An integrated approach to infrastructure integrity
In a pilot project, the transmission system operator (TSO) ONTRAS investigated the requirements for critical infrastructure. The Leipzig-based TSO worked with the experts from TÜV SÜD to design a security concept that permanently and effectively supports the criteria of the Catalogue of IT Security Requirements published by Bundesnetzagentur, Germany’s federal network agency.
The disclosure of the Log4Shell vulnerability roughly one year ago proved that cyberattacks on critical supply infrastructure systems are a very realistic threat indeed. The vulnerability in a popular logging library also presented a threat to data centres, servers and connected systems in natural gas- and coal-fired power stations. Against the backdrop of security of supply, the importance of cybersecurity is also growing in the energy industry. Given this, the German Energy Management Act (EnWG) also covers requirements that address adequate protection of the telecommunications and data processing systems required for safe network operation. In this context, operators of critical infrastructures (KRITIS) are a particular focus of interest.
Digitalisation calls for innovative security concepts
The EnWG obliges enterprises in the energy industry to implement and update an information security management system (ISMS). The objective is to keep the impacts of potential vulnerabilities to a minimum at all times. An ISMS assesses all applications that are necessary to ensure secure, safe and reliable infrastructure operations. The EnWG is complemented by further regulatory requirements, including the ISO/IEC 27001 and ISO/IEC 27019 standards.
ONTRAS Gastransport GmbH (ONTRAS) meets this legally and technologically challenging situation by relying on the experts from TÜV SÜD and their know-how to assess and improve the security concept for its transmission system. ONTRAS operates the pipeline network in eastern Germany, spanning roughly 7,700 kilometres.
Control and monitoring of this network are highly challenging from a technical point of view. The transmission system comprises about 450 coupling points controlled by electronic data processing, as well as huge amounts of hardware and software for infrastructure operation. Another important aspect is that the integrity of such infrastructure systems always covers both information technology (IT) and operational technology (OT). In other words, unauthorised access to data and systems must be prevented while people, assets and the environment need to be protected at the same time. As digitalisation, including digitalisation of supply infrastructures, grows in significance, an integrated approach to infrastructure integrity is becoming increasingly vital.
Analysing the situation, defining targets, choosing actions
ONTRAS and TÜV SÜD developed and implemented an approach based on extended risk assessment, which examines both the cybersecurity and safety of infrastructures. The project focused on a gas pressure gauge and a regulator. In step one, the project team, comprising experts from both companies, assessed the baseline situation. To evaluate the security and safety status of the transmission system at the start of the project, the project team reviewed the existing safety-risk assessment and the risk assessment from ONTRAS’ ISMS and analysed their interactions.
One challenge was that cyber-risks are harder to quantify than safety risks. In many machine safety concepts (e.g. HAZOP), the security level (SL) is thus more difficult to assess correctly than the safety integrity level (SIL). It also complicates the task of defining the required security targets, which later serve as key performance indicators of project success and may also be used to demonstrate ISMS effectiveness to official authorities. The project team nevertheless succeeded in defining the security targets for ONTRAS’ security and safety concept and determining the scope of analysis. The process included identification and analysis of possible threats and vulnerabilities.
Following this analysis, the experts developed a set of measures that they classified as suitable for risk reduction. In the next step, they looked at each of the specific risks and selected the measure most effective for improving security. An important factor in all these decisions was to keep the entire system in mind at all times, because a new measure must never compromise the function of already existing measures. This “freedom from interference” is one of the key principles for ensuring the safe and secure operation of infrastructure.
Engaging all responsible and knowledgeable parties
For long-term ISMS effectiveness, it is critical that all parties involved share the same understanding of holistic safety and security and how to achieve it. In the design phase of their security and safety concept and in a workshop with TÜV SÜD, ONTRAS’ safety and security experts developed a common approach and understanding of their transmission system that they can use and pass on to others. The knowledge base of the specific cybersecurity and safety requirements of infrastructures needs to be as broad as possible in order to minimise human factor (HF) risks and provide impetus for further development.
To maintain high levels of safety and security, the parties responsible for these aspects should further engage in regular exchanges of expertise and experience. This is of particular importance in the event of changes to infrastructure, which may give rise to new vulnerabilities or interferences that are easier to identify in a team approach. If additional components are installed or components replaced or removed, the impacts of these actions on safety and security need to be assessed in detail. The joint project team from ONTRAS and TÜV SÜD developed documentation that also covered this specific case. By identifying the interfaces that are particularly sensitive in terms of safety and security, the documentation also describes the potential risks involved and thus helps ensure that a rapid and impartial reassessment of safety and security can be performed following structural changes to infrastructure. Ideally, this approach even contributes to further improvements in safety and security.
The detailed risk assessment carried out on ONTRAS’ transmission system also showed that effective safety and security measures are not limited to the IT/OT domain. The use of existing mechanical components or systems for monitoring and control, for example, plays a significant role in consolidating the security level, as these mechanical components are not vulnerable to cyberattacks. With this in mind, parties aiming to ensure a permanently effective ISMS should always make use of all dimensions of security and safety and give preference to an integrated approach that looks at the entire system.
Andreas Michael, Industrial IT Security Expert, TÜV SÜD Industrie Service GmbH
Michael Pfeifer, Expert for machine safety and Industry 4.0, TÜV SÜD Industrie Service GmbH
Jens Gerlach, Team Lead Automation and Electrical Engineering, ONTRAS Gastransport GmbH
Sven Kalmeier, Specialist Planning/Technology, ONTRAS Gastransport GmbH