Utilities everywhere are potential targets of attack. As more devices are connected to utility infrastructure, vulnerabilities are exposed and cyberattacks become more frequent – and more damaging. Power generation and distribution are more complex and connected than ever, making mission-critical energy systems a primary target of these attacks. As a result, cyberthreat assessment is now part of utilities' daily risk analysis, and mitigating these risks requires tight collaboration between functional areas across the organization.
One reason for this is the relative ease of attacking critical infrastructure. Hackers know that operational technology (OT) is often vulnerable because many of the connected industrial devices are based on serial communication technology, which is less apt to contain adequate cyber defenses. IT infrastructure has generally been protected by a plethora of private and public sector cybersecurity agencies, consultants, products, and services. By contrast, the OT Industrial Automation and Control Systems (IACS) that utilities rely on have received much less attention until very recently. Making matters more challenging, the attacks on industrial OT systems are getting more sophisticated and more frequent as the growing use of Internet of Things (IoT)-connected devices opens broader attack surfaces.
In response, many governments and regulatory bodies are enacting stringent cybersecurity regulations to protect critical infrastructure such as electrical power systems. For example, the EU is currently defining the Network Code on Cybersecurity to set cybersecurity standards for cross-border electricity flow. It will include rules on cyber risk assessment, common minimum requirements, cybersecurity certification of products and services, monitoring, reporting and crisis management.
Major challenges for critical infrastructure operators
As the regulatory demand increases, the challenge for mission-critical infrastructure operators also increases–in addition to protecting themselves against relentless cyberattacks, utilities must be able to prove that all infrastructure systems and services meet legal and regulatory compliance standards. ISA/IEC 62443 and ISO 27001 certifications are the most relevant and widely accepted standards to ensure compliance.
Developed by the International Society of Automation ISA99 committee and adopted by the International Electrotechnical Commission (IEC), ISA/IEC 62443 is a series of standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in IACSs. Portions of ISA/IEC 62443 define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.1
ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). An ISMS is a set of policies, procedures, processes, and systems that manage information risks, such as cyberattacks, hacks, data leaks or theft.2
For almost two decades, Hitachi Energy has been supporting cybersecurity management programs for critical infrastructure by delivering secure-by-design systems and services. As part of these efforts, our customers require evidence of independent ISA/IEC 62443 and ISO 27001 certifications of our grid automation products, systems and services.
Our top priorities
Hitachi Energy takes cyber- and information security seriously. We understand the growing need to protect our customers and ourselves in an increasingly complex operating environment. We serve a wide range of essential industries where cyberattacks are not simply a nuisance—they can wreak havoc on entire communities and put lives in danger. This motivates us to take a comprehensive approach to cybersecurity in everything we do in the service of our customers – from safeguarding our products and services to developing partnerships with other industry leaders. Certification to internationally recognized and globally applicable standards is a concrete way that we can provide the protection our customers and their customers require.
Our grid automation solutions are designed around people, processes, and technologies. And because cybersecurity has always been a top priority, we have received IEC 62443-2-4 certification for all our operating units worldwide. We have certified a secure-by-design reference architecture of grid automation system offerings with IEC 62443-3-3 and certified our R&D centers on IEC 62443-4-1. To supplement these efforts, we are working with a globally recognized certification service provider to gain independent, third-party proof that our grid automation products, systems and services meet the highest cybersecurity standards in terms of design, architecture and development processes. In this way, we can make an effective and important contribution to our customers to increase their cyber resilience.
In addition to ensuring peace of mind, certification brings customers another major benefit: Independent certification makes it immensely easier to provide the required cybersecurity evidence to authorities. This is a great relief, especially for smaller critical infrastructure operators such as municipal utilities or industrial companies that can’t afford their own full-fledged cybersecurity department.
Cybersecurity is always the product of many different, complementary measures, but it begins with a system that is proven secure by design. Systems must be able to constantly monitor the security status of critical assets to identify risks at an early stage and take appropriate action. At the same time, it is essential to continuously sensitize employees to current and future cyberthreats. Consistency in monitoring and awareness also make it easier to report on and prove compliance.
Here for you
Cybersecurity is a complex and multi-layered topic with contributions from many different disciplines required to build a successful and sustainable defense. To address the complexity, Hitachi Energy embeds the most secure and trusted features across our entire portfolio of grid automation products and solutions. In addition, we offer a full complement of expert-led services that can help utilities achieve a robust and effective cybersecurity program that adapts to varying needs over the entire lifecycle of mission-critical systems. One such service is our global network of Collaborative Operations Centers, which help our customers defend against and resolve cyberattacks anytime, anywhere.
Hitachi Energy is committed to keeping our customers and their customers safe from the bad actors and threat vectors that continue to target mission-critical systems. To learn more, please explore our website, or feel free to reach out to me with any questions you may have. You can also view our Certificate of Conformity for Industrial Cybersecurity Capability here.