Market view: Collaborating on security

Common standards for cyber security for energy networks would be a great benefit to both networks and vendors, and the ENCS is doing just that, say Michael John and Dr Maarten Hoeve.

In March 2015, Dutch distribution system operator (DSO) Enexis had a challenge. It was planning to tender for the supply of new distribution automation equipment and needed to make sure the technology was secure. The problem was that, without an agreed set of requirements, it was difficult to know exactly what to ask for in the tender from a security perspective. The manufacturers could build what was needed, sure enough, but without applicable security requirements available, they needed guidance to ensure they met Enexis’s security needs.

Enexis wanted to find the right balance between mitigating cyber security risks and higher costs. Without guidance, Enexis ran the risk of leaving security flaws in the distribution automation equipment or of setting security requirements so strict that they would limit the number of possible vendors.

Fortunately, as a member of the European Network for Cyber Security (ENCS), Enexis had collaborated with six other utilities and network operators across Europe to share experiences and best practices for cyber security. This created a set of aligned requirements for just this type of process. Working closely with ENCS as an impartial third party, Enexis was able to use the requirements to successfully procure equipment that met its security requirements, taking into account the criticality of the use cases involved.

The result was a more secure distribution automation system and a smoother procurement process, delivered at only marginal extra cost – avoiding the inflated security premiums usually assumed to go hand-in-hand with top security.

Specifying the requirements

In 2015, ENCS asked its members about problems they had in ensuring cyber security was properly represented during the procurement process.

The common response was that, while system operators wanted to hear about the equipment’s cyber security capabilities from the manufacturers, the manufacturers were waiting for guidance from them on what security protocols they needed to build in. With no clear set of procurable requirements on either side, the cyber security aspect of the tender was a lengthy back-and-forth process.

Another key aim of the project was to achieve harmonisation between the distribution system operators. The adoption of common requirements would not only simplify processes but could also lead to savings. For instance, the common security requirements used by all Austrian network operators give them more market power in relation to vendors. The aim was to harmonise these with other countries, with an eventual goal of having common core requirements that could be adapted to national needs.

Finally, ENCS wanted to ensure the resulting requirements were independent of any particular technology. This is because the requirements specify what security measures are needed, not how the measures should be implemented, meaning the requirements can be used for different technologies and communication protocols. This would give individual customers the freedom to implement security in a way that would fit with their procured solution.

Enexis had a procurement round starting soon after the project concluded. ENCS prepared a preliminary version of the resulting requirements so they could be incorporated into the process, tweaking them slightly according to the specifics of Enexis’s architecture and risk mitigation objectives.

Back in 2014, Enexis had procured distribution automation equipment for medium voltage transport systems. ENCS provided support at the time, reviewing the requirements and attending the selection interviews with manufacturers. The tender was successful, but Enexis felt that it needed an even better grip on security, and an even better way to evaluate manufacturers and their equipment, in the future.

So there was a clear benchmark for success for this tender, which was for similar distributed automation equipment in medium to low-voltage transformer substations. If the overall process proved to be easier and the resulting equipment more secure, then the requirements would have been successful.

“What the requirements gave us from the outset was some objective structure – some rigour,” says Enexis distribution system operator security officer Carlos Montes Portela. “Rather than having to ask each manufacturer about their security capabilities, evaluate them against our needs, then potentially go back and ask for refinements, we had a clear set of requirements from the start. They went into the request for proposal and manufacturers knew what we needed.”

The results

The project was a great success, providing two key results:

  • The tender process was smoother and quicker. By having the cyber security requirements stated upfront, there was a clear idea on how to evaluate the different vendors’ solutions.
  • There was a clear view on the security capabilities of the solutions offered and a level playing field was created on the security part of the requirements.

By having a clearer, more rigorous process in place from the start, Enexis was able to ensure it got the best possible cyber security requirements for the equipment. The manufacturers involved also benefitted from having upfront requirements to meet, making it simpler for them to demonstrate suitability.

Crucially, this was achieved with only a minor extra investment.

With Enexis’s implementation of the requirements a success, ENCS hopes that both new and existing members can use them in future to get the most out of tender processes. On Enexis’s part, the pilot was successful and it can now procure equipment for the rest of the programme with confidence.

As grids across Europe become more distributed, automated and smart, a collaborative approach to cyber security will become increasingly important to keep grids safe.