Control system cyber security and governance
Protecting critical infrastructure in the digital age
Cyber intrusions, intentional or unintentional, can have a significant impact on service continuity and safety. The control of utility processes and systems is becoming increasingly complex. The critical nature of the utility infrastructure also has made it a target for sabotage, hackers or even unintentional break-ins.
Evolving role of the control system operator
As more information and control systems are automated, the operator's role is increasingly to record, interpret and abstract information concerning the system as a whole. Much of this information is complex in nature.
Securing control systems, preventing cyber security breaches
Security assessments and penetration tests have identified vulnerabilities in SCADA, distribution control and other utility control systems. There have been cases of both intentional and inadvertent cyber impacts on utility control systems.
DNV is highly experienced in working with control systems, control room ergonomics and knowledge of task and information analysis. We are helping utilities worldwide assess the susceptibility of their control systems to hard-to-detect security breaches. And we are helping utilities gain a better understanding of appropriate levels of security for each system.
We can help provide the solutions you need for efficient operation of automated production processes including:
- perform risk and reliability analysis
- perform security assessments
- develop checklists for security assessments and regulatory compliance
- assist in secure computer architecture development
- develop control system security procedures.
Tailored solutions to protect critical infrastructure
DNV understands your operation and the energy industry, not just the technology. We offer deep expertise in the areas of EMS, DMS, SCADA and GIS, utility communications and market design. And we help utilities develop cost-effective, practical security solutions that the meet the needs of utility SCADA, EMS, and DMS systems.
Information technology and operational technology continues to converge for these systems, and that convergence gathers pace. In this environment, there is a need to understand and manage a complex set of associated business risks, and to demonstrate compliance with mandatory standards, all whilst ensuring that the required service levels are delivered. The framework within which these critical systems management is defined, controlled, assured, measured and improved is known as Critical Systems Governance.
DNV assists Critical Infrastructure Operators such as electricity and gas transmission system operators in understanding the principles and developing the governance models which take into account the needs for overall risk management through an appropriate combination of:
- asset management
- service management
- quality assurance (cyber)
- security management.
DNV's control system cyber security solutions include:
- the development of control system governance models and control system security policies and procedures for SCADA/EMS/DMS applications
- cyber security support to utilities throughout the project lifecycle for SCADA/EMS/DMS and DCS/PLC implementations, from requirements, through procurement, design and development, to factory acceptance testing
- cyber security support to utilities for factory acceptance testing of SCADA implementations
- cyber security policies and procedures conforming to the NERC cyber security (CIP) and other standards and recognized best practices for critical control systems
- security guidelines for remote access to control systems
- control system architecture reviews, including security versus performance trade-offs
- risk assessment methodology, including cyber-specific issues
- fossil and/or nuclear plant instrumentation and controls for security or performance enhancements
- security test bed support and vendor coordination
- cyber security support with industry protocols such as ICCP, UCA and DNP
- support in understanding and dealing with third party control systems cyber security risk.