Andreas Michael

Through an integrated risk assessment TÜV SÜD and ONTRAS have proved that effective countermeasures to improve cybersecurity need not necessarily involve major costs and efforts or upgrades of the IT and/or OT systems, Andreas Michael, Jens Gerlach and Sven Kalmeier tell OGN


The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) is calling for increased vigilance in preventing cybersecurity attacks.

This is particularly in reference to operators of critical infrastructure like supply networks, where assessment of both safety and security is imperative.

Testing, inspection and certification (TIC) company TÜV SÜD has thus developed an integrated plan for risk assessment, which was first implemented in collaboration with pipeline operator ONTRAS Gastransport.

Since 2022, in light of updated legal requirements, many facilities and systems at energy supply companies in Germany have been classified as "critical infrastructure" (KRITIS).

ONTRAS operates a 7,700-km long transmission network in eastern Germany

The current requirements are set out in the second amendment of the BSI KRITIS Regulation and in the IT Security Act 2.0.

Through these, the lawmaker presents various new requirements, including implementing an information security management system (ISMS).

Additionally, "critical infrastructure" is subject to the normative requirements of the DIN ISO/IEC 27001 standard, extended by the DIN ISO/IEC 27019 standard.

The Energy Industry Act (Energiewirtschaftsgesetz, EnWG) also requires operators of critical infrastructure to fulfil a list of security criteria published by the Federal Network Agency (Bundesnetzagentur, BNetzA) for the purpose of protecting the energy supply networks, and to document their compliance.

Known vulnerabilities such as "Log4Shell" in commonly used software may serve as entry points for cyberattacks and are, therefore, classified as extremely critical cybersecurity threats by the BSI.

As problems concerning cybersecurity are relatively new within the realm of technological development, a comprehensive understanding of the subject has not yet taken root throughout the industry.


ASSESSING CYBERSECURITY OF A GAS-PRESSURE REGULATOR AND GAUGE

The integrated risk assessment includes the existing management systems of IT and OT, as well as safety and security

Leipzig-based ONTRAS Gastransport operates a gas pipeline network in eastern Germany, comprising roughly 450 coupling points and spanning around 7,700 km.

From an early stage, the company knew that a comprehensive risk assessment required examination of both its data processing systems (information technology, IT) and the hardware and software used for infrastructure operation (operational technology, OT).

To this end, TÜV SÜD developed an integrated approach that built on protection of systems against unauthorised access (security) and protection of people, assets and the environment (safety).

The integrated risk assessment concept, which combines both classic safety and cybersecurity aspects, was put to the test for the first time on a gas pressure regulator and gauge at ONTRAS.

The experts started by recording the status of the gas pressure regulator and gauge, and then merged the existing assessments of safety risks with the ISMS assessments.

Analysis focused first and foremost on assessing the quality of interaction between safety and security and on identifying areas that still had room for improvement.

In the next step, the experts organised a workshop to work out the protection goals, hazard potentials and vulnerabilities.

After analysis of the cybersecurity risks, solutions most suitable for mitigating these threats were established while also limiting the opportunity for new ones to appear.

Both TÜV SÜD and ONTRAS relied on the Enhanced Risk Assessment (ERA) to analyse the risks posed by the gas-pressure regulator and gauge.

In a final step, the experts prepared documentation outlining various aspects, including the risks and interfaces that needed to be assessed if plant components were to be changed or added in the future.

The most important elements for successful safety and security management are smooth communication among safety and security employees, and a shared understanding of their mutual influences.


EVEN SIMPLE MEASURES CAN LEAD TO SUCCESS

Integrated risk assessment of the gas-pressure regulator and gauge at ONTRAS showed that effective countermeasures to improve cybersecurity need not necessarily involve major costs and efforts or upgrades of the IT and/or OT systems.

In the case on hand, the use of certain mechanical components had a positive influence on the level of cybersecurity.

As these mechanical components are not wirelessly connected, their use does not give rise to any additional cybersecurity risks and protects the system against malfunctions resulting from possible cybersecurity manipulation.

Suppliers of electricity, gas, water and heat and service providers operating in these areas can thus use parts of their safety measures to reduce cybersecurity risks.

TÜV SÜD’s ERA aids in the systematic assessment of safety and cybersecurity risks and in deriving effective measures to enhance security levels (SLs).

Implementation of such measures is often surprisingly simple and resource efficient.

However, successful completion of the ERA depends on how management addresses the topic of cybersecurity and their commitment to driving its advancement.

This flexible method can even be applied to other sectors of industry, companies and infrastructure that do not form part of critical infrastructure.


* Andreas Michael is Industrial IT Security Expert at TÜV SÜD Industrie Service; Jens Gerlach is Team Lead Automation and Electrical Engineering, and Sven Kalmeier is Specialist Planning/Technology, at ONTRAS Gastransport.


By Abdulaziz Khattak
