Sungrow recently announced the company's implementation of the IEC 62443-4-1 industrial security standard, certified by the international certification organization DEKRA. Sungrow says it is now the first company in the renewable energy industry to hold CB certification for this standard.
IEC 62443-4-1 specifies process requirements for the secure development of products used in industrial automation and control systems (IACS) and defines a secure development lifecycle for developing and maintaining secure products. The standard treats cybersecurity as an ongoing process and targets the development of IACS components that are secure by design. The integration of these components into an industrial environment then has to be governed by defense-in-depth policies and practices.
The standard has been incorporated into the IECEE CB certification system. It is one of the best practice standards selected by the EU Network and Information Security Directive (NIS Directive). Countries including the United States, Japan, Singapore, South Korea, Australia and India have adopted the standard as their national code.
From design and development to testing and implementation, Sungrow states that it follows the standard's secure product development life-cycle process in full, covering security management, specification of security requirements, secure design, secure implementation, security verification and validation testing, management of security-related issues, security update management and security guidelines.
“The Sungrow iSolarCloud system solution passed all requirements of the standard. We’re proud to be among the few cybersecurity companies offering a certified solution that is designed with security built into products from the beginning of the development life cycle. This is all thanks to the diligent work of our dedicated technical team,” said James Wu, VP of Sungrow.
Industrial cyber security is especially vital in an agile Industrial IoT (IIoT) environment. The certification is just the tip of the iceberg regarding Sungrow’s commitment to industrial security.
“Security will always be a priority for our customers. Sungrow will continue to build and deliver certified products that address their security needs,” Wu added.
News item from Sungrow
Solarman says
Security is tantamount to success in a lot of businesses. There have already been hacks where someone drilled through the IP layer of communication to the OT layer of communication, created a ransomware attack and was able to change the sodium hydroxide level injected into the domestic water reservoir in Florida to be (100) times larger than it should be. Old Windows operating systems were found in service that had not been supported by Microsoft for years.
There was also a ransomware attack on a gas pipeline remote pumping site. It took a day to figure out the site was offline. An intrusion into the site's control software was found, and the ransomware attack basically shut down the site.
Software layers are a (good) intervention against hacking. The larger problem will always be sloppy sub-contractors allowing high-level passwords to get out to the internet at large. I imagine somewhere on the dark web there is a bitcoin site where you can buy company passwords cheap and begin your own intrusion. Disgruntled employees are another weak link in the chain. The most robust SCADA system I worked on used encrypted radios for site-to-site and site-to-mainframe communications, (256 bit) military grade. Notice: no IIoT or IP from the remote sites to the SCADA system. From the SCADA system there was a KEPWARE historical archive that built tables of data to be shared as (deterministic read-only data tables); there is the first hardware/software firewall for attack remediation. A lot of the control algorithms are set in the remote control units and have continuous high-level and low-level alarms. In the case of the domestic water system attack, the remote controller unit would have shown an out-of-tolerance level command and would have reduced the level to the normal range. A lot of these PLC or PAC units have their own security. It is inconvenient, but if set properly the only way to change the program in the PLC or PAC is to go to the remote site with a laptop with the appropriate software and physically plug into the unit to program or test. Yeah, you can have SCADA in the (cloud); the problem there is just where is this (cloud) and how secure is it?
The low-hanging fruit for entry are open WiFi ports or Bluetooth ports on IIoT devices in the field, like pressure transducers, flow meters, turbidity meters and residual meters using airwave transmissions instead of hard-wiring transducers directly to the remote master station. MAC addresses in these devices could be used to gain entry to the control layer or communications. In a plant situation, all of this porosity should be turned off, and status should come from current wiring used as a communications backbone or a looped-through fiber network (not) connected in any way to the outside world.
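The controller-side high/low limits the comment describes (limits held in the PLC/RTU so an out-of-tolerance write from SCADA is rejected and alarmed rather than acted on), as an added example that is not the commenter's code or any vendor's firmware; the controller model, the dosing setpoint, its limits and the written values are all constructed for illustration:

```python
from dataclasses import dataclass, field


@dataclass
class LocalSetpoint:
    """A setpoint held in the remote controller (PLC/PAC/RTU) with its own
    engineering limits. The limits live in the controller, not in SCADA, so a
    compromised HMI host or a leaked operator password cannot widen them."""
    name: str
    lo: float          # low engineering limit (configured locally)
    hi: float          # high engineering limit (configured locally)
    max_step: float    # largest change accepted in a single command
    value: float       # current active setpoint
    alarms: list = field(default_factory=list)

    def command(self, requested: float, source: str) -> float:
        """Apply a remote setpoint write; return the value actually adopted."""
        if not (self.lo <= requested <= self.hi):
            # Out-of-tolerance command: hold the last good value and alarm.
            self.alarms.append(
                f"HI/LO ALARM {self.name}: {source} wrote {requested}, "
                f"outside [{self.lo}, {self.hi}]; command rejected")
            return self.value
        step = requested - self.value
        if abs(step) > self.max_step:
            # In range but an implausible jump: move one step only and alarm.
            limited = self.value + (self.max_step if step > 0 else -self.max_step)
            self.alarms.append(
                f"RATE ALARM {self.name}: {source} wrote {requested}, "
                f"step {step:+} exceeds {self.max_step}; limited to {limited}")
            self.value = limited
            return self.value
        self.value = requested
        return self.value


def caustic_dose_demo() -> LocalSetpoint:
    """Constructed scenario (hypothetical values): a sodium hydroxide dosing
    setpoint in ppm receives a normal trim, then a 100x write of the kind the
    comment describes, then an in-range but oversized jump."""
    dose = LocalSetpoint("naoh_dose_ppm", lo=50.0, hi=150.0,
                         max_step=10.0, value=100.0)
    dose.command(105.0, source="scada-hmi")    # normal operator trim: accepted
    dose.command(10500.0, source="scada-hmi")  # 100x value: rejected, alarmed
    dose.command(150.0, source="scada-hmi")    # too big a step: rate-limited
    return dose


if __name__ == "__main__":
    sp = caustic_dose_demo()
    print(sp.value, *sp.alarms, sep="\n")
```

The point the comment makes is that this check runs in the field unit, independent of whatever the SCADA layer sends, so the controller itself is the last line of defence when upstream credentials or hosts are compromised.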