If highly sensitive information falls into the wrong hands, the damage can be immense. To protect such information, a tight cybersecurity concept is necessary. This is what Dr. Hubert Feyrer, who holds a doctorate in computer science, tells us. After teaching at international universities, he spent ten years at Volkswagen as Chief Information Security Officer and is now a cybersecurity expert at Maschinenfabrik Reinhausen.
Mr. Feyrer, what is cybersecurity?
IT security, information security, protection of data and information, availability, confidentiality, integrity – this is initially very abstract. In concrete terms, it can be broken down into control security and protection goals which means that our systems must be ready and available for their intended purpose. Errors in the form of failures are easy to detect but these should be avoided at all costs by taking measures in advance.
In terms of cybersecurity, the protection goals of confidentiality and integrity – that data must not be accessible to unauthorized persons and must therefore be confidential – are more difficult to recognize, but just as important. If unauthorized changes take place, then the data can no longer be relied upon. Here, too, appropriate precautions must be taken in advance, but also, if possible, recognized and averted during operation.
Why is high cybersecurity important for transformers?
Transformers consist of many individual components. The trend is toward more remote control, and thus more networking, and thus in turn more attack surface that must be secured. In distant regions, remote monitoring is faster, easier and more effective than sending a technician on site.
But this requires securing access points and functions against unauthorized use, as well as detecting and defending against technical attacks. With all things digital, cybersecurity protection goals are important to ensure expected functions. And, of course, for control functions it is important to ensure that input values and operating parameters are within the defined ranges and that deviations are detected – regardless of whether they result from errors in operation or deliberate manipulation.
“Cybersecurity does not only include protection against attacks, but also the reliability of the systems.”
Dr. Hubert Feyrer
What does cybersecurity look like in product development?
There are three major areas for protecting machines from humans, whether through error or tampering: prevention, detection, response. This means that potential risks are already identified during the design stage – security by design – which are then avoided with suitable measures during development, programming and production.
But the life of our products only begins at the end of production, and new vulnerabilities must also be identified during use by customers, and any resulting risks must be assessed. If our customers’ own risks increase in their environment as a result, it is our responsibility to inform them of this and provide security updates for our products accordingly. This is where the proactive prevention of risks in development intertwines with the identification of appropriate responses in use by customers and in our product maintenance.
International standards such as ISO 27001 and IEC 62443 provide procedural models for this which comprise planning, implementation, review and continuous improvement. And so that you don’t have to start from scratch, there is an extensive catalog of topics that include possible risks and how to deal with them across departments. Everything must fit so that the chain does not break at its weakest link.
How well positioned is MR in terms of cybersecurity?
An information security management system (ISMS) is currently being set up with a focus on ETOS® and the delivery of ETOS® software updates through our MR customer portal. Along with the developers, all supporting departments are also involved: from IT to HR and from purchasing to the legal department. In the project, the current status is being checked by comparison with a catalog of measures specified by ISO 27001, and risks are being identified and measures derived.
Digitalization of power transformers — what challenges and risks does this pose for customers?
Here is an example: An ETOS® is connected to TESSA®, the MR asset management platform. The necessary encryption infrastructure is developed and coordinated with the departments responsible for the two MR products at the ends of the connection. Security in development also includes performing independent checks in the form of penetration tests and independent audits before delivery to customers. And of course, our products are also monitored after delivery to identify newly discovered vulnerabilities early on and enable their remediation through software updates in the MR customer portal.
What does the future hold?
In addition to all these technical and organizational issues, there are many legal developments, as legislators have also recognized the importance of cybersecurity. One example of this is the upcoming Cyber Resilience Act which will set EU-wide specifications for products with digital elements. Thanks to our preparatory work and many years of experience, we are well prepared here to be able to offer legally and technically secure products to the market. Of course, we remain constantly on our toes, monitoring current developments, adapting our processes and training all our developers. Because cybersecurity is a team sport that we must master together through commitment and expertise in order to offer our customers secure products and services today and in the future.