Wärtsilä improves energy management cybersecurity with major certification

Energy infrastructure is increasingly vulnerable to cyberattacks. With the certification of its GEMS PPC system, Wärtsilä can offer customers peace of mind and added value to their own systems.

Energy infrastructure is increasingly vulnerable to cyberattacks. With the certification of its GEMS PPC system, Wärtsilä can offer customers peace of mind and added value to their own systems.

Wärtsilä has become the first company in the industry to achieve The International Electrotechnical Commission (IEC) 62443 cybersecurity certification for its GEMS energy storage technology. As a result, power plants around the world can now add cybersecurity certifications to the list of benefits of Wärtsilä’s GEMS Power Plant Controller (PPC) system.

The IEC 62443 series consists of a number of standards and reports that define procedures for the implementation of electronically secure systems across a range of industries. In total, Wärtsilä attained two IEC levels: the 62443 4-1 (SDL) at the Maturity Level 2 and the 62442 4-2 (Device) certification for the PPC at the Security Level 1. The certifications show that the GEMS PPC product and software development processes have met a stringent set of cybersecurity requirements.

“We pursued certifications because we deal with critical infrastructure,” says Murat Bayraktar, Senior Software Architect, Wärtsilä. “Everyone is more aware of cybersecurity threats and we are receiving increasingly sophisticated questions about them from customers.”

Threats towards consumers might receive the most attention in the news, but industrial control systems – including in the energy industry – are frequent victims of cyberattacks. In March 2020, the European energy transmission system was hit by a cyberattack, and just a few months later the UK’s power grid middleman Elexon was targeted. Similarly, Honda was hit earlier this year by a sophisticated attack aimed at its industrial control systems. The situation was bad enough that Honda factories halted operation in North America, Europe and Japan.

“We are involved in renewable energy and energy storage, and 10 years ago this was a small piece of the energy market. Years ago, I had one customer tell me he was more concerned about a truck hitting a transformer than a cyberattack on our storage system,” explains Sen Zhang, Senior Vice President of Engineering, Wärtsilä. “Now things have totally changed and renewable energy sources make up a huge percentage of the market. Today our customers are very concerned with cybersecurity threats.”

Managing complex energy systems with GEMS

As cybercrime continues to escalate, energy systems around the world are also in constant evolution. Intermittent energy, such as that provided by solar and wind, now provide more and more of the energy used in homes and businesses. This places strain on grids as they synchronise ever-changing energy supply, storage and demand. Renewables and energy storage continue to grow, making the energy systems of the future even more dependent upon sophisticated energy management platforms like GEMS.

GEMS is an energy management platform that monitors, controls and optimises energy systems. It uses machine learning and real-time data analytics to calibrate what type of generation is needed at a specific time, such as renewables, energy storage or thermal generation assets. It is a cutting-edge solution and a major advantage for Wärtsilä in the energy industry.

The GEMS PPC is one critical component of this platform. It conducts intelligent power control and optimised energy management operations for power plants. The PPC can also help power plants increase flexibility and efficiency, saving time, money, emissions and energy.

Wärtsilä GEMS

GEMS is an energy management platform that monitors, controls and optimises energy systems.


The serious business of cybersecurity

Such an important system needs to be protected from cyberattacks. There is no such thing as a 100% secure solution, but the energy industry has developed a set of standards for cybersecurity. The IEC 62443 standard specifies security capabilities for control system components.

“We chose to earn two certifications: one for the product itself and one for the development process,” Bayraktar says. “This shows that not only is the PPC solution certified, but our development process is certified as well. We have firm security practices built in to our process. When we add new features or make architectural changes, we always review them from a security perspective.”

To gain the certifications, Wärtsilä used the certifying organisation exida, a world leader in automation cybersecurity. The experts at exida worked closely with Wärtsilä for an extended period of time to be certain that Wärtsilä’s solution and processes were secure. The certification process includes analysis of engineering procedures, documentation review, product design and device validation testing to demonstrate cybersecurity.

“We worked nine months to receive the certifications,” Bayraktar says. “All of us learned a lot during the process, and we were able to identify gaps in both the product and process. Many of us earned personal cybersecurity certifications ourselves.”

Energy management cybersecurity 2

Adding big value for customers

The GEMS team didn’t want the certifications simply as decorations to hang on office walls. They add real value to Wärtsilä’s energy customers.

“It is common for a potential client to come to us with a long list of specific cybersecurity questions. It takes a lot of time and effort for both us and the client to go through them all,” says Bayraktar. “But now the majority of those questions are answered by the certifications and are verified by a third party, exida. I’ve experienced first-hand how this helps customers. I show them the certification documentation and explain how their specific security concerns are addressed.”

Governments around the world are well aware of the threat to energy systems, and many encourage or require energy companies to prove the level of their cybersecurity.

“For example, cybersecurity compliance plays prominently in the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP),” explains Zhang. “Now our customers can show that they are using our system which is already certified. If they are using certified solutions it makes it easier for them to achieve NERC CIP compliance.”

Making security central to future work

Zhang stresses that cybersecurity certification is a process, not an event. The GEMS PPC solution has been certified, but it takes serious effort to maintain that standard. Moreover, cybersecurity is important throughout Wärtsilä, and many other solutions could earn certification. “Our team now has experience, so we can explain the process and how we have implemented cybersecurity into how we work,” Bayraktar says.

Wärtsilä’s Energy Storage and Optimisation unit is also interested in advancing their certifications. The GEMS Power Plant Controller is only one of their solutions. GEMS also has a Grid Controller which conducts intelligent grid control and optimised power management for microgrids, while Fleet Director provides centralised, real-time visibility into a global fleet of power plants. Moreover, these solutions do not work in isolation.

“GEMS PPC is part of a whole network,” says Zhang. “The network might include Wärtsilä engines, GEMS and solutions from our partners. Our next step might be getting the entire control network certified cybersecure.”

GEMS PPC certification details

62443-4-1

This certification specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle and includes:

  • Security requirements definition
  • Design
  • Implementation (including coding)
  • Verification and validation
  • Defect management
  • Patch management
  • Product end-of-life

62443-4-2

This cybersecurity certification provides detailed technical control system component security requirements, including:

  • Identification and authentication control
  • Use control
  • System integrity
  • Data confidentiality
  • Restricted data flow
  • Timely response to events
  • Resource availability

Source: International Society of Automation

Written by
David J. Cord