Energy infrastructures such as the power grid or oil & gas pipelines are cyber-physical systems nowadays, i.e. a combination of physical assets and information infrastructures. Software systems are used to supervise, control and protect the energy infrastructure at various junctions:
- Power generation of all types (traditional plants such as nuclear, coal- or gas-fired, as well as renewable sources such as hydro, wind or PV) is controlled by industrial control system software.
- In the transmission and distribution network, substations are controlled and protected by substation automation system software.
- The entire transmission and distribution system (incl. generation, transmission, distribution and consumption) is supervised and controlled from national and regional network control systems using network management and SCADA (Supervisory Control and Data Acquisition) software.
- Wide-area communication links are used to interconnect the various components of the infrastructure and are based on embedded software systems.
With the advent of renewable energy sources comes distributed generation and a less hierarchical power grid, including the inherent capability of "islanding" subsystems (microgrids).
Enterprise IT systems and industrial software systems differ significantly in several aspects:
- Enterprise IT systems are generally built for the primary purpose of information processing, while industrial software systems process information with the primary purpose of running and maintaining a physical, industrial process (e.g. power generation, transmission and distribution, or manufacturing and production), which includes dependencies on the physical environment (i.e. physical and cyber security need to complement each other, and backup sites are of limited applicability).
- Compromise of enterprise IT security may result in unintended information disclosure, disruption of business processes and financial losses, while compromise of industrial software system security may result in compromise of public health and safety (incl. loss of life) and environmental protection (incl. significant environmental pollution) as well as financial losses.
- Enterprise IT systems have a strong focus on the security of central servers and, secondary to that, of relatively homogeneous client endpoints, while industrial software systems have critical functions (e.g. safety/protection, closed-loop control) on distributed field devices with a heterogeneous software base (e.g. embedded real-time operating systems, Windows- or Linux-based servers and clients, multi-vendor systems).
- Enterprise IT systems generally have lower availability requirements (an accumulated few days of unavailability per year may be acceptable, and thus downtime for maintenance is common practice), while industrial software systems generally have availability requirements that are orders of magnitude higher (only a few minutes of downtime per year are acceptable; downtime for maintenance is extremely expensive and should be avoided altogether).
- Enterprise IT systems generally operate in a relatively dynamic environment (i.e. changes happen continuously and not always according to a strict change management process) and the time frame of predictable behavior (or the necessity for predictable system behavior) is in the order of minutes to hours if not more, while industrial software systems are usually purpose-built and operate in a very deterministic environment and manner (i.e. system behavior in all kinds of situations is pre-specified in detail) and the time frame for necessary predictable system behavior is in the range of milliseconds to minutes. In theory this allows for better control of undesired activity; however, practical tools are not available on the market yet.
- Enterprise IT systems are usually operated in a transactional manner, i.e. their primary domain objects are focused on the supported business transactions, while in industrial software systems the real-time operation of the physical process under control is the primary focus.
- The typical response to errors or problems in enterprise IT systems is patching and upgrading the software to newer versions, which often requires rebooting (common practice is to periodically reboot systems preventively), while in industrial software systems the primary principle is fault tolerance and online repair (i.e. the system can gracefully degrade performance in failure situations or can correct errors during normal, continuous system operation).
The typical high-level security objectives are:
- Confidentiality, i.e. unauthorized access to information is prevented.
- Integrity, i.e. unauthorized modification of information or services is prevented or can at least be detected.
- Availability, i.e. information or services are available to authorized users when needed.
Enterprise IT systems usually prioritize confidentiality before integrity before availability, e.g. disconnecting or discontinuing services to prevent the disclosure of sensitive information is an acceptable control, while industrial software systems usually reverse this priority to availability before integrity before confidentiality, e.g. in emergency situations the full availability of a control system must be guaranteed even if this means that access control may be violated.
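The reversed priority order can be made concrete as an authorization policy. The following Python model is an added example, not code from the original text: an enterprise policy fails closed when access control is unavailable or denies, while the industrial policy fails open for control actions during a declared emergency and records every override so the violation of access control can at least be detected afterwards (the integrity objective). The role names, action names, the emergency flag and the set of control actions are assumptions made for illustration.

```python
"""Fail-closed (enterprise) versus fail-open-in-emergency (industrial)
authorization. Added illustration; names and actions are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class Priority(Enum):
    ENTERPRISE = "confidentiality > integrity > availability"
    INDUSTRIAL = "availability > integrity > confidentiality"


# Assumed set of actions that directly affect the physical process.
CONTROL_ACTIONS = {"write_setpoint", "trip_breaker", "open_valve"}


@dataclass
class Request:
    user: str
    action: str            # e.g. "read_setpoint" or one of CONTROL_ACTIONS
    authorized: bool       # result of the regular access-control check
    auth_service_up: bool  # whether the access-control backend was reachable


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEngine:
    priority: Priority
    emergency: bool = False                      # declared by the operator
    audit_log: list = field(default_factory=list)  # (user, action, allowed, reason)

    def decide(self, req: Request) -> Decision:
        if req.auth_service_up and req.authorized:
            # Normal path: both worlds honour a positive access-control result.
            d = Decision(True, "authorized")
        elif self.priority is Priority.ENTERPRISE:
            # Enterprise: fail closed. Denying (or even disconnecting the
            # service) is an acceptable control to protect confidentiality.
            d = Decision(False, "fail-closed: access control unavailable or denied")
        elif self.emergency and req.action in CONTROL_ACTIONS:
            # Industrial, emergency declared: availability of the control
            # function wins over confidentiality. The override is still audited
            # so it can be detected and reviewed (integrity before confidentiality).
            d = Decision(True, "emergency override: availability over access control")
        else:
            # Industrial, no emergency (or a non-control action): still fail closed.
            d = Decision(False, "fail-closed outside emergency")
        self.audit_log.append((req.user, req.action, d.allowed, d.reason))
        return d


def overrides(engine: PolicyEngine) -> list:
    """Audit entries where access was granted without a positive auth result."""
    return [e for e in engine.audit_log if e[2] and e[3] != "authorized"]


if __name__ == "__main__":
    req = Request("operator1", "trip_breaker", authorized=False, auth_service_up=False)
    for prio in Priority:
        engine = PolicyEngine(prio, emergency=True)
        print(prio.name, engine.decide(req))
```

The same request (access-control backend unreachable, operator not confirmed as authorized, emergency declared) is denied by the enterprise engine and granted by the industrial one; the `overrides()` helper lists exactly those grants, which is what a detection or post-incident review would look at.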
Critical infrastructures can fail in various aspects, and the different failure modes are interdependent, e.g.:
- The integrity and availability of the safety system are paramount for its correct operation: a compromise of the safety system can lead to safety risks (if an attacker can hide unsafe process situations) or to denial of service (if an attacker can spoof a safety-critical situation).
- The availability of all system components required for supervision and control is often a regulated necessity for continuing operations (loss of view or loss of control must be responded to by emergency shutdown).
- The cyber security of physical assets has to be complemented by their physical security.
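The following Python watchdog is an added example, not code from the original text, showing how a supervisory function can respond to the failure modes listed above: stale telemetry is treated as loss of view, an unacknowledged command as loss of control, and both trigger an emergency shutdown; the safety system's reading is cross-checked against an independent sensor so that a hidden unsafe state or a spoofed trip shows up as an integrity alarm. The process variable (pressure), the thresholds, the timeouts and the sample telemetry are all constructed for illustration. Note the trade-off the text points at: a spoofed trip still causes a shutdown (the denial-of-service cost), because the watchdog fails safe, but it is flagged for investigation rather than passing as a genuine event.

```python
"""Supervisory watchdog for loss of view, loss of control and safety-system
integrity. Added illustration; all thresholds and samples are constructed."""
from dataclasses import dataclass
from typing import Optional

VIEW_TIMEOUT_S = 2.0      # assumed: telemetry older than this = loss of view
CONTROL_TIMEOUT_S = 1.0   # assumed: command unacknowledged this long = loss of control
PRESSURE_TRIP_BAR = 50.0  # constructed safety limit
DISAGREEMENT_BAR = 5.0    # assumed tolerance between safety system and independent sensor


@dataclass
class Telemetry:
    ts: float                        # time the sample was produced
    safety_pressure: float           # value reported by the safety system
    independent_pressure: float      # value from a separate, independently wired sensor
    last_cmd_sent: Optional[float]   # time of the last control command, if any
    last_cmd_acked: Optional[float]  # time that command was acknowledged, if at all


@dataclass
class Assessment:
    loss_of_view: bool
    loss_of_control: bool
    safety_integrity_suspect: bool
    unsafe_process: bool
    action: str  # "continue", "alarm_safety_integrity" or "emergency_shutdown"


def assess(t: Telemetry, now: float) -> Assessment:
    # Loss of view: the supervisory system no longer receives fresh data.
    loss_of_view = (now - t.ts) > VIEW_TIMEOUT_S
    # Loss of control: a command was sent but never (or not yet) acknowledged.
    loss_of_control = (
        t.last_cmd_sent is not None
        and (t.last_cmd_acked is None or t.last_cmd_acked < t.last_cmd_sent)
        and (now - t.last_cmd_sent) > CONTROL_TIMEOUT_S
    )
    # Integrity check: safety system and independent sensor should agree.
    # A hidden unsafe state (safety low, sensor high) and a spoofed trip
    # (safety high, sensor normal) both appear as disagreement.
    disagreement = abs(t.safety_pressure - t.independent_pressure) > DISAGREEMENT_BAR
    # Fail safe: treat the process as unsafe if either source exceeds the limit.
    unsafe = max(t.safety_pressure, t.independent_pressure) > PRESSURE_TRIP_BAR

    if loss_of_view or loss_of_control or unsafe:
        action = "emergency_shutdown"
    elif disagreement:
        action = "alarm_safety_integrity"
    else:
        action = "continue"
    return Assessment(loss_of_view, loss_of_control, disagreement, unsafe, action)


# Constructed samples, all evaluated at now = 10.0 seconds.
SAMPLES = {
    "normal":          Telemetry(9.5, 30.0, 31.0, None, None),
    "loss_of_view":    Telemetry(7.0, 30.0, 31.0, None, None),
    "loss_of_control": Telemetry(9.5, 30.0, 31.0, 8.0, None),
    "acked_command":   Telemetry(9.5, 30.0, 31.0, 8.0, 8.5),
    "hidden_unsafe":   Telemetry(9.5, 20.0, 60.0, None, None),
    "spoofed_trip":    Telemetry(9.5, 70.0, 30.0, None, None),
    "sensor_drift":    Telemetry(9.5, 30.0, 40.0, None, None),
}


def evaluate_samples(now: float = 10.0) -> dict:
    """Map each constructed sample to the watchdog's chosen action."""
    return {name: assess(t, now).action for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:16s} -> {action}")
```

The independent sensor is what makes the integrity check possible; with only the safety system's own reading there is nothing to compare against, which is why the text calls the safety system's integrity and availability paramount.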