The Danger of Hacker Attacks: What Must Companies Bear in Mind?
PV systems, air conditioning technology, storage systems and electric vehicles are linked and exchange information — fully digitally. The energy transition is in full swing; linking different energy sectors is gaining in importance. Companies like SMA have to meet the challenge of making this data exchange as secure as possible to prevent cyber attacks such as the attack on the energy supply system in Ukraine in December 2016. We talked to Marek Seeger, Information Security Officer at SMA, and Dr. Ingo Hanke, Technical Manager Product IT Security, about how SMA is preparing for digitalization and cyber-security requirements.
What risks does the increasing digitalization of the energy supply entail?
Marek Seeger: First of all, digitalization is a great opportunity — particularly in the area of energy supply. The coupling of different sectors has just about been made possible and benefits consumers and users in particular. On the other hand, threats to IT systems and distributed industrial IoT structures (Internet of Things) have significantly intensified in the last decade. The energy sector is not exempt from that. Massive, targeted attacks with a criminal or terrorist background are now almost daily fare.
What challenges do companies have to face now?
Dr. Ingo Hanke: In the past, SMA products were the subject of weak point analyses carried out by various security researchers, who thereby raised public awareness of the topic. As one of the most important market participants in the area of photovoltaics worldwide, we are aware of these risks and have taken them very seriously from the outset. We defined our basic policy for dealing openly with security weaknesses at an early stage. We constantly work on the necessary countermeasures and also proactively implement new procedures. At the same time, external service providers regularly subject our products to penetration tests. These involve using the same methods that hackers use. These voluntary technical cyber security tests help us uncover any weak points early on and ensure adequate IT security.
What exactly does SMA do to take account of the increased digital requirements and requirements in terms of data-protection law?
Marek: As early as 2010, SMA invested in implementing a secure communication platform for real-time communication over the Internet. This has been part of the standard scope of delivery for SMA products since 2011. In addition to this, a company-wide overall strategy to protect against cyber security threats was developed. SMA created various positions within the company that are exclusively dedicated to dealing with the topic of IT security. In this way, we ensure that we can respond to all activities affecting cyber security quickly and efficiently. And, of course, we constantly enhance our technical expertise in the area of cyber security. To that end, we created the innovation field Cyber Security. This is an internal committee of experts that assesses security issues and actively develops new security solutions.
What does that specifically mean for the security of SMA products?
Ingo: SMA is the first manufacturer to develop a technical innovation in the area of system communication and is the only one to offer it in this way for PV system technology. Specifically, the latest versions of our firmware enable communication within the system that is fully encrypted.
This provides our customers with additional protection against hacker attacks. We have already been using encrypted communication between the PV systems and our monitoring solutions (e.g., Sunny Portal) as standard for many years. The SMA Sunny Portal, the world’s largest monitoring portal for PV systems with 400,000 registered systems, is also regularly examined by external security experts.
SMA is actively involved in the association work of national and international organizations relevant to cyber security and the utility grid, e.g., in the network technology / network operation forum of the Association for Electrical, Electronic and Information Technologies (VDE), the SunSpec Alliance and the Open Web Application Security Project (OWASP).
We are happy to answer questions from our customers about cyber security at any time. E-mail: information-security@SMA.de