Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/754587
24 | 25TH NOVEMBER - 1ST DECEMBER 2016 | UTILITY WEEK

Operations & Assets

Market view

In March 2015, Dutch distribution system operator (DSO) Enexis had a challenge. It was planning to tender for the supply of new distribution automation equipment and needed to make sure the technology was secure. The problem was that, without an agreed set of requirements, it was difficult to know exactly what to ask for in the tender from a security perspective. The manufacturers could build what was needed, sure enough, but without applicable security requirements available, they needed guidance to ensure they met their security needs.

Enexis wanted to find the right balance between mitigating cyber security risks and higher costs. Without guidance, Enexis ran the risk of leaving security flaws in the distribution automation equipment or having too strict security requirements that would limit the number of possible vendors.

Fortunately, as a member of the European Network for Cyber Security (ENCS), Enexis had collaborated with six other utilities and network operators across Europe to share experiences and best practices for cyber security. This created a set of aligned requirements for just this type of process.

Working closely with ENCS as an impartial third party, Enexis was able to use the requirements to successfully procure equipment that met its security requirements, taking into account the criticality of the use cases involved.

The result was a more secure distribution automation system and a smoother procurement process, delivered at only marginal extra cost – avoiding the inflated security premiums usually assumed to go hand-in-hand with top security.

Specifying the requirements

In 2015, ENCS asked its members about problems they had in ensuring cyber security was properly represented during the procurement process.
The common response was that, while system operators wanted to hear about the equipment's cyber security capabilities from the manufacturers, the manufacturers were waiting for guidance from them on what security protocols they needed to build in. With no clear set of procurable requirements on either side, the cyber security aspect of the tender was a lengthy back-and-forth process.

Another key proof point for the project was to achieve harmonisation between the distribution system operators. The adoption of common requirements would not only simplify processes but could also lead to savings. For instance, the common security requirements used by all Austrian network operators give them more market power in relation to vendors. The aim was to harmonise these with other countries, with an eventual goal of having common core requirements that could be adapted to national needs.

Finally, ENCS wanted to ensure the resulting requirements were independent of any particular technology. This is because the requirements specify what security measures are needed, not how the measures should be implemented, meaning the requirements can be used for different technologies and communication protocols. This would give individual customers the freedom to implement security in a way that would fit with their procured solution.

Enexis had a procurement round starting soon after the project concluded. ENCS prepared a preliminary version of the resulting requirements so they could be incorporated into the process, tweaking them slightly according to the specifics of Enexis's architecture and risk mitigation objectives.

Back in 2014, Enexis had procured distribution automation equipment for medium voltage transport systems. ENCS provided support at the time, reviewing the requirements and attending the selection interviews with manufacturers.
The tender was successful, but Enexis felt that it needed an even better grip on security, and an even better way to evaluate manufacturers and their equipment, in the future.

So there was a clear benchmark for success for this tender, which was for similar distributed automation equipment in medium to low-voltage transformer substations. If the overall process proved to be easier and the resulting equipment more secure, then the requirements would have been successful.

"What the requirements gave us from the outset was some objective structure – some rigour," says Enexis distribution system operator security officer Carlos Montes Portela. "Rather than having to ask each manufacturer about their security capabilities, evaluate them against our needs, then potentially go back and ask for refinements, we had a clear set of requirements from the start. They went into the request for proposal and manufacturers knew what we needed."

The results

The project was a great success, providing two key results:

• The tender process was smoother and quicker. By having the cyber security requirements stated upfront, there was a clear idea on how to evaluate the different vendors' solutions.
• There was a clear view on the security capabilities of the solutions offered and a level playing field was created on the security part of the requirements.

By having a clearer, more rigorous process in place from the start, Enexis was able to ensure it got the best possible cyber security requirements for the equipment. The manufacturers involved also benefitted from having upfront requirements to meet, making it simpler for them to demonstrate suitability. Crucially, this was achieved with only a minor extra investment.

With Enexis's implementation of the requirements a success, ENCS hopes that both new and existing members can use them in future to get the most out of tender processes.
On Enexis's part, the pilot was successful and it can now procure equipment for the rest of the programme with confidence.

As grids across Europe become more distributed, automated and smart, a collaborative approach to cyber security will become increasingly important to keep grids safe.

Michael John, director consulting services and Dr Maarten Hoeve, manager technical team, ENCS

Collaborating on security

Common standards for cyber security for energy networks would be a great benefit to both networks and vendors, and the ENCS is doing just that, say Michael John and Dr Maarten Hoeve.