Cybersecurity for Substation Automation

Cybersecurity has become a critical aspect of the power industry’s grid modernization. Today’s electric energy automation and operational technology (OT) control systems interconnect with multiple networks, systems, and locations, which has increased operational efficiencies tremendously. However, these interconnected digital system also has introduced cybersecurity concerns previously known only to office or enterprise IT systems. Furthermore, global challenges - such as more published vulnerabilities, a growing number of cybersecurity incidents targeting industrial control systems, and the increase in digitalization - have made it more complex to secure the electric energy OT automation and control system infrastructure.

Cybersecurity is an integral part of product development at Hitachi Energy. From the outset, our grid automation products are designed with comprehensive, cybersecure measures. We have a well-defined Security Development Lifecycle program and implement multiple secure processes, including handling requirements, security training for software developers, threat modeling, in-house and external security testing. Our reliable, secure customer solutions also include built-in security features, such as individual user accounts and detailed security event logs.

When delivering a system, threaded throughout the project lifecycle, the project organization is responsible for the cybersecurity of our system delivery. Project execution embeds cybersecurity within processes during the design, engineering, acceptance testing, and commissioning phases. This approach is designed to deliver critical infrastructure solutions with the appropriate security properties and to securely execute projects.

Hitachi Energy provides several offerings to help you manage the risks of cybersecurity exposure throughout the life of your industrial automation and control system:  

• ASSESS: Hitachi Energy carries out a cybersecurity assessment and an interview with you to understand your processes and procedures. A detailed cybersecurity assessment report is then produced and provided to you along with a set of recommended actions for improved cybersecurity specific to your system.
• IMPLEMENT: We provide recommended actions for you to implement based on the cybersecurity assessment and our domain expertise. Upon agreement, Hitachi Energy implements the recommendations for your system, ensuring your critical systems are more secure.
• SUSTAIN: By appointing Hitachi Energy as your cybersecurity partner; you enter a care agreement that ensures you benefit from our huge domain expertise across the globe. Your power systems will be regularly assessed and monitored by the Hitachi Energy cybersecurity service team for any potential cybersecurity infringements.

Cybersecurity is a constantly evolving target. Any cybersecurity measures that have been deployed need to be maintained continually. Plus, the effectiveness of your cybersecurity measures need to be assessed periodically in order to manage and reduce the risk of cybersecurity exposure. As an extension of our project delivery, Hitachi Energy offers security services that are focused on maintaining and increasing cybersecurity in the installed base of our grid automation systems. In addition to technical solutions, we provide training, consulting, and cybersecurity risk assessment solutions for any industrial automation and control systems.

The assessment provides technical and organizational analysis and proposes optimized measures to reduce cybersecurity risks at the installation. We offer a three-stage approach to optimize and maintain your system: ASSESS - IMPLEMENT - SUSTAIN

Hitachi Energy takes cybersecurity seriously and is committed to achieving certification to international standards in cybersecurity.

Hitachi Energy has successfully obtained certifications in:

• IEC 62443-2-4 sets the requirements for service providers that are involved in delivering industrial automation and control systems. 
• IEC 62443-3-3 describes the requirements for an industrial automation and control system based on the security level. Our substation automation reference architecture that is based on our offerings is certified. 
• IEC 62443-4-1 specifies the requirements for a product developer’s security development lifecycle. The requirements apply to our R&D unit that spans multiple countries developing our products. We received certification as well in IEC 62443-4-1. 
• ISO 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Hitachi Energy globally received certification in ISO 27001.

For Hitachi Energy, attaining and maintaining certification to these standards is the ideal combination for both Information Technology and Operational Technology.

At Hitachi Energy, we are committed to providing our customers with products, systems, and services that clearly address cybersecurity and minimize risks. The proper and timely handling of software vulnerabilities is one way we help you minimize cyber risks. Thus, we have established a formal vulnerability handling policy in relation to cybersecurity. 

This rigorous multi-step process is aligned with international standards, namely ISO/IEC 29147 and ISO/IEC 30111, and is applicable on a company-wide basis. Please refer to our Hitachi Energy Software Vulnerability Handling Policy document (PDF).

For any reported vulnerabilities, we publish the cybersecurity advisory in our Cybersecurity Alerts and Notifications page.

Hitachi Energy’s intense focus on cybersecurity was rewarded in 2021, when we were accepted as a Common Vulnerabilities and Exposures (CVE) Numbering Authority.