CYBERSECURITY REGULATORY BOX-TICKING IS NOT ENOUGH
While important, domestic and international standards are just the beginning of the journey to robust cybersecurity, particularly in the age of renewables, as Ben Dickinson of ABB explains...
Global efforts to decarbonise energy systems and limit global warming mean coal and nuclear power plants are being phased out in favour of renewable energy sources such as wind and solar PV. Renewables add to the complexity of grid control. They are inherently intermittent because the wind doesn’t always blow, and the sun doesn’t always shine. In addition, as more electric vehicles, for example, connect to the grid, so the demand for power becomes more distributed and unstable.
The energy transition also has major implications around cybersecurity. In May, the International Energy Agency (IEA) released its ‘Roadmap to Net Zero by 2050’, in which it acknowledges that cybersecurity will pose a greater risk to the supply of electricity as the proportion of renewables in the energy mix increases, and systems incorporate digital and remote monitoring in response.
Renewables: an increased threat
Dogger Bank in the UK will be the largest offshore wind farm in the world when it is completed around 2025. Renewable energy installations like this incorporate the latest digital and automation solutions that offer their operators unprecedented visualisation across their operations, allowing them to make smart, data-driven decisions that improve efficiency and sustainability.
However, this increased interconnectedness between operational technology (OT) and information technology (IT) systems makes such infrastructure more vulnerable to sophisticated cyberattacks. That is, if the right protections are not put in place.
It is therefore not unreasonable to think of critical infrastructure as a potential target for ransomware attacks, whereby malicious actors remotely log into the system and threaten to damage the wind turbines or shut them down unless a ransom is paid, costing the owner millions in lost revenue.
Threats such as this can be prevented or the damage limited with foundational security controls, patching, malware protection, system backups, an up-to-date anti-virus system, and other options such as application whitelisting and asset inventory. These help companies understand their system setup and the potential threat, identify where vulnerabilities exist, and assess their risk exposure. It is vital that tailored cybersecurity platforms that are commensurate with this evolving threat are embedded from the design phase of renewable energy installations as part of the overall solution.
The limitations of regulations
Domestic and international cybersecurity standards such as IEC62443, the NIST cybersecurity framework in the US, and operational guidance (OG) 86 set by the UK Health and Safety Executive, provide an invaluable framework for the implementation of foundational cybersecurity controls.
However, important as these regulations are, they have their limitations, and therefore should not be seen as the end point of a successful strategy, but rather the start of a journey towards a better, more tailored cybersecurity package that is part of an organisation’s wider digital transformation.
In this scenario, regulatory box-ticking is replaced by a deeper understanding of why these standards are in place and the potential impact they have on an individual company’s cyber threat surface.
Take IEC62443, for example. The standard talks about system security in terms of having offsite backup systems that are encrypted, but there are no details around which tools operators would need or procedures they would follow to achieve that. It is critical to employ domain experts – either consultants from a technology vendor like ABB, or an in-house team – when implementing a cybersecurity programme.
Ben Dickinson – global product manager, Cyber Security, ABB Process Automation, Energy Industries
A holistic approach
That is why ABB’s cybersecurity strategy is always conducted in line with industry best practice and regulatory standards – but is also closely aligned with individual customers’ risk profiles. A chemicals company, for example, may operate 20–30 different sites in various regulatory jurisdictions globally. Those facilities might potentially be very different in terms of what type of threat actor may target them, how motivated they are, and what they stand to gain from a successful attack.
IEC62443 generally assesses the security in a control system on a scale from 1–4, 1 being protection against a less sophisticated attacker, and 4 against a highly sophisticated attack by a nation state.
Using solutions such as Cybersecurity Risk Assessments and Cybersecurity Workplace, ABB can tailor and design the cybersecurity package based on these parameters and the potential impact on the business, maximising the client’s return on investment. Regulatory standards are key, therefore, but they cannot decide where to implement certain controls, and in what domains and subsystems.
Lastly, expert support is advisable to maintain those cybersecurity controls, detect attacks and respond effectively, along with helping the control system evolve with the developing threat landscape.
ABB
new.abb.com
SEPTEMBER 2021 | PROCESS & CONTROL 41