Professional Documents
Culture Documents
Wef Securing The Electricity Value Chain 2020
Wef Securing The Electricity Value Chain 2020
Electricity Ecosystem:
Securing the Value Chain
WHITE PAPER
DECEMBER 2020
Cover: Getty images/metamorworks
Contents
3 Executive summary
5 Introduction
16 3 Appendices
17 Appendix A: Taxonomy
23 Acknowledgements
25 Endnotes
Executive summary
The electricity industry has evolved rapidly from across the industry’s value chain. The effort was
majority large generation assets, top-down energy initiated by the manufacturing company members
distribution and one-way digital communication, and then refined through consultation with the
to a type of customer-centric energy consisting of broader community.
decentralized, agile, resilient and secure collections
of real-time, networked assets. This report aims to share the newly proposed
electricity industry value chain responsibility model
As a result, effective and sustainable measures (Figure 1) and provoke further dialogue and action
for protecting the electricity industry supply and on this topic.
value chains now go beyond securing individual
products or systems, driving the need for an The report contains three sections:
adaptation of roles and responsibilities, from
procurement and design through to retirement. – The first section introduces the drivers of
An isolated approach will no longer suffice to change responsible for the evolution of roles
secure and achieve a resilient ecosystem. Industry and responsibility across the electricity industry
stakeholders must address their individual as well value chain.
as their shared responsibilities.
– The second section redefines roles and
The World Economic Forum’s Systems of Cyber responsibilities across the value chain.
Resilience: Electricity community, comprised of
senior cybersecurity executives from the electricity – The third section provides key reflections on
industry ecosystem, created this report to redefine securing the value chain.
the cybersecurity-related roles and responsibilities
Product Operations
Value
Chain PR O D U CT SU PPLY SO LU T IO N D ESIG N CO MMISSIO NING O PERAT IO NS
R O LES1 2 3
ASSET Opportunity to enhance the security of the overall Ensure security in Ensure secure roll- Ensures security whether using internal or Retire
OWNER process through dialogues with relevant environment & design out external resources to operate
stakeholders.
SYSTEM Ensure security in Ensure secure roll- Ensure security as per contractual Retire SY ST EM
INTEGRATOR environment & design out agreements LI FEC Y C LE
1 4
Product Development Manufacturing OT support (including FAT) OT support E x ten ded O T s u pport Secondary
PRODUCT Design Technology
E nsure se c urit y in E nsure se c ure roll- out O T s ecu ri ty con tracts PRO DUC T
SUPPLIER e n v i r o n m e nt & d e s i g n LI FEC Y C LE
Primary
Primary Technology support (e.g. transformer) Primary Technology support Technology
CYCLE
~ 12- 24 months ~ 6 – 12 months ~5 – 50 years
R ANG ES2
Yuri G. Rassega, Three key drivers of change are responsible for the stakeholders means that regulators are faced
Chief Information evolution of the value chain as illustrated in Figure 1. with the competing challenges of providing
Security Officer, medium-term clarity in a fast-changing context
– Evolving electricity industry: Up to 15 years where 100% security is never guaranteed. The
Enel Group
ago, electricity networks were considered incorporation of standards into legislation or
slow moving bulk systems. Today, they are regulation offers some flexibility on this topic,
in the middle of a global evolution of energy but changes occur in terms of years.2
systems, with energy generated, stored
and distributed closer to the final customers – Rapid change of cyberthreat landscape:
through the acceleration of distributed In this interconnected and new cyber-
renewables and energy storage technologies. social world, digital information drives real
Digitalization allows customers and electricity events and components increasingly make
system operators to control where, when autonomous decisions. This nonstop innovation
and how electricity is being used. New and and improvement of existing technologies,
more energy uses are being electrified (e.g. coupled with the velocity by which criminals
transport, heating of buildings). Nonetheless, and intelligence agencies can acquire and
real transformational change of such critical exploit these opportunities, allow for a
infrastructure takes decades (e.g. construction continuous stream of new types of previously
of large-scale grid infrastructure still takes at unconceivable attacks.3,4 Predictability and
least 10 years in many countries). controllability are a matter of proper systems
design and operation, including increased
– Global regulatory environment: Regulators cooperation across the ecosystem. Without
are challenged to keep regulations current adaptation, previously secure systems and
given the rapid and evolving threat landscape. environments become insecure.
The importance of a stable environment for
Roles
A common understanding of the different roles is roles identified in the relevant standards, and in
important to ensure cybersecurity across the value particular IEC 62443,7 this model considers the
chain. Each entity can play single or multiple roles following roles:
throughout the value chain. Taking as reference
The electricity Entity that designs and produces a final product or sub-system to
ecosystem entities Product supplier
be sold to asset owners. The product is built from components of
can play different
roles throughout various suppliers and in-house developed components and software
the product or originating from different supply chains.
system lifecycle.
The proposed responsibility model outlined in Figure cybersecurity programmes (see Appendix D)
1 aims to clarify the shared responsibilities of each are recommended to drive accountability and
role throughout each phase of the product lifecycle. ownership in the different phases of the value chain:
Each role should adhere to general ecosystem and product security programme, supplier management
phase-specific responsibilities. A set of associated programme, industrial security programme.
Every part of All stakeholders in the value chain should ensure – Evaluating suppliers based on defined criteria
the value chain cybersecurity foundations and best practices8 and security requirements linked to the criticality
has a clear play are enforced on products in the different phases of the products and services provided, and their
of the value chain. The responsibilities below are respective lifecycles impact across all phases.
to protect, detect
applicable and recommended to all stakeholders
and respond in our
and roles to ensure cybersecurity maturity across – Establishing cybersecurity requirements for all
digital ecosystem. the ecosystem. proposed solutions as part of the procurement
process. Vendors which do not or cannot meet
Christophe Blassiau,
Ensure security by design: Each entity is these standards should be excluded from
Senior Vice-
responsible to: consideration.
President, Digital
Security and Global – Secure the infrastructure, services and – Including buyer audit rights to assess vendor
CISO, Schneider- environments to ensure the integrity and adherence to contractual commitments and
Electric availability of digital assets (on which businesses requirements.
may critically rely on).
Implement security policies consistent with
– Ensure products or services are adequately industry best practices, such as ISO 27001,9
specified, designed, developed and ISO 20243,10 IEC 62443,11 NIST CSF, 12 NIST
manufactured, including the required Secure Software Development Framework (SSDF),13
cybersecurity protections (to be maintained, Business Software Alliance Framework for Secure
updated or upgraded along their service life) to Software14 and set up business continuity and
prevent becoming a vector of compromise to disaster recovery procedures.
customers or downstream peers.
Provide training and support knowledge sharing
– Develop defenses-in-depth based on the and awareness activities across the value chain.
assumption that systems will be breached,
and ensure timely detection and response on – Provide and support internal as well as
suspicious events, as well as communication to ecosystem wide training opportunities.
relevant entities across the ecosystem.
– Create mutual trust in the ecosystem,
Embed cybersecurity into the supplier and secure economies of scale, through
management process. The procurement process collaboration and knowledge sharing
needs to start considering security from vendor opportunities.
selection to the terms and conditions in contracts by:
– Support training offered to the involved players
– Developing sourcing decisions through to develop the required knowledge and skills in
multistakeholder input (e.g. include sourcing, security throughout the value chain, including
legal, engineering, operations, product security security operations and configurations.
and risk management).
Solution design
2. Secure the solution design and commissioning phases
and Commissioning
Cybersecurity The product phase includes product supply In addition, product suppliers should implement a
has to be built activities such as product design, development and product security programme (Appendix D) which
in by design at manufacturing (Focus Area 1). The product supplier integrates security into product development
every stage and is solely responsible to ensure the cybersecurity processes from the outset and manages the cyber
requirements of the products and services provided. and business risks from the design phase. The
component of the
It is good practice for the product supplier to seek product security programme ensures that security
electricity value
feedback by engaging in dialogues with relevant is considered in the product development process
chain, rather than stakeholders from the inception of the product to prevent delays in the delivery to the market
a bolt on approach development phase. and customers.
to power systems.
In today’s The second focus area is the solution design and ensure that the future security state of the product
interconnected commissioning phase (Focus Area 2). This phase and system is taken into consideration at the outset
world, it is crucial is where part of the cybersecurity responsibility of the design process. This responsibility starts with
to look beyond transition begins, from the product supplier to the definition of the cybersecurity requirements for
those integrating and operating the systems. the future system being defined by the asset owner
one’s own risk,
Upon handover of the product, the relevant and/or system integrator, often in collaboration with
and manage
product supplier is responsible for both primary the product supplier.
third-party risk. and secondary technology support throughout the
Only through value respective stated product life. Once these requirements are defined, the system
chain collaboration integrators can drive component selection
may resilience be For this phase to be adequately managed, within the design process. During this phase,
achieved. asset owners should have established a supplier product suppliers should provide support and
management programme during the procurement training to ensure the effective configuration of
Kai Hermsen, process. Beyond evaluating the vendors, this the system and that asset owners are able to
Global Coordinator programme should also define the requirements operate independently the security configurations.
for the Charter to securely integrate the product into the This shared responsibility continues through
of Trust, Siemens broader system. final commissioning, with a ramp-up security
responsibility adopted by the asset owners.
Product suppliers, system integrators, asset owners
and asset (less) operators must collaborate to
Asset owners
System integrators
– Ensure cybersecurity requirements agreed during the procurement phase are realized
in the system integration and commissioning.
– Enforce a secure and agile solution design of systems by setting the foundations for
the execution a comprehensive industrial security programme.
– Perform the commissioning and delivery of the system to the asset owners, with a
gradual transition of security responsibilities shifting from the system integrator to the
asset owner when the system is commissioned.
Product supplier
– Support asset owners and system integrators with the effective configuration of
security capabilities offered in the target system’s environment.
– Provide the OT product support, including vulnerability management, quality fixes
and security patches from the solution design phase through commissioning and
throughout stated product life, following the product security programme.
Operations phase
The operations phase aims to ensure security in which operationalizes both the technical and
two focus areas: non-technical cybersecurity activities needed in
the operation of an industrial environment.
– System operational security. The asset owner
is responsible for the operational security – Product operational security. The product
aspects by providing a failsafe and secure supplier should provide cybersecurity support
environment to operate products (Focus and remediate vulnerabilities for the product
Area 3). This is typically accomplished via an throughout the stated product life (Focus Area 4).
industrial security programme (Appendix D),
2
Incorporating security in the design phase of systems
in an electricity network requires a comprehensive
industrial security programme from the asset owners,
in conjunction with operators and system integrators,
to manage the cybersecurity risks.
3
ecuring the operations phase is a shared
S
responsibility that requires (A) secure products
(product supplier) to be integrated (B) into a secure
system and operated (C) in a secure context – asset
owner and asset (less) operator.
4
Ensuring product security support from handover of
the product throughout the stated product life.
*Relevant product supplier is responsible for both primary and secondary technology
support throughout the respective stated product lives. Primary technology support (e.g.
transformer) is not described in detail in this report as the cybersecurity-related implications
are focused on the secondary technology (or OT) support.
Term Description
Supply chain The supply chain represents the end-to-end processes and
network of required entities for transforming raw materials into
final products.
Principle Description
Principle EI3: The board ensures that its cyber resilience posture and
efforts extend beyond compliance, towards a holistic risk
Going beyond
management approach and are supported by adequate
compliance funding and resourcing.
Responsibility Description
The product security programme is a process supply chain to ensure a secure supply of parts
of managing cybersecurity risk to the vendor and services used for product development
organization throughout the process of bringing and manufacturing (as described under supplier
products to market. The cost of bringing a product management programme below).
or solution to market is the driving factor. The result
is that product companies have traditionally ignored – Design reviews: Review and validate developer
the longer-term maintenance of the installed base of direction in architecture (all) for security quality.
product from the standpoint of cybersecurity. Feedback to net new requirements.
The challenge of product security is further – Threat modelling: Evaluate and report
exacerbated in the critical infrastructure space theoretical attack vectors for exploiting the
for three reasons: criticality of impact, operational product/point system, system or system of
lifecycle duration and limited possibility of delivering system. Feedback to net new requirements.
security updates. These challenges pose unique
issues for both product supplier and asset owner – Secure coding: Ensure modern security coding
as neither of them can be entirely successful in the practices are followed. Training may be required.
cybersecurity space in a vacuum.
– Static/dynamic code analysis: Tools used
To address the challenge, product suppliers must to ensure that secure coding guidelines and
adopt a product security programme to govern practices are followed.
product development from the standpoint of
security, as well as to manage the cyber and – Testing: Validates everything to this point (i.e.
business risks from the design phase. From the requirements, design, coding, etc.).
standpoint of product development, there are
a number of stage gates that are introduced to – Secure manufacturing: Building the product
ensure cybersecurity quality and cybersecurity with security and integrity at the forefront.
values are included:
– Product security incident response team
– Security requirements: No backdoors, signed (PSIRT): This is the function where the
and validated code/firmware, all security organization has the ability to ingest third-
compiler options enabled (DEP, ASLR, etc.), party information regarding product security
least privilege. integrity. A PSIRT capability represents a large
mitigating risk factor for vendors and is often
– Lifetime security management: Plan and the first interaction between a vendor and third
design for the provision of security support parties when considering the disclosure and
throughout the stated product life. vulnerability management processes.
– Supplier management programme: The IEC 62443 standard clarifies further the
Product suppliers should maintain a supplier responsibilities of all involved parties and should be
management programme for their upstream applied across the industry.
While product suppliers are responsible for When buying products or services, asset owners
bringing products to the market which adhere and product suppliers (for their upstream supply
to adequate cybersecurity standards, they also chain) need to perform a risk-based approach,
need to remain profitable. Cybersecurity is a by including standard cybersecurity requirements
necessary cost avoidance requirement that in the tender process and ensure that they are
requires adequate funding. The market has to met by all potential bidders before their offers are
recognize its value and be willing to incorporate evaluated by their procurement team, weighing in
it in the overall process in the same manner as the risk score along with other criteria. Moreover,
other compulsory requirements related to safety considering the cascading effects cyber risks might
or sustainability for instance. In the absence of have on the entire value chain, vendor evaluation
a regulatory mandate (even if this is changing in processes across the entire ecosystem shall take
many countries), products with poor cybersecurity into consideration the management of cyber
features may likely enter the market, due to price risks coming from the supply chain by prioritizing
pressures, increasing ecosystem-wide exposure products (including raw components) and suppliers
to cyberattacks. Compensating measures may that have internally adopted holistic and robust
be deployed afterwards by asset owners and/or practices to cybersecurity, and by ensuring that
system integrators, with increased complexity, less residual risks are identified and communicated to
effectiveness and at a higher cost. the executive committee and board.
The industrial security programme is a concept of controls can be bypassed by exploiting human
managing cybersecurity risk to the asset owner beings who are not properly trained and controlled
organization starting from the design phase as per by governance mechanisms. The inverse can also
the E2: Resilience by design principle,17 throughout prove true.
the process of operating an industrial environment.
For many organizations, such practice may well be Secure product in secure environment
included in the overall cybersecurity programme.
The purpose of creating an industrial cybersecurity It is often reported that cybersecurity is a “team
programme is to right size the investments in sport” and nowhere is that truer than in critical
governance and cybersecurity controls and adhere infrastructure sectors. Context is needed to ensure
to the defined enterprise’s risk tolerance. the end-to-end security of systems is designed
into the design phase and maintained throughout
Balanced security their lifecycles. This disparity in available features
and capabilities inherent in products versus their
For industrial environments, there is a core concept implementation drives a divergence between the
of a balanced security programme. This is a vendors and asset owners. Additionally, even if
concept that closely mirrors technical controls the vendor cybersecurity value has been provided
(i.e. firewall rules, file permissions, etc.) to non- and implemented by the asset owner, it does
technical controls (i.e. policy, procedure, guidelines, not equate to a secure system. The completion
etc. general governance). This concept reinforces of a defense in depth strategy is a prerequisite
human behaviour to align with technical direction, to ensure a secure power system. This further
serving to shift the overall maturity and culture of underscores the need for balanced security
the environment. Security programmes that are not programmes, as well as the transparency and
balanced often lead to a false sense of security. For collaboration of vendors, system integrators, asset
example, an attack vector exists where technical owners and asset (less) operators.
Pierre-Alain Graf – Senior Vice-President, Global Security, Hitachi ABB Power Grids, Switzerland
Enel, Italy – Mario Bocchiola, Francesco Ciancarelli, Aniello Gentile, Yuri G. Rassega
European Union Agency for the Cooperation of Energy Regulators, Sloveni – Stefano Bracco
Institute for Security and Safety (ISS), Germany – Guido Gluschke, Swantje Westpfahl
Office of Gas and Electricity Markets (Ofgem), United Kingdom – Mohammed Zumla
Filipe Beato – Project Lead of Cybersecurity Industry Solutions, Centre for Cybersecurity