to decommissioning, but the phase that matters most for cybersecurity is daily operation. Typical access control scenarios include physical access, HMI access, IED access and remote access. For safety reasons, emergency access routes are also defined that bypass the regular access control mechanisms when necessary; such break-glass access must itself be logged and reviewed afterwards, otherwise the bypass becomes an unaccountable back door.
​
Implementing access control in the power grid can be done in several ways, with varying levels of depth and security. A common method for a centralized approach is using LDAP or RADIUS servers for identity management. Authentication and authorization can be achieved through password verification or by using a Public Key Infrastructure (PKI) that handles X.509 certificates. The access rights are defined by the system or device, as these are specific to those devices based on the operational function provided.
Fig. 6: Identity and access management – the basic principle
Fig. 7 demonstrates an example of RBAC. A user makes an access request to an Intelligent Electronic Device (IED) via a device management tool. This request is forwarded to an Active Directory (AD) domain controller for user authentication. The AD returns the result of this authentication, and if successful, the IED retrieves the user's role information (indicating their authorization level) from the AD. The IED then initiates a user session based on the user's role.
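The exchange in Fig. 7, together with the emergency access route mentioned above, as an added example that is not Siemens code: the directory below is an in-memory dictionary standing in for the AD domain controller, password verifiers use PBKDF2 from the Python standard library, the role names follow the IEC 62351-8 role set, and the operations granted to each role, the user records and the logged field names are assumptions made for this example.

```python
"""Role-based access control at an IED: authenticate against a directory,
fetch the role, open a session, enforce the role per operation, and log
every outcome. Directory contents and permission matrix are constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # assumption: the directory stores PBKDF2-SHA256 verifiers


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_directory(users):
    """Constructed stand-in for the AD domain controller: username ->
    salted password verifier plus the role attribute the IED will read."""
    directory = {}
    for name, password, role in users:
        salt = os.urandom(16)
        directory[name] = {"salt": salt, "verifier": _derive(password, salt), "role": role}
    return directory


# Role names follow IEC 62351-8; the operations granted to each role are an
# assumption for this example. Anything not listed here is denied.
PERMISSIONS = {
    "VIEWER":   {"read_settings", "read_log"},
    "OPERATOR": {"read_settings", "read_log", "control_switch"},
    "ENGINEER": {"read_settings", "read_log", "write_settings"},
    "SECADM":   {"read_log", "manage_users"},
    "SECAUD":   {"read_log"},
}


class IED:
    """Device side of Fig. 7: forwards the credential check to the directory,
    takes the role from the directory record and enforces it on each request."""

    def __init__(self, directory):
        self.directory = directory
        self.sessions = {}
        self.security_log = []  # append-only here; the real device keeps it non-erasable

    def _log(self, event, **fields):
        self.security_log.append({"time": time.time(), "event": event, **fields})

    def authenticate(self, user, password):
        """Return a session id on success, None on failure. Both outcomes are logged."""
        record = self.directory.get(user)
        if record is None:
            # Do the same work as a real check so unknown users cannot be enumerated by timing.
            _derive(password, b"\x00" * 16)
            self._log("login_failed", user=user, reason="unknown_user")
            return None
        if not hmac.compare_digest(_derive(password, record["salt"]), record["verifier"]):
            self._log("login_failed", user=user, reason="bad_password")
            return None
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = {"user": user, "role": record["role"]}
        self._log("login_ok", user=user, role=record["role"])
        return session_id

    def authorize(self, session_id, operation):
        """Deny by default: no session, unknown role or unlisted operation all fail."""
        session = self.sessions.get(session_id)
        if session is None:
            self._log("access_denied", op=operation, reason="no_session")
            return False
        allowed = operation in PERMISSIONS.get(session["role"], set())
        self._log("access_granted" if allowed else "access_denied",
                  user=session["user"], role=session["role"], op=operation)
        return allowed

    def emergency_login(self, justification):
        """Break-glass route for safety: bypasses the directory, is limited to the
        OPERATOR role, and leaves a log entry that has to be reviewed afterwards."""
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = {"user": "emergency", "role": "OPERATOR"}
        self._log("emergency_access", justification=justification)
        return session_id
```

Because the permission check is a set lookup keyed by role, adding a device function means adding it to the matrix explicitly; a role that is missing from `PERMISSIONS` (for example one introduced by a newer directory schema) gets nothing rather than everything.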
​
Considering the multi-vendor environment of power grids, a standardized approach like IEC 62351 is crucial for effective access control implementation to ensure interoperability. It is also important to use transitional technologies and tools that address the limitations of older secondary equipment. Centralized access management solutions, such as Siemens CrossBow, can bridge this gap by managing users and rights for both older and newer generation secondary equipment.
​
Centralized Logging:
Visibility of activities and events in the power grid is crucial and is achieved through monitoring. One fundamental function of monitoring is centralized logging: gathering information about events and activities in the energy grid at a central location for further analysis. Centralized logging builds on syslog as specified in RFC 5424 (message format), RFC 5425 (TLS transport) and RFC 5426 (UDP transport), and on IEEE 1686 and IEC 62351, which define which security events an IED must be able to report. Because UDP syslog is neither authenticated nor reliable, the TLS transport should be used wherever log messages cross a zone boundary. Guidelines like the BDEW whitepaper and NERC CIP also give guidance on what needs to be monitored. Siemens supports centralized logging and provides system operators with centralized logging solutions.
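What the central log server does with those messages is the part the paragraph leaves implicit. The following added example (not Siemens code) parses RFC 5424 lines and runs the kind of detection that the logged events from the Security Logging/Monitoring section enable: a burst of failed logins against one device and user, and the more serious case of a successful login right after such a burst. The log lines, host names, application name, message ids `LOGIN_FAIL`/`LOGIN_OK` and structured-data parameter names are all constructed for the example; a real IED's message ids and parameters will differ.

```python
"""Parse RFC 5424 syslog lines and flag failed-login bursts per (host, user).
The sample lines, host names, app name, message ids and SD params are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_syslog(line: str) -> dict:
    """Return the header fields as a dict; PRI is split into facility and severity
    and structured-data params are flattened into ev["params"]. Escaped ']' inside
    SD values is not handled, which is acceptable for this detector."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 line: %r" % line)
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev.pop("pri")), 8)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["params"] = dict(SD_PARAM_RE.findall(ev["sd"])) if ev["sd"] != "-" else {}
    return ev


def detect_login_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Alert once when a (host, user) pair reaches `threshold` LOGIN_FAIL events
    within `window`, and again if a LOGIN_OK follows such a burst, which is the
    signature of a successful guess and deserves a higher priority."""
    recent = defaultdict(deque)        # key -> timestamps of failures inside the window
    burst_open = set()                 # keys that already raised a burst alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["params"].get("user", "?"))
        if ev["msgid"] == "LOGIN_FAIL":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:      # slide the window
                q.popleft()
            if len(q) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append({"kind": "failed_login_burst", "host": key[0],
                               "user": key[1], "count": len(q), "at": ev["ts"]})
        elif ev["msgid"] == "LOGIN_OK":
            if key in burst_open:
                alerts.append({"kind": "success_after_burst", "host": key[0],
                               "user": key[1], "src": ev["params"].get("src"), "at": ev["ts"]})
            burst_open.discard(key)
            recent[key].clear()
    return alerts


# Constructed sample: facility 10 (authpriv) with severity 4 (warning) gives PRI 84,
# severity 6 (informational) gives PRI 86.
SAMPLE_LINES = [
    '<84>1 2024-03-01T10:00:00Z ied-bay3 secsvc - LOGIN_FAIL [auth user="engineer" src="10.0.5.12"] authentication failed',
    '<84>1 2024-03-01T10:00:05Z ied-bay3 secsvc - LOGIN_FAIL [auth user="engineer" src="10.0.5.12"] authentication failed',
    '<84>1 2024-03-01T10:00:09Z ied-bay3 secsvc - LOGIN_FAIL [auth user="engineer" src="10.0.5.12"] authentication failed',
    '<86>1 2024-03-01T10:00:15Z ied-bay3 secsvc - LOGIN_OK [auth user="engineer" src="10.0.5.12"] session opened',
    '<84>1 2024-03-01T10:30:00Z ied-bay4 secsvc - LOGIN_FAIL [auth user="operator" src="10.0.5.30"] authentication failed',
    '<86>1 2024-03-01T10:30:20Z ied-bay4 secsvc - LOGIN_OK [auth user="operator" src="10.0.5.30"] session opened',
]


def run_sample():
    return detect_login_bursts(parse_syslog(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the detector raises exactly two alerts for `ied-bay3`/`engineer` (the burst, then the success that followed it) and none for the single mistyped password on `ied-bay4`. Keying on host and user rather than on source address is deliberate: the same attacker hopping between jump hosts still hits the same account.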
​
Malware Protection:
Measures and concepts implemented to protect systems against malware infection are critical. Potential malware infection sources include infected portable media, network shares, or infected PCs. Various technical solutions exist for combating malware, including classical antivirus software, application whitelisting for PC-based systems, and software signing for embedded devices. Antivirus patterns should be updated regularly, but this should be done without directly connecting to external network update servers. Approaches might include using an internal update server or a secure manual process. To ensure compatibility with new antivirus patterns, Siemens regularly tests these patterns against the Siemens application. Siemens provides technical solutions for malware protection and supports customers in establishing a secure update process for antivirus patterns.
Fig. 7: Example for role-based access control
Applied Cyber Security:
Effective cybersecurity requires a multilayered approach. The following examples demonstrate how methodologies and security measures previously discussed have been applied to safeguard products and systems. The implementation of cybersecurity involves considering requirements as defined in the cybersecurity framework, and supporting operational cybersecurity needs.
​
Product Security:
Siemens adopts a holistic approach to the security of its energy automation portfolio, encompassing processes, communication, employees, and technologies. It first establishes cybersecurity within the organization through clearly defined roles, rules, and processes, implementing a governance structure aligned with ISO/IEC 27001. Secure product development is integrated into product lifecycle management, fulfilling stringent cybersecurity demands and incorporating a secure product architecture.
​
Product development encompasses secure design, starting with security requirements, software implementation, and carrying out systematic cybersecurity tests. The cybersecurity of Siemens' own infrastructure is also crucial, with internal design documentation and source code protected against unauthorized access and tampering to ensure integrity.
​
Secure energy automation products form the basis of a secure energy automation system. The cybersecurity requirements for these products vary based on several factors, including their intended function (protection, control, operation, or monitoring) and their physical placement in the network. Security functions in modern energy automation products align with the key objectives of cybersecurity: availability, integrity, and confidentiality. They adhere to industry-specific standards, and state-of-the-art protection devices can meet these requirements.
​
Fig. 8 highlights the importance of secure communication between the engineering software and the device for secure operation. An encrypted connection, established after mutual authentication, is vital. A connection password, complying with BDEW whitepaper and NERC CIP recommendations, is used and managed during this process. All security-relevant events are logged in a non-erasable security log. The protection device is equipped with a crypto chip, ensuring cryptographic functions, including an integrity check of the device firmware in a protected environment.
Fig. 8: Security features of a state-of-the-art protection device
During the software production phase, firmware is assigned a digital signature that allows the device to authenticate it, ensuring that the firmware hasn't been tampered with in transit from the production facilities to the device. The device allows for the physical separation of process and management communication. Devices that communicate outside a physically protected zone must meet higher communication security requirements than devices communicating within a physically protected area.
​
For distribution automation scenarios, where adequate physical security measures may not be feasible to protect automation equipment from process communication manipulation, Siemens RTU products support end-to-site encryption of the process communication to the control centers.
​
Siemens also tests security patches and virus patterns on reference systems to ensure that regular installations of the operating system don't affect the availability of energy automation functions.
Fig. 9: Example for a secure telecommunication
Final Remarks
An effective cybersecurity strategy requires addressing cybersecurity holistically. It demands a continuous effort to protect against existing and upcoming threats and risks concerning processes, technologies, and people. Maintenance and knowledge update, process improvements following international standards like ISO/IEC 27001, and technological updates to maintain the security level are all essential. Siemens addresses cybersecurity systematically throughout the lifecycle of its products & solutions, making it a strong and trusted partner in cybersecurity.