Accelerating digitization and the virtual power plants of the future

We all know that digitization has been ongoing in society for quite some time. One of the challenges involved in this change in critical operations, such as electricity and water suppliers, is the digitization of vital OT systems.

These systems, also called control systems, are the core of productive operations. Digitization within industry means that previously isolated control systems are exchanging an increasing amount of information with several IT applications. This provides operations with new opportunities to improve efficiency, but it also means new challenges. We interviewed Anders Hansson, Security Advisor of Critical Infrastructure at Sectra Communications, about the accelerating digitization, cloud-based control systems and how operations can start to implement security in this rapidly changing environment.

How has the digitization of OT systems changed in the last few years?

Digitization has been going on for an extended period of time and there are two noteworthy changes that have happened in the rapid digitization of OT systems.
1. Before, IT and OT systems were two separate, distinct systems. Now digitization has connected them and they work closely together.
2. The introduction of remote connections, where external sub-suppliers can connect to OT systems.

Right now, however, digitization is accelerating even more, with cloud services being used to a growing extent. One of the largest driving forces behind this change is the comprehensive energy transition taking place in society, which affects most operations. The increased electrification and energy transition are resulting in accelerating digitization since we need to use our energy resources more efficiently. This means that cloud-based solutions for controlling and monitoring critical systems in areas such as the energy supply—as well as property automation and manufacturing—will become increasingly important.

“The use of society’s energy resources needs to be streamlined, which will mean accelerating digitization and an increased need for cloud-based services. This, in turn, means that organizations will need to manage the new security risks entailed by this transition.” Anders Hansson, Security Advisor of Critical Infrastructure.

What is a centralized cloud-based control system?

A traditional control system is an isolated function that manages a single physical process, such as delivering electricity or heat. Today an incredible number of these processes work together to solve an operation’s various needs. Within the energy sector, there are several physical processes, such as wind, solar, virtual battery storage, hydro and so on. To take advantage of all of these functions as efficiently as possible in the energy transition, we need to streamline these functions so they function together on an overarching level. As a result, operations are connecting these OT systems to a superior cloud-based central control system.

Within the energy industry, there is a concept known as virtual power plants, which are a cloud-based control system that can streamline energy production and make a significant difference in how the energy system uses the resources it needs. In a virtual power plant, the various OT systems are connected to be efficiently monitored, coordinated and controlled by a central control system. Parallels can also be drawn with other areas of society seeing the same kind of development, such as in building automation. That is another area that requires streamlined energy use and joint control systems in situations like having several properties in the same location. The manufacturing and processing industries are facing the same development, with operations requiring high-level control over flows and the entire manufacturing process.

What are the advantages of moving traditional control systems to a cloud-based system?

The current development of centralized cloud-based control systems is currently driven by several factors. Essentially the idea is to simplify and maximize the efficiency of complex systems that are built on several underlying OT systems that are spread across various geographical locations and can be handled by various suppliers. By creating a new cloud-based infrastructure, it’s much easier to get OT systems to cooperate and handle their processes on a superior level.

Within the energy sector, for example, the load on the power grid as well as access to different kinds of electricity production need to be optimized to minimize energy loss and increase the utilization rate. Today there are many different electricity producers, and as electrification increases, such as within the automotive industry, there is a growing need for a better platform for realizing and balancing the kind of functionality necessary, both today and tomorrow.

In another industry, like building automation, centralized cloud-based control can lower energy consumption. This would also make it possible to work more preventively and effectively with monitoring, operations and maintenance. The opportunity to develop new digital services is another driving factor since both residents and property owners would have greater opportunities to control their energy usage and streamline it to reduce costs.

What challenges and (security) risks can be identified in developing cloud-based control systems?

Generally, another kind of situation arises when the level of automation within information flows and processes increases, which gives rise to a security risk that needs to be managed. It doesn’t have much of an effect on information management for OT systems, but a lot of information is sent to the centralized cloud-based control system. Based on this information, the centralized control system makes decisions that generate control data for the underlying OT systems. This introduced complexity into the system, with several information flows and various entities that need to be identified, managed and protected in terms of security.

Complexity always entails security risks to a system. That is why it’s important to continuously develop a risk-based agenda from a security perspective to identify and address risks that arise early on.

Anders Hansson, Security Advisor of Critical Infrastructure at Sectra Communications.

Developing new technologies and methods as well as increasing the level of automation in society requires a risk-based approach so as to not introduce vulnerability into society’s infrastructure. Since these systems are constantly changing, risk management needs to be more adaptive than traditional risk analyses. That’s why it’s important for risk management and security monitoring to be integrated so that security doesn’t slow down development.

What is an easy way for an organization to start working with the challenges and the (security) risks identified?

The most important thing is to have security in all systems and all parts of the organization from square one. If security is introduced afterwards, it’s difficult to fix any security gaps that are revealed along the way. To make it easier to create new solutions, the European Union Agency for Cybersecurity (ENISA) allows products that meet approved security requirements to be certified. One easy tip is to invest in products and services with this certification. When developing or implementing new systems, this certification can help an organization ensure that the components being used are reviewed and approved by a reliable authority. In addition to basic security, it’s vital to identify which systems and which information that are critical assets from a risk perspective. That’s why a structured approach to risk analysis is important, as is simultaneously applying relevant security functions.

“It’s always important to find a good balance between a system’s detective and preventive capabilities when it comes to cyber threats and security risks. If done well, I’m convinced that it’s possible to build healthy, robust control systems, even if they’re cloud-based.”

Cloud-based control systems are a necessary financial and environmental development for society that also address capacity issues. There are currently no effective methods for adaptive risk management in complex, dynamic systems with several actors, which means that traditional risk analysis methods can’t be applied effectively. These systems are constantly changing and therefore require continuous risk and security monitoring so that cloud-based control can be maintained adaptively based on current information about the system’s behavior and use.

Security needs to enable the development and digitization necessary for society, which is why our task and responsibility is to build a society whose infrastructure isn’t vulnerable to cyberattacks.

Anders Hansson, Security Advisor of Critical Infrastructure at Sectra Communications.

Related reading

Related products