More security for the smart grid

6 February 2017 | Energy: Electricity and gas network operators have to establish an Information Security Management System by 31 January 2018.

Essen, Germany: Smart grids need smart IT Security standards. Electricity and gas network operators have to establish an Information Security Management System (ISMS) by 31 January 2018 in order to protect against cyber attacks. These and further security measures are also needed in view of the impending rollout of smart meter systems.

In the course of Industry 4.0 and the energy revolution, more efficient energy supply and a more transparent payment model should be created for consumers. As part of this, intelligent metering systems are to be established and consumer data transmitted to energy suppliers. However, this also involves risk: “Increasing the interaction of systems for plant and equipment control with information and communications technology systems leads to a greater threat from cyber attack”, says Gerhard Dreier, Business Development Power Generation at TÜV NORD. Data can get into the wrong hands if hackers target data during digital transmission, and the digital meters themselves and other components can also be subject to manipulation.

Requirements for IT Security

The German Cyber Security Act, the Ordinance for Critical Infrastructure (KritisV) and also the IT Security Catalogue of the German energy network agency, Bundesnetzagentur, specify extensive IT Security requirements for energy producers and transmission and distribution network operators. One basic demand of the Security Catalogue is the introduction of an Information Security Management System (ISMS) based on the ISO 27001, ISO 27002 and ISO 27019 series of standards. Specifically in the case of electricity and gas network operators, this must be established and certified by 31 January 2018.

The integrity, authenticity, confidentiality and availability of the data must always be guaranteed. As it is planned to use “smart meter gateways” throughout Germany, gateway manufacturers are obliged by law to contribute to IT Security. In Germany, only those gateways may be used which fulfil the Protection Profiles (PP0073 and PP0077) of the Common Criteria and BSI TR 03109 standards. As the smart meter gateway as communication unit plays a central role within the supply and distribution system, the standards specify that the communication links are encrypted and may only be used by authorised system participants and devices. The differing security requirements for operators and manufacturers show that new approaches are needed for the establishment and certification of IT security measures.

Comprehensive risk management with “Security4Safety”

“In order to counteract the increasing risks of cyber attacks on the smart grid, an integrated approach to functional safety – in other words to safety, and IT security – is needed” explains Dreier. “For example, a successful attack on a network operator which affects the power supply to an area or town directly affects security of supply for consumers.” It is vital to ensure both the IT security and the safety of plants, installations and products to an equal extent. For this reason, TÜV NORD has combined the sectors “IT-Security” and “Functional Safety” and developed the “Security4Safety” service. Weaknesses in systems are identified by means of a cyber risk assessment, the risk of disturbance and damage is assessed and necessary IT Security measures are based on this. In addition, certification of processes, safety management systems and components is offered to manufacturers of automation and drive technology as well as IT service providers on the basis of ISO IEC 62443. This new standard is the first one dealing with IT Security within so-called IACS (Industrial Automation and Control Systems) and will certainly become increasingly important in the future.

About TÜV NORD GROUP

With over 10,000 employees, TÜV NORD GROUP is one of the largest technical service providers, offering its advisory, service and inspection expertise in over 70 countries throughout the world. Areas of activity include Industrial Services, Mobility, Training and IT. TÜV NORD GROUP occupies a unique position in the sector based on its work in the fields of natural resources and aerospace and is firmly committed to its guiding principle and watchword: “Excellence for your business”.

Share this page