
Cyber Security Consulting · 2020-02-11 · mendations (IEC/ISO27k, IEC 62443, BDEW Whitepaper, NERC-CIP). Applying this methodology to a power system operator, the following cyber


Cyber Security Consulting
A holistic approach towards a secure power system

siemens.com/power-technologies

At a glance
Local governments around the world are taking regulatory action against the prevailing threat of cyber security attacks. To give but one example, the German IT Security Act was issued on June 12, 2015.

The rising need for protection against potential cyber security attacks arises from an increased interconnection of operational technology (OT) as well as growing demands with respect to data processing, supported by the integration of operational technology with information technology (IT).

The term critical infrastructures designates organizations or institutions of high importance for their communities. Outages or disturbances affecting these critical infrastructures lead to lasting shortages of supply and a significant impact on society and the economy.

In Germany, operators of critical infrastructures are obliged to follow legal requirements such as the IT Security Catalog, which requires the implementation and certification of an Information Security Management System (ISMS) and the taking of appropriate measures to protect critical infrastructures.

The Challenge
How to appropriately protect a power system
The protection of a power system has different priorities compared to traditional IT environments. In IT, the highest priority is always confidentiality. In operational technology, availability is more relevant: a system must remain available, at any price, in order to protect equipment and people from harm. With the convergence of operational technology and information technology, power systems face risks from both known and new threats.

A cyber attack against these infrastructures can have severe consequences for the system operator:

· human harm or loss

· degradation or disruption of operation

· breaches of legal or contractual requirements, financial loss

· loss of know-how or licenses

· loss of reputation, customers and market share

An Information Security Management System defines rules and processes for steering, controlling, maintaining and optimizing cyber security within an organization, but it does not clearly define which aspects should be covered in a protection concept and how it can be applied to an operational environment such as a substation.

Our solution: A holistic approach
Siemens' consulting approach considers all elements of a company:

· People: Awareness and understanding of cyber security needs and requirements

· Processes: Requirements regarding products/systems, operations and organization, covering the complete lifecycle

· Technology: Supports the fulfillment of processes and the achievement of the protection goals: availability, integrity, confidentiality


As people work with processes, supported by technology, any security assessment needs to consider all three of these elements.

The methodology used in Siemens' consulting approach is based on the NIST framework, which follows international security standards and recommendations (IEC/ISO27k, IEC 62443, BDEW Whitepaper, NERC-CIP).

Applying this methodology to a power system operator, the following cyber security functional areas are relevant:

· Identify - Understanding the business context, the resources that support critical functions and the related cyber security risks.

· Protect - Protection of critical infrastructure services, e.g. energy supply, by safeguarding the critical assets of the overall system.

· Detect - Identification of occurrences of cyber security related events.

· Respond - Taking action against the detected cyber security related event. It supports the ability to contain the impact of a potential event.

· Recover - Creating plans for resilience and restoration of business-essential services that were impaired due to a cyber security incident.

Our consulting approach is based on the well-proven Compass® method and follows a clearly structured process. Results can be derived quickly, and these results are the basis for creating high customer value.

The Compass® method includes the following phases:

· Orientation: Comprehensive and objective analysis of the current security status in the process environment

· Destination: Definition of the desired security level and proposal of concrete measures

· Routing: Roadmap including profitability analysis and recommendations for implementation

· Navigation: Continuous customer support during the implementation of security measures

The approach and the methodology are applied with the domain knowledge of Siemens experts working in the energy management domain. This guarantees that appropriate measures are defined and applied during the process.

ISMS implementation example
An Information Security Management System (ISMS) defines the principles and rules within a company to achieve consistent information security.

The first step in implementing an ISMS is to understand the business context and to identify the critical business processes and assets.

Based on gap and risk analysis, a protection concept and implementation plan must be drawn up in which the associated business risks are addressed in all NIST functional areas.

Publisher
Siemens AG 2016

Energy Management Division
Freyeslebenstraße 1
91058 Erlangen, Germany

Contact us:
[email protected]

Subject to changes and errors. The information in this document contains only general descriptions or performance features which may not always apply in the specific application in the form described, or which may change as a result of further development of the products. The desired performance features are binding only if they are expressly agreed upon when the contract is concluded.

Published by
Siemens AG 2017

Energy Management Division
Freyeslebenstrasse 1
91058 Erlangen, Germany

For more information, please [email protected]

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract.