Three questions for Paulo Antunes, Siemens Energy Application Manager

Rate this item
(0 votes)
Friday, 22 March 2019 11: 35

TI Safe - The industry of the future requires that companies are increasingly interconnected. In your assessment, what are the main risks of digitizing power grids and how can they be mitigated?

Paulo Antunes - We are really experiencing the Internet of Energy (IoE) revolution, in which we see more and more connected power devices in cloud systems, as well as a huge array of protection equipment accessible through LANs (Local Area Network of local area). Companies do this in order to extract value from the information on these devices so they can be more efficient and competitive. However, the more devices connected, the greater the exposure surface and hence the greater the risk of cyber attacks. That's why cyber security is so important to the IoE revolution, because all this technology will only gain scale if people rely on this system if it is secure.

There are several risks involved in power systems, the most dangerous of which are related to the possibility of someone taking remote control of a substation or power plant. And, thus, act to carry out a wide shutdown in the electric power supply. Like the recent blackout Venezuela, due to failure in the hydroelectric Guri, that supplies almost 80% of the country. President Nicolás Maduro attributed the lack of electricity supply to a cyber attack (still unproven). There is also the classic case in Ukraine in which a blackout officially awarded by the US Department of Homeland Security for hacking attack.

At Siemens, we consider that an energy system requires a holistic approach, including:

  • Safety equipment and systems
  • People trained in cyber security
  • Appropriate processes for control and use of cyber security technologies.

The solution depends on each installation and client. We understand that there is no single answer. Thus, the phases of a project go through:

  • Infrastructure evaluation of the energy automation system
  • Implementation of security measures
  • Maintaining cybersecurity over time

Siemens is very attentive to this issue and about a year ago signed a document called Charter of Trust, together with several multinational companies. In this document, there is a commitment to cybersecurity to be on the agenda of CEOs and core of enterprises, with 10 principles for a more secure digital world. More information is available on the website:

TI Safe - How can reliable and robust power automation networks be architected in this advanced manufacturing scenario?

Paulo Antunes - Siemens makes use of the international standard IEC-62433 to define the safety mechanisms of its electrical energy automation projects. This standard defines how protection and deployment of such systems should be made. We also use the principle of in-depth defense in defining a secure system, the principle of secure design in the definition of network topology and architecture, and the principle of least privilege in defining the roles of users in the system. To achieve the required level of security, we have combined a number of security measures. They are applied according to the reality of each company and in a way not to interfere in critical telegrams used, for example GOOSE:

Access control and credential management

  • Logging
  • Hardening
  • Patching
  • Malware protection
  • Secure Remote Access

Our products are being developed with a number of embedded cyber security features, such as:

  • RBAC - Role-based access control with central user management.
  • Logging with cyber security central alert management
  • Digitally signed firmware with crypto-chip usage
  • Encryption in protocols for sensitive information traffic
  • Safe storage of sensitive information inside the equipment

Thus, we immediately address two points of our holistic approach:

  • Secure equipment
  • Appropriate processes for using cyber security technologies

TI Safe - How does the automatic cyber security checking tool of Siemens Power Automation Systems work?

Paulo Antunes - The tool we use is called Siesta (Siemens Extensible Security Testing Appliance). It is a solution that supports us in the execution of projects and can be applied in the following phases:

  • Infrastructure evaluation of the energy automation system
  • Implementation and confirmation of security measures

The solution has a number of built-in routines, which tests the existing system against standards and implements best practices for configuring equipment to detect vulnerabilities and configuration errors in solution components. The result is a report in "Farol" format, classifying the level of problems found in red / yellow / green. This serves as a basis for defining the security measures that must be applied to ensure cyber risk mitigation in critical energy infrastructures.

Lido 2411 times Last modified on Thursday, 25 April 2019 16: 51

Copyright © 2007-2020 - IT Safe Information Security - All rights reserved.