Cyber security for energy infrastructure

In this article, published early in December in Panel Building and System Integration, Martyn Williams of Copa-Data UK discusses cyber security in the energy sector, and the IEC 62443 certification of their “zenon” energy automation software:

Stakes are high in the energy sector. In fact, it is one of the only industries in which cyber security is entangled with public safety and environmental concerns. Digitalisation in this sector provides huge efficiency benefits, but also presents risks. Cyber criminals are now looking for gaps in security measures, and IoT devices can provide an opportunity to infiltrate these networks.

The arrival of ISA/IEC 62443-4-1:2018

In 2017, Energy UK called for a collaborative approach to cyber security in the industry. One of the objectives was to encourage security vendors to work closely with operators to ensure products are fit for purpose.

During the same period, the Cyber Security in the Energy Sector report by the Energy Expert Cyber Security Platform (EECSP) was released. The group identified 39 gaps in energy cyber security that were not covered by existing legislation. Alongside calls from trade associations like Energy UK, the report demonstrated a need for a flexible framework that addresses and mitigates current and future security vulnerabilities in energy automation.

Shortly following this, the ISA/IEC 62443 series of standards was released. Developed by the ISA99 committee as American National Standards, ISA/IEC 62443 was also adopted globally by the International Electrotechnical Commission (IEC).

What does this mean for the energy sector?

Prior to this new standard, products and services for energy automation could not be certified in relation to secure product development. The new IEC 62443 standard therefore creates the basis for comprehensive security. For the first time, the standard provides a baseline to unite all perspectives — that of the component supplier, system integrator and equipment operator.

TÜV SÜD, part of the German Association for Technical Inspection, recently certified Copa-Data to the new ISA/IEC 62443-4-1:2018 security standard for the software development, quality assurance and support processes used for its energy automation software, zenon.

Certifications like these are particularly beneficial for the UK energy sector as entire power grids are often networked using HMI and SCADA systems powered by software like zenon. Energy grids are increasingly using centralised software to visualise and control their operations, linking critical infrastructure and the cyber world.

While this connectivity is valuable, it automatically increases cyber security risks in all networked equipment. Therefore, it is necessary that the software at the centre of it all is trusted – and this trust is certified by a third-party standard.

Intense audit

What exactly does a company need to earn IEC 62443 certification? The certification requires companies to check the potential weaknesses of their automation and control technologies, and then demonstrate they have developed effective protection measures.

The requirements are very comprehensive, and in the case of Copa-Data, required the formation of a Security Management Team (SMT) to demonstrate exceptional security issue management for the duration of one zenon release. In particular, the team introduced threat models to search for structural vulnerabilities from the point of view of an attacker.

For system integrators, achieving the certification requires testing of integration processes and the assessment of implemented IT security functions. The relevant documents will be scrutinised by the assessor, and an on-site audit plan is put in place. Next up are intense interviews, procedural assessments and technical checks.

The certificate is only considered current for one year, ensuring security in product development is regularly assessed. Businesses must re-certify annually. This guarantees that new and emerging cyber threats and loopholes are consistently managed and therefore are not able to infiltrate the software.

Power grids may be fast becoming digital jungles, but as with every trek, the best voyagers are equipped smartly and prepared for the worst. To secure their networks in today’s turbulent energy sector, it is vital that operators are armed with software that is designed in line with current industrial IT security guidelines.

Hitachi buys ABB Power Grids

ABB has announced that Hitachi will acquire its Power Grids business as part of an expansion to the existing partnership between the two companies.

Hitachi plans to initially acquire an 80.1% stake in the Power Grids business and expects to close the acquisition in the first half of 2020. Hitachi has also entered into a purchase option to acquire the remaining 19.9% stake in Power Grids, making it a wholly-owned subsidiary.

In the fast-changing world of energy infrastructure, with a shifting customer landscape and the need for financing and increased government influence, ABB believes Hitachi is the best owner for Power Grids. As a stable and long-term committed owner, with whom ABB has developed a strong business partnership since 2014, Hitachi will further strengthen the business, providing it with access to new and growing markets as well as financing. Hitachi will accelerate Power Grids to the next stage of its development, building on the solid foundation achieved under ABB’s previous ownership.

Since 2014, Power Grids has been significantly improved under the ownership of ABB. The latest results are at the target margin corridor, having more than doubled margins, with positive third party base order development recorded for the last six consecutive quarters.

ABB will initially retain a 19.9 percent equity stake in the joint venture, allowing a seamless transition. The transaction agreement includes a pre-defined option for ABB to exit the retained 19.9 percent share, exercisable three years after closing, at fair market value with floor price at 90 percent of agreed Enterprise Value. Hitachi holds a call option over the remaining 19.9 percent share at fair market value with floor price at 100 percent of agreed Enterprise Value.

The joint venture will be headquartered in Switzerland, with Hitachi retaining the management team to ensure business continuity.

Starting in Q4 2018 until closing, ABB will report Power Grids in discontinued operations. As a consequence, ABB will record $350-400 million of stranded and other carve-out related costs, which are currently predominately recorded as part of the Power Grids cost base. These will now be recognised in ABB’s corporate & other operational EBITA. ABB expects to eliminate the vast majority of these costs by deal closing by transferring them back to Power Grids. ABB expects approximately $200 million of charges in Q4 2018 related predominantly to the legacy EPC substation business reported in non-core corporate & other operational EBITA.

ABB expects to incur one-time non-operational transaction and separation related costs of $500-600 million. ABB anticipates a related cash tax impact of $800-900 million. The completion of the transaction is expected by the first half of 2020, subject to regulatory approvals and fulfilment of closing conditions. ABB intends to return 100 percent of the estimated net cash proceeds of $7.6-7.8 billion from the 80.1 percent sale to shareholders in an expeditious and efficient manner through share buyback or a similar mechanism.