- The cyber resilience challenges included ensuring business continuity, the complex and diverse threat surface, third-party involvement, and mismatched resources and requirements.
- DNV Cyber created a bespoke security reference architecture for the utility’s operational technology systems.
- The solution met current business needs, served as an action plan for the future, and addressed industry-specific concerns.
This project was delivered by Applied Risk, a DNV company. DNV, Applied Risk, and Nixu joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest-growing cybersecurity services businesses.
A major European electricity distribution systems operator (DSO) aimed to develop a reference architecture covering the cybersecurity needs of its operational technology (OT). The request was driven by trends affecting the management of electric grids: rapid innovation, technological complexity, data sharing and interconnectivity, rising cyber-attack sophistication, and the sector’s attractiveness as a cyber target.
Security maximizes benefits from digitalization for improved efficiency, increased operational accessibility, productivity, sustainability and safety in energy industries. The DSO believes that cyber resilience in complex networks can be achieved effectively only through an architecture approach.
The architecture would need to enable secure communication between business applications and the electrical network, including remote switching and monitoring up to substation level. This would ensure continuity of operations and the integrity of key critical assets while maintaining the ability to deliver electricity on time. This requires data networks that integrate, manage, and balance the central distribution grid and decentralized supply resources.
Working closely with the DSO, DNV Cyber applied extensive knowledge of OT systems, the electricity sector, and vendor technology, in a collaboration that enabled the client to achieve its goals through:
- A future-proof and risk-based solution
- A reference architecture that was scalable and flexible to accommodate future growth.
Solving four key sets of challenges
Working closely with the DSO, DNV Cyber defined key challenges as the need to ensure business continuity, the complex and diverse threat surface, third-party involvement, and mismatched resources and requirements.
Business continuity: There was high demand for maintenance support to remote substations. So, a security reference architecture was required to ensure the ability to deliver electricity reliably and continuously. The reference architecture should also be able to maintain system integrity and accommodate future growth.
Threat surface: Operations depended on OT systems including ageing infrastructure, legacy systems needing special treatment, and standard OT communication protocols lacking dedicated security mechanisms. The DSO was also integrating new technologies (e.g. big data, industrial internet of things, and mobile wireless connectivity) into its industrial networks.
Third parties: The DSO’s control and communications systems are connected with partner organizations and third parties. The company also has complex and diverse relationships with external service providers.
Resources vs requirements: There had been an explosive rise in cyber threats and campaigns targeting the power sector. Further, the client sought to remain in compliance with an expanding range of standards, including the Network and Information Security Directive (EU NIS). These factors increased demand for specialist knowledge and skills, which many of the DSO’s employees lacked.
DNV Cyber offered the exact combination of technical expertise and understanding of the power sector we needed.
Counting the benefits of the DNV Cyber/DSO collaboration
DNV Cyber began by evaluating the existing OT architecture to identify weaknesses, pinpoint risks specific to the sector, and propose a roadmap for a security reference architecture. Some requirements addressed were secure separation between process controls and other systems, the ability to securely exchange data from IT and OT with other domains, and service-oriented infrastructure building blocks that are simple to deploy and manage.
The next step created a bespoke security reference architecture for the OT systems. It involved reviewing the functional requirements and translating them into concrete, versatile, scalable and industry-specific technical objectives.
DNV Cyber’s engagement yielded positive results by meeting current business needs, serving as an action plan for the future, and addressing industry-specific concerns. The security reference architecture could be applied to all the existing assets regardless of size or complexity.
The reference architecture supported the DSO’s current requirements and provided the scalability and flexibility to accommodate future needs, including business reference architecture; data reference architecture; application reference architecture; technical reference architecture; OT-relevant data standards; and risk-based security architecture requirements.
Once designed and implemented, the architecture is believed to improve the DSO’s bottom line over the long term by streamlining its OT network and security philosophy, making it leaner and more manageable. It will make the customer’s OT systems easier to operate securely and less dependent on third-party service vendors. As such, the reference architecture services help to provide continuous and reliable supplies of electricity while reducing the cost of ownership.