Cyber Security Assessment

Security assessment of two operational SCADA systems

Customer
A Distribution System Operator in Asia-Pacific
The DSO operates and maintains a gas and electricity network. For the electricity network, more than 6.000 substations are in operation.

Background
Cyber-attacks becomes an increasingly threat to the critical infrastructure. Outages of the electricity grid will have direct consequences to the nation. Not only economic damage, but without electricity other critical services like transport, medical attention, food, water supply, etc. will be disrupted. Causing a lot of chaos and possible loss of life. This DSO has a high reputation and cyber security is one of their top priorities. They perform an annual security scan on their automation equipment to close the security issues. This process refers to the ISO 27001 certification that they have retrieved. While industrial automation and control systems are very different as IT, this DSO requires an external company that has the knowledge of their type of systems to perform a good check.

Project
The project comprises different elements to be checked. A full cyber security assessment was carried out on two SCADA systems that are in operation. The assessment consisted of the review of the documentation, processes, network architecture and system architecture. After the review, a technical assessment has been carried out. This assessment checked all the target systems (like network equipment, work stations, servers, peripheral devices, etc.) on hardening, installation and configuration. It required to have access to these target systems. The last part of the project consisted of a vulnerability scan of the targeted systems using Nessus and a penetration test on both SCADA systems.

Services
DNV provided an end-to-end cyber security assessment that consisted of all the different parts required by the project. With our deep domain and digital knowledge, we bridged the gap between information technology and operational technology to enable operators of critical infrastructure, their people and their systems to be prepared for, protected against, and able to respond to the risk of cyber threats. The approach of this service limits the operational risks, so it is possible to assess the live operational systems.

Benefits
The full SCADA system has been assessed including the interfaces. Due to the combination of our deep domain knowledge, the findings and recommendations are in line with the way of working, culture and automation systems. Therefore, the customer has been able to implement changes easily. This has been strongly acknowledged by the customer, while generic IT cyber security approaches do not always work. The cyber security awareness, documentation and secure system implementation has been improved.