01.06.2022 | ISO certificate for process informatics of Axpo Grid AG
Cyber attacks do not stop at energy suppliers. Axpo Grid AG has launched several projects to protect the electricity grid infrastructure. It was one of the first energy suppliers in Switzerland to receive an ISO certificate for its process informatics.
Petrol shortages due to a crippled pipeline in the USA, encryption of servers with ransom demands or targeted overloading of certain websites - cyber attacks have become a real threat. The energy industry and other critical infrastructures are highly targeted by cyber criminals.
Since 2016, Axpo Grid has been addressing the topic of Operational Technology Security (OT Security), i.e. the strategies and processes for protecting critical infrastructure and data. Axpo Grid wants to improve in the area of OT Security in the infrastructure of its own supraregional distribution power line and at the same time create a "best practice", also for other energy providers. According to Ivo Müller, Head of Operations & Maintenance at Axpo Grid, there is a wide variety of possible vulnerabilities: "Unprotected connections, remote access by external manufacturers, long-lived components without regular security updates or simply a lack of awareness of cyber security among employees can weaken the security of an infrastructure".
One of the cornerstones of solid OT security is the so-called zoning of the data network. This allows better control of data traffic. Depending on the need for protection, increased security requirements or restricted access rights can be defined for each network area. Attacks can also be caught by monitoring the activities between the devices in a network. To implement the monitoring, the Axpo project managers installed special sensors in the substations. These monitor the data networks, detect abnormal activities and send a message when they occur. When a suspicious event occurs, clearly defined processes are of great importance, Müller emphasises: "We use so-called runbooks to precisely define the processes in the event of a cyber attack. This is how we ensure that we can act quickly and correctly even in crisis mode".
While in the past all parts of energy supply plants were often combined in a single data network, this is no longer the case with defined zone concepts. The technical basis of the zone concepts are redundant switches, routers and firewalls in the plants, at the grid control centre and in the higher-level communication structure. "There are devices of different years of construction and manufacturers in the substations, which we grouped sensibly in order to implement the modernisation and security measures in stages," recalls Daniel Schirato, IT/OT Security Officer at Axpo Grid, about the challenges in implementing the project. In order to meet the high requirements for OT security, the systems are now being continuously renewed.
The work has paid off: Axpo Grid AG and its subsidiary, Axpo WZ Systems AG, were among the first energy suppliers in Switzerland to receive ISO 27001 certification for the information security of their process IT and ISO 27019 certification for supplementary sector-specific measures (Axpo Grid: ISO 27001 and 27019; Axpo WZ Systems: ISO 27001) for their OT Security. The recent certifications not only strengthen confidence in Axpo, but also commit the company to maintaining and continuously developing its cyber security to the state of the art. Last but not least, the certification also ensures the sustainable benefit of the considerable investments made.
However, Axpo Grid will not rest on its laurels, Müller makes clear: "We would like to use our pioneering role to motivate other energy suppliers. We are happy to offer our support, because the Swiss electricity grid is only as strong as each of its players". Furthermore, it can be assumed that certification will become mandatory for Swiss energy suppliers in the future, as is already the case in neighbouring countries.
Link to article in the "VSE-Bulletin" (German)
Operational Technology (OT) includes devices and systems that are directly involved in physical production processes - e.g. the protection, control and regulation equipment of a turbine in a power plant or systems of the line fields or transformers in substations as well as the communication infrastructures required for this. In contrast, Information Technology (IT) deals with commercial data processing that is not directly linked to physical processes.
With Operational Technology Security (OT Security), industrial systems can be monitored and protected, especially against criminal attacks, e.g. via the internet. A comprehensive OT security system consists of an organisational concept and technical measures on the systems.