The availability of metering data means that the meter should function correctly and that there is reliable communication between the meter and the backend system. Meters are usually reliable if not tampered with (see integrity above). Still, they may be attacked by hackers if the meter is accessible from the Internet, so meters are often protected by a firewall or communicate over a dedicated channel, such as a GSM, 4G, or 5G modem. Moreover, communication may fail if the normal connection between the meter and the DH organisation fails; this is particularly relevant for Internet communication, which may be subjected to Denial of Service attacks, where the backend system is overwhelmed by network traffic from unrelated sources. Availability is primarily addressed by storing data temporarily on the meter so it can be retransmitted if the server did not receive it. This addresses most transient failures in the communication infrastructure. If high availability is required, separate communication channels may be employed; this is known as communication redundancy.

Confidentiality of meter data primarily relates to the communication between the meter and the backend system and is normally addressed by standard cryptographic means.

Protection of Customer Data

The protection of customer data is a standard data protection problem, which the CIA triad was developed to describe. Confidentiality is ensured through access control, where only users who have been authorized to access data will be allowed to do so. This raises an interesting privacy issue when utilities wish to share data for different purposes, such as allowing the development of apps that calculate average temperatures and DH usage and compare these to the average in the neighbourhood. Due to GDPR, such sharing is difficult without sufficient anonymization, which is itself difficult to achieve. Finally, data should be encrypted at rest, particularly if stored in the cloud.
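Access control in front of decryption, and authenticated encryption before anything reaches disk or cloud storage, are the two mechanisms the customer-data discussion above rests on. The Go program below is an added example written for this article, not code from the article or from any utility or vendor: it uses AES-GCM from Go's standard library, a constructed 32-byte key (a real deployment would keep the key in a KMS or HSM), a constructed customer record, and two hypothetical roles, "billing" and "app-developer".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role-based access control: only roles mapped to true may read customer records.
type Role string

var canReadCustomer = map[Role]bool{"billing": true, "app-developer": false}

var ErrDenied, ErrTampered = errors.New("access denied"), errors.New("record failed integrity check")

// Store models customer records as they sit on a local disk or in the cloud:
// always as AES-GCM ciphertext, so confidentiality and integrity are in place
// before the data leaves the application.
type Store struct {
	aead  cipher.AEAD
	blobs map[string][]byte // what someone with raw storage access would see
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, blobs: map[string][]byte{}}, nil
}

// Write encrypts under a fresh random nonce and binds the customer ID as
// associated data, so a blob moved into another customer's slot will not open.
func (s *Store) Write(customerID string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.blobs[customerID] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(customerID))...)
	return nil
}

// Read enforces access control before touching the data; decryption then
// verifies the GCM tag, so corrupted or edited storage is refused, not returned.
func (s *Store) Read(who Role, customerID string) ([]byte, error) {
	if !canReadCustomer[who] {
		return nil, ErrDenied
	}
	blob, ok := s.blobs[customerID]
	ns := s.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, ErrTampered
	}
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(customerID))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// Tamper flips one stored byte, simulating corruption or an edit at rest.
func (s *Store) Tamper(customerID string) {
	b := s.blobs[customerID]
	b[len(b)-1] ^= 0x01
}

// Demo writes one constructed record and reports: billing could read it, the
// app-developer role was denied, the plaintext is absent from storage, and a
// tampered record is detected on read.
func Demo() (billingOK, devDenied, plaintextHidden, tamperDetected bool) {
	key := bytes.Repeat([]byte{0x42}, 32)                       // constructed demo key; use a KMS/HSM in practice
	record := []byte("Jane Doe, Heatway 12, 2024 usage 18.4 MWh") // constructed
	s, err := NewStore(key)
	if err != nil {
		return
	}
	s.Write("cust-0001", record)
	pt, err := s.Read("billing", "cust-0001")
	billingOK = err == nil && bytes.Equal(pt, record)
	_, err = s.Read("app-developer", "cust-0001")
	devDenied = errors.Is(err, ErrDenied)
	plaintextHidden = !bytes.Contains(s.blobs["cust-0001"], record)
	s.Tamper("cust-0001")
	_, err = s.Read("billing", "cust-0001")
	tamperDetected = errors.Is(err, ErrTampered)
	return
}

func main() {
	fmt.Println(Demo()) // true true true true
}
```

Three things are worth noticing in Read: the role check runs before any key material is used, the stored blob never contains the plaintext, and a single flipped byte in storage makes the tag check fail rather than returning silently corrupted data. Binding the customer ID as associated data additionally stops a ciphertext being swapped between two customers' slots by someone with write access to the storage.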
Integrity of customer data is usually achieved through the same access control mechanism as confidentiality. Encrypted data at rest can be integrity-protected by the same integrity mechanisms used to transmit meter data mentioned above. Availability of customer data is mainly achieved by maintaining several copies on separate local storage servers or by copying data to the cloud. Regardless of the solution, it is important to encrypt customer data before they are written to the local disk or cloud storage solution.

Controlling the District Heating Network

Controlling the DH network requires correct, complete, consistent, and timely input from the sensors installed. The first three properties can be achieved by the same mechanisms as the collection of billing information. However, the timely transfer of operational parameters from the sensors is necessary for the correct generation and distribution of heat in the network; this is why availability should be prioritized over integrity and confidentiality. Availability of the communication channels ensures timely communication of measurements from the sensors installed in the network to the backend system, and of control commands from the backend system to the actuators that control the physical distribution of heating in the network. The timeliness requirement means that storing commands locally and retransmitting them later, when communication channels have been re-established, is unacceptable, so subsystems must either be designed to enter autonomous operation if control signals are lost, or separate (fully redundant) communication channels must be built into the system. Integrity and confidentiality of the control signals, parameter settings, and software updates exchanged between sensors, actuators, and the backend system can be protected by the same cryptographic means used to protect the integrity and confidentiality of billing information mentioned above.
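The store-and-forward scheme that gives metering data its availability (buffer on the meter, retransmit until the backend acknowledges), as an added Go example written for this article rather than code from the article or from any meter vendor. The meter ID, readings and outage timeline are constructed, and the authentication tag a reading would carry in practice is assumed to be added by the transport layer and is omitted here.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrLinkDown = errors.New("backend unreachable")

// Reading is a metering sample. Seq lets the backend recognise a retransmission;
// the authentication tag (HMAC or signature) is assumed to be added by the
// transport layer and is left out of this example.
type Reading struct {
	MeterID string
	Seq     uint64
	KWh     float64
}

// Meter keeps every unacknowledged reading in a local buffer so that nothing
// is lost while the link to the backend is down.
type Meter struct {
	ID      string
	nextSeq uint64
	Pending []Reading
}

func (m *Meter) Sample(kwh float64) {
	m.Pending = append(m.Pending, Reading{m.ID, m.nextSeq, kwh})
	m.nextSeq++
}

// Flush retransmits everything pending; a reading leaves the buffer only once
// the backend has acknowledged it (send returned nil).
func (m *Meter) Flush(send func(Reading) error) {
	var keep []Reading
	for _, r := range m.Pending {
		if send(r) != nil {
			keep = append(keep, r)
		}
	}
	m.Pending = keep
}

// Backend deduplicates by (meter, seq): a reading resent because the
// acknowledgement was lost is acknowledged again but billed only once.
type Backend struct {
	Up       bool
	seen     map[string]bool
	Accepted []Reading
}

func (b *Backend) Receive(r Reading) error {
	if !b.Up {
		return ErrLinkDown
	}
	if b.seen == nil {
		b.seen = map[string]bool{}
	}
	key := fmt.Sprintf("%s/%d", r.MeterID, r.Seq)
	if !b.seen[key] {
		b.seen[key] = true
		b.Accepted = append(b.Accepted, r)
	}
	return nil
}

// MeterOutage replays a constructed timeline: the link is down for two samples,
// comes back, and one acknowledgement is then lost. It returns the readings
// pending during the outage, pending afterwards, and accepted by the backend.
func MeterOutage() (duringOutage, after, accepted int) {
	m, b := &Meter{ID: "meter-0001"}, &Backend{}
	m.Sample(12.5)
	m.Sample(12.9)
	m.Flush(b.Receive) // link down: both readings stay buffered
	duringOutage = len(m.Pending)
	b.Up = true
	m.Sample(13.2)
	m.Flush(b.Receive) // link restored: all three delivered in order
	// Acknowledgement of the first reading is lost, so the meter resends it;
	// the backend recognises the sequence number and does not bill it again.
	b.Receive(b.Accepted[0])
	return duringOutage, len(m.Pending), len(b.Accepted)
}

func main() {
	fmt.Println(MeterOutage()) // 2 0 3
}
```

The backend deduplicates by (meter, sequence) because retransmission after a lost acknowledgement is the normal case for this design, not an error; without that check the very mechanism that provides availability would quietly double-bill customers.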
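The opposite policy for control signals, as an added Go example written for this article (not code from the article or from any SCADA or actuator product): a command is applied only while it is fresh, a late one is rejected rather than queued, and a local watchdog switches the actuator into autonomous operation once the channel has been silent for longer than a deadline. Timings, setpoints and sequence numbers are constructed, and authentication of commands is again assumed to be handled by the transport layer.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrStale  = errors.New("command too old to apply")
	ErrReplay = errors.New("command sequence not increasing")
)

// Command is a setpoint from the backend. IssuedAt lets the actuator judge
// freshness and Seq rejects duplicated or out-of-order delivery; the
// authentication tag it would carry in practice is left to the transport layer.
type Command struct {
	Seq      uint64
	Setpoint float64 // valve position, percent open
	IssuedAt time.Time
}

// Actuator applies only fresh commands and falls back to a safe autonomous
// setpoint when the control channel has been silent for longer than Deadline.
type Actuator struct {
	MaxAge, Deadline time.Duration
	SafeSetpoint     float64
	Setpoint         float64
	Autonomous       bool
	lastSeq          uint64
	lastGood         time.Time // when the last fresh command was applied
}

func NewActuator(safe float64, maxAge, deadline time.Duration, now time.Time) *Actuator {
	return &Actuator{MaxAge: maxAge, Deadline: deadline, SafeSetpoint: safe, Setpoint: safe, lastGood: now}
}

// Apply rejects a command that is too old or out of sequence. Unlike a meter
// reading, a command is never queued for later: stale control is worse than none.
func (a *Actuator) Apply(c Command, now time.Time) error {
	if now.Sub(c.IssuedAt) > a.MaxAge {
		return ErrStale
	}
	if c.Seq <= a.lastSeq {
		return ErrReplay
	}
	a.lastSeq, a.lastGood = c.Seq, now
	a.Setpoint, a.Autonomous = c.Setpoint, false
	return nil
}

// Tick is the local watchdog, driven by the actuator's own timer so it runs
// whether or not the backend is reachable.
func (a *Actuator) Tick(now time.Time) {
	if !a.Autonomous && now.Sub(a.lastGood) > a.Deadline {
		a.Autonomous, a.Setpoint = true, a.SafeSetpoint
	}
}

// Outcome records what the constructed timeline in ActuatorOutage produced.
type Outcome struct {
	SetpointDuringOutage   float64
	AutonomousDuringOutage bool
	LateErr                error // a command issued during the outage, delivered late
	ReplayErr              error // the same command delivered a second time
	SetpointAfter          float64
	AutonomousAfter        bool
}

func ActuatorOutage() Outcome {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed
	a := NewActuator(40, 10*time.Second, 30*time.Second, t0)
	var o Outcome
	a.Apply(Command{1, 60, t0}, t0)  // normal operation: valve to 60 %
	a.Tick(t0.Add(40 * time.Second)) // channel silent for 40 s: watchdog fires
	o.SetpointDuringOutage, o.AutonomousDuringOutage = a.Setpoint, a.Autonomous
	late := Command{2, 70, t0.Add(5 * time.Second)}
	o.LateErr = a.Apply(late, t0.Add(45*time.Second)) // 40 s old: rejected, not applied
	fresh := Command{3, 70, t0.Add(50 * time.Second)}
	a.Apply(fresh, t0.Add(50*time.Second))               // fresh: back to normal operation
	o.ReplayErr = a.Apply(fresh, t0.Add(51*time.Second)) // duplicate delivery: rejected
	o.SetpointAfter, o.AutonomousAfter = a.Setpoint, a.Autonomous
	return o
}

func main() {
	fmt.Printf("%+v\n", ActuatorOutage())
}
```

The freshness window (MaxAge) and the watchdog deadline are separate knobs: the first decides whether an individual command may still be acted on, the second decides how long the actuator tolerates silence before it stops trusting its last setpoint. Both would be tuned to the thermal time constants of the network segment the actuator serves.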
Implementing Security in District Heating Systems
DH is a socio-technical system involving people and technology, so cybersecurity solutions must address organisational and technological concerns.

Organisational Considerations

Organisations must consider all risks that arise from their use of IT, regardless of whether this is from sensors and actuators embedded in artefacts of everyday life, such as thermostats, pumps, meters, or other remote-controlled infrastructure, or from administrative systems used for forecasting, billing, or administration. As mentioned above, implementing NIS 2 means that boards of critical infrastructure companies, such as DH utilities, must have sufficient cybersecurity qualifications to define risk management strategies and oversee the implementation of policies and controls to address cybersecurity issues. In addition to security education and training efforts, responsible organisations will run general security awareness programs to reduce the risk of employees becoming victims of social engineering, where an attacker tricks the employee into disclosing sensitive information or providing access to protected resources or computer systems.

The goal must always be to increase the organisation’s robustness against cyber-attacks by developing security incident and disaster recovery plans (so-called playbooks) and running periodic exercises to ensure that all aspects of the plans are still relevant and feasible and that everybody in the organisation knows their role. Developing a good playbook requires a thorough risk analysis, which should also include a threat model. Risk analysis focuses on the cause and effect of unwanted events in the system (i.e., security incidents), whereas threat analysis focuses on a threat agent’s motives, means, and opportunities; typically the threat agent is an external hacker, but insider threats are also considered.

Risk analysis

Risk analysis is a mature area that has developed over centuries in public safety and the insurance industry.
In most cases, the risk analyst will focus on security incidents and estimate their likelihood and consequential costs. Some potential security incidents may be well known and understood; this helps estimate the likelihood and consequence, but cybersecurity transcends natural hazards and must deal with an intelligent and motivated adversary. This means that systems must be analysed regularly with an eye to what can possibly go wrong, in addition to examining things that have gone wrong in the past or gone wrong in other systems. Standard risk management
25 www.dbdh.dk