Best Practices to Enhance Industrial Cybersecurity – Energy Storage System
With more and more similar cybersecurity incidents occurring in OT systems, business owners and regulators are keen to seek solutions that enhance industrial cybersecurity and allow businesses to keep functioning normally. In our previous articles, we have talked about the defense-in-depth concept that allows you to leverage the existing network infrastructure and investment to build the first line of your network defense. In this article, we will share the best practices, in which we collaborated with our global customers, to safeguard their critical infrastructure–the energy storage system for the renewable energy sector.
When it comes to renewable energy, we often think of solar or wind farms that bring cleaner electricity to global citizens. It is a great initiative that keeps driving the global economy while reducing carbon dioxide emissions. The public and private sectors are both working together to move toward this healthier future. However, one of the shortcomings of renewable energy is the difficulty of matching supply with demand. The sun does not always shine when the community needs electricity during peak periods and the wind does not stop blowing during off-peak periods. One of the ways to stabilize the power grid and offer a steadier power supply is to use batteries that can store surplus power when the supply is high and can discharge power when the supply is low.
Security Challenges of an Energy Storage System
What Is an Energy Storage System (ESS)?
An energy storage system can convert electrical energy that is generated into a form that can be stored. A common example of energy storage in the renewable energy sector is the rechargeable battery. A typical ESS in a wind or solar farm consists of the energy management system (EMS) and the power plant controller to monitor and control operations of the ESS in real time. The power plant controller aggregates the data collected from the power conversion system (PCS) and the battery management system (BMS) containers. All the equipment is placed in containers that are often deployed in harsh environments such as deserts or the Arctic where renewable energy sources such as the sun and wind are plentiful.
The ESS, as mentioned earlier, includes multiple systems to ensure the stableness of the whole process of power storage and supply. The network communication between the EMS, PCS, and BMS needs to be protected from unauthorized access and any unwanted activity that may disrupt operations. Thus, we recommend considering the potential security risks from two perspectives. The first is the overall network security boundary: is the access authenticated and authorized, and are the commands being sent as expected? The other is the communication security at the edge: is the communication and access of the device securely protected? These security mechanisms need to be designed when containers are produced at the manufacturing sites, which allows the whole system to be efficiently delivered and connected to the farm and grid.
Best Practices on Safeguarding the Energy Storage System
To dive deeper into these two perspectives, we will look at the following case studies to understand the practices that can protect both the Ethernet and serial-based networks from the edge to the network level.
Build Security Boundaries Vertically and Horizontally
To protect the communications between the renewable energy system, the power plant controller, the power conversion system and the substation system, we suggest deploying stateful firewalls with Modbus deep packet inspection (DPI) in between.
- Vertical protection: the firewalls play an important role as a gatekeeper to protect the communication in between the systems.
- Horizontal protection: the Modbus deep packet inspection engine can examine the commands going through and drop the packets that are not authorized or not listed.
As solar or wind farms are often located in remote areas, deploying an all-in-one firewall/NAT/VPN/switch solution that features network redundancy can help system integrators efficiently design the network architecture before the systems are commissioned at the field site. The NAT function can also help manage the consistency of IP addresses for the equipment in each container, reducing the hassles that arise from conflicting IP addresses.
Enhance Remote Connection Security for a Li-ion ESS
To develop seamless and secure communications between an ESS and the control center, we suggest a reliable edge connectivity solution deployed in between.
- Facilitate communications at the edge: deploy protocol gateways between Modbus serial-based batteries and Ethernet-based RTUs to ensure seamless communications.
- Secure the communications: leverage security features such as HTTPS, SNMPv3 management, and Accessible IP Addresses to ensure the communication and access of the device is securely protected, reducing risks and enhancing the reliability of remote communications.
To ensure smooth operation of the ESS, you need to pay attention to several operational conditions. Information such as battery level, power stability, and environmental conditions require constant monitoring from the control center. Therefore, a protocol gateway that has easy-to-use configuration tools can help operators collect data from a variety of serial-based field devices and incorporate it into Ethernet-based systems smoothly. In addition, secure-hardened protocol gateways that feature embedded security functions with a step-by-step security hardening guide can enhance your device security with minimal effort.
Moxa has helped customers build secure communication and networks around the world. Download the case studies to learn more.
A secure and reliable energy storage system (ESS) can help expand electricity capacity of the renewable energy sector in response to the initiative of increasing the share of renewable energy and stabilizing power supply. An ESS also plays an important role to maintain the security of critical infrastructure. In light of the whole power ecosystem, we recommend securing the network and communications by defining the network security boundary to determine who can access a network and what information they can pass through it. In addition, to enhance the reliability of the power storage and management system, it is imperative to ensure the security of communications in between the devices that connect the batteries and sensors inside the containers.
The MGate Series protocol gateways provide a variety of protocol conversion options for your ESS applications. Our protocol gateways are designed based on the IEC 62443 standard to enhance your device and connectivity security when you are connecting critical field data to IP networks. In addition, our MGate protocol gateways feature easy-to-use configuration and troubleshooting tools, which simplifies device deployment and makes maintenance easier for engineers.
The EDR-G9010 Series industrial secure routers help enhance cybersecurity not just forming perimeter protection but also preventing lateral (east-west) movement of malicious or unauthorized traffic. Featuring the deep packet inspect engine, the EDR-G9010 Series can recognize industrial protocols such as Modbus TCP/UDP and DNP3 traffic to protect the communication between the ESS and substation.
Nyheter från Cat AB
Här är W4, en uppgraderad NPort WirelessUppgraderad modell, anslut dina seriella enheter –såsom exempelvis PLC:er, mätare och sensorer– till ett trådlöst LAN. Ha koll på var de är och hur de mår samtidigt som du kan lägga till en del nya säkerhetsfunktioner såsom Secure Boot.
Liten, pålitlig, snabb och ändå anpassad för industriers kravGo Beyond the Limits With the EDS-2000/G2000-EL Series Industrial Unmanaged Switches, Minimal Size, Maximal Durability!
Öka hastigheten i dina nav med 3.2 hubbarMoxas nya USB hubb är ett nav som kan skapa upp till 7 anslutningar och ge 5 Gbps på var port. Med extern strömförsörjning matar var port 900mA, industriklassad utrustning, läs mer om UPort 400A serien.
Ny medarbetareVälkommen Stefan Edlund, Business Development Manager på Cat AB!
Senaste nyhetsbrevet från Cat ABNyheter och tips från Cat AB, så heter vårt nyhetsbrev som kommer ut 1-2ggr/ månad med någon extra utgåva när... Läs mer »
NAT-102 Moxas nya adressöversättare med brandväggNYHET! NAT-102, Moxas industriella adressöversättare med brandvägg kan hjälpa er att få tillgång till fler IP-adresser via privat adressering, men de kan även användas för att skapa lika interna nätverk eller för att öka datasäkerheten.
Moxas svar ang. sårbarheter och Realtek AP-Router SDKMoxa svarar på sårbarhet funna i Realtek SDK där många hundra tusentals enheter världen över kan ha drabbats, Moxa har i dags dato (2 december 2021) ej funnit att sårbarheten kan användas i Moxas befintliga sortiment eller i produkter vilka omfattas av garantitid.
Moxas svar angående sårbarhet och InterNiche Stack (INFRA:HALT)Ett antal sårbarheter(14) har hittats i flera HCC Embedded’s InterNiche stack (NicheStack) samt i NicheLite. Ingen av Moxas produkter i sortimentet eller med giltig garantitid anses påverkade vid dags dato (2 dec. 21).
Nya avsnitt Security TalksSecurity talks med Moxas Jesse och Thomas Burk, Mitsubishi Electric Automation (tidigare chef för OPC Foundation). Hör med om säkerhet, få koll på nya förkortningar och lär av erfarenheter inom cybersecurity.
Lilla biblioteketI lilla biblioteket har vi börjat samla artiklar och publikationer som vi på Cat tycker är intressanta. Kom gärna med tips och idéer