A more secure supply chain through certification in EPES

Trust, but verify

Industrial automation and control systems (IACS) in the energy infrastructure (e.g. SCADA) are vulnerable to cyber security incidents. Digitalization, increased integration, and convergence of Information Technology and Operational Technology (IT & OT) are opening new avenues for cyber-attacks. To counter that, asset owners and operators must be confident that available countermeasures are effective, and security barriers are robust. Cyber-risks must be acceptable for all systems, including future, existing, and possibly obsolete systems. Securing complex installations of distributed control systems requires a holistic approach and robust barriers have to be in place from the ground up, including secure supply chains.

Major international standards, such as the ISO 27000 series for IT security, the NIST Cyber Security Framework, and ISA/IEC 62443 family of standards for OT are evolving and gaining acceptance. The ISA Security Compliance Institute, an operational group within ISA, set out to provide certification for IACS components and systems, as well as product development organizations, on the basis of IEC 62443 and its relevant chapters.

There have been multiple works in the past few years addressing how to apply the IEC 62443 standard in a practical way. DNV GL has also created recommended practices to define practical approaches, developed with the involvement of major asset owners, automation vendors, and regulatory authorities.

There is still a need however, for improving existing and developing new practices to secure the supply chain for large scale OT deployments and retrofits, including handover practices between suppliers and asset owners. Therefore, our aim is to help improve technical requirements and internal cybersecurity standards employed by asset owners, to increase trust in supplier products, while also enhancing verification regimes. We employ the combined expertise of functional safety experts, for instance proficient in IEC 61508, with cybersecurity subject matter expertise from numerous vulnerability assessments and penetration tests in critical infrastructure.

This approach starts with assessing the gaps between a company’s OT security requirements, and the leading standards and best practices. Followed by defining the applicable baseline requirements and certifications, focusing on the additional measures needed to cover the company’s individual OT cybersecurity needs.

When the baseline and additional measures to achieve the desired level of security, including supply chain security and handover procedures (e.g. HIL) are defined, companies have the possibility to assess cyber-readiness of their suppliers and vendors. This measure of cyber-readiness, or maturity, should typically focus on multiple properties, such as software development processes, manufacturing site cyber- and physical security, storage areas, shipment channels, subcontractor practices, on-site deployment practices, procedures of handover to operation, and vendor support in operational phases including patching and response services.

Importantly, assessors and verifiers should be to work together with the asset owners and suppliers, to find and follow up closure of gaps, and ultimately to ensure vendor cyber-readiness, and supply chain robustness to benefit EPES.

PHOENIX participants will contribute in Standards Development Organizations with respect to the cyber security and privacy issues relevant for EPES. Based on the modelling of threats and countermeasures conducted in PHOENIX, particular focus is on secure and seamless interoperability and operation. The proposed PHOENIX Cybersecurity Certification Centre will provide the necessary certification capabilities, in accordance with the relevant standards, to qualify systems, platforms, and smart metering products, as well as help suppliers demonstrate adherence to industry consensus specifications for security characteristics and supplier development best practices.