Cybersecurity in Systems and Solutions
Increased networking of systems and the standardization of communication protocols and operating systems, driven by savings in infrastructure costs and gains in operational efficiency, make digitalized power grids more vulnerable to cyber-attacks. But cybersecurity is not only a technical topic. Cybersecurity needs a comprehensive and holistic approach to the integration of systems. It needs well-educated people, defined integration processes and state-of-the-art technology.
For substation automation systems, the realization of security functions is subject to a number of constraints, such as expected 24/7 operation without interruptions and/or the long lifetime of components.
Given these constraints, the implementation of these systems must be in line with the requirements of the international industrial security standards IEC 62443-2-4 and IEC 62443-3-3. All cybersecurity measures must follow the basic cybersecurity design principles of defense-in-depth, the need-to-know principle and the holistic approach.
A secure project integration covers several steps:
- Analysis of technical customer requirements
- Consideration of customer policies
- Secure implementation
- Verification and validation in FAT (factory acceptance test) and SAT (site acceptance test)
- Secure handover to the customer
- Security services to keep the system up-to-date
This approach is also in line with national guidelines such as the BDEW (Bundesverband der Energie- und Wasserwirtschaft) Whitepaper in Germany or NERC-CIP (North American Electric Reliability Corporation, Critical Infrastructure Protection), and helps the customer meet local regulatory requirements.
IEC 62443 Certification
Digitalization and cybersecurity are two closely interrelated topics that are of great strategic importance for Siemens. With regard to the further development of cybersecurity measures for its network automation products, systems and solutions, for example, Siemens is taking a comprehensive security approach that is driven by international standards such as IEC 62443.
Siemens is the first company worldwide to have received a certificate for network automation solutions from TÜV Süd, Munich, Germany, in accordance with the international standards series IEC 62443. The secure substation framework from Siemens has been certified to IEC 62443-2-4 (requirements for system integrators) and IEC 62443-3-3 (requirements for the security functions of systems). The certified architecture is based on Siemens’ experience and knowledge as a globally active company, and the processes described in the certification ensure the necessary transparency of the security-relevant procedures in line with the standards. Siemens thus develops and implements network automation solutions for power supply companies and grid operators which are based on the latest international standards in terms of cybersecurity and have been adapted to the current security guidelines. In addition to the existing standards for cybersecurity, IEC 62443 has evolved today into one of the most future-oriented security standards worldwide. It goes further than other standards and defines requirements for all parties involved, including product suppliers, system integrators and operators.
Whereas IEC 62443-2-4 certification is based on a security concept and engineering process developed by Siemens, the secure substation framework from Siemens is the basis for evaluation in accordance with IEC 62443-3-3. This security framework is made up of products such as the station automation systems SICAM PAS/PQS and SICAM AK3, as well as the operating and monitoring system SICAM SCC, SIPROTEC 5 protection devices and the Siemens Ruggedcom portfolio consisting of switches, routers and firewalls.
- Siemens is the first company worldwide to have received a certificate from an independent institute for energy automation solutions in accordance with the international standards series IEC 62443
- Reduced effort from requirements definition through realization, thanks to standardized, IEC 62443-certified substation solutions and processes
- Maximum fulfillment of regulations: Siemens uses and works in compliance with international standards (IEC 62443 and ISO/IEC 27001)
- Secure basis for the implementation of digitalization with the Siemens holistic end-to-end cybersecurity approach in energy automation