Menu Close

News

Standardisation and Certification in EPES

by Grigore Stamatescu, ICT Consultant, TUV Austria Romania (grigore.stamatescu@tuv.at)

Emerging Electrical Power and Energy Systems (EPES) act as a reliable backbone and springboard for tackling many of the current economic, environmental and societal challenges. They are mainly composed of distributed energy resources, transmission and distribution infrastructures, and increasingly advanced end-users and prosumers, which play an active and increasing role in the management of the electrical (smart-)grids. The Industrial Internet of Things (IIoT) paradigm which vastly increases the capabilities of sensors, automation, control and protection devices across the grid, through increased local data processing and ubiquituous communication, has also opened a gap between heterogeneous generations of such devices in terms of cybersecurity vulnerabilities. As an example, bridging legacy ICS/SCADA systems towards interoperability with new software-intensive solutions, represents just one of the potential points that a malicious entity might target in an attack scenario. By integrating and further extending state-of-the-art technologies in machine learning and artifical intelligence, advanced cryptography and blockchain-based infrastructures, the ELECTRON platform will support such next generation, resilient, energy systems. The key role of standardisation and certification is thus emphasized as: to foster wide, sustainable, adoption of such technical and process innovations across the various stakeholders in the energy domain. A standard is a common, documented reference framework designed to harmonise an industrial activity. Resulting from a consensus, it is developed – generally at international level – by a working group, bringing together experts from different backgrounds: authorities, industry, academia, civil society. Prominent standardisation organisations, directly relevant to the EPES sector, that initiate, oversee and eventually publish the results of the standards development process include: International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), CEN/CENELEC, European Telecommunication Standards Institute (ETSI), National Institute of Standards (NIST), IEEE Standards Association (IEEE SA), and others. Subsequently, certification involves checking whether a company, a person or a product meets certain requirements specified by a national or international standard. A certificate is the result of a successful assessment by an objective and independent third party. One timely example is the certification of machine learning systems [1], where a criticality ranking, certification process and an audit catalog for such applications is proposed, through a collaborative effort between TUV Austria and the Johannes Kepler University Linz. This domain-agnostic certification process includes the following steps: GAP analysis, kick-off/scope definition, documentation review, process audit (interviews), technical inspection, audit report, certificate issuance, monitoring audits and re-certification. The ELECTRON project objectives and developments lay at the interface between EPES, cybersecurity and certification and standardization, for the efficient, broadly applicable and widely-adopted technical solutions regarding (cyber-)protection of the energy sector, as shown in Figure 1.
Figure 1: ELECTRON Roles for EPES Cybersecurity Certification and Standardization

Risk assessment and management is of paramount importance in critical infrastructures and especially in the power and energy systems since the transition to a decentralised energy system was accompanied by the exposure of the EPES to external threats such as worms, viruses, trojan horses, and data privacy breaches. We have observed a lack of  common practices of how to effectively apply them and a lack of standardised and common used approachd to undertake the design, the implementation, and the maintenance of the energy-related devices, services, and processes. As a result, there is a need for integrating risk assessment with certification of products, devices, and services, where each EPES/ICS product, device, and service will be effectively and uninterruptedly authenticated and authorised before entering the grid, while supporting the manufacturers accountability and transparency.

It had been observed that, while many research efforts, EU and national projects, and enterprise-oriented group tasks are working on cybersecurity test cases and pilots, only few of them contribute to standards and policies for technical and business topics of electric power systems. A set of security procedures, in a well-organised way of deployment (e.g., institutions or authorities) is needed, which will capitalise the added-value of the ongoing test cases, simulations, pilots, use cases, and demonstrations across EU and worldwide in order to strengthen the standardisation and certification of the best-practices, effective validation and demonstration results, and the development and establishment of cybersecurity directives.

Finally we refer to several several applicable standards to the field of EPES cybersecurity:

  • ISO/IEC 27001 – Information Security Management [2]
  • ISO 31000 – Risk management [3]
  • ISA/IEC 62443 – Series of standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS) [4]
  • IEC 62351 – Series of standards include cyber security technologies for some communication protocols specifically : IEC 60870-5 protocols (including IEEE 1815 (DNP3) as a derivative standard), IEC 60870-6 (ICCP), IEC 61850 protocols (including client-server, GOOSE, and sample values), IEC 61970 and IEC 61968 (Common Information Model – CIM) [5]
References:

[1] Winter, P.M., Eder, S., Weissenböck, J., Schwald, C., Doms, T., Vogt, T., Hochreiter, S. and Nessler, B., 2021. Trusted artificial intelligence: Towards certification of machine learning applications. arXiv preprint arXiv:2103.16910. Available on-line: https://arxiv.org/abs/2103.16910

[2] https://www.iso.org/isoiec-27001-information-security.html

[3] https://www.iso.org/iso-31000-risk-management.html

[4] https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards

[5]https://syc-se.iec.ch/deliveries/cybersecurity-guidelines/security-standards-and-best-practices/iec-62351/