cybersecure protection relay test sets weren’t available in the market – but our new CMC 500 offers a solution.

Test sets can be an attack vector

We’ve addressed this issue by developing the CMC 500, the world’s first cyber-hardened protection relay test set. But what kind of measures were required? And what do we mean by cybersecure? Like a threat analysis for critical infrastructure, the first step was identifying potential attack vectors in test sets and addressing them step by step. The years of experience we’ve gained with StationGuard – our intrusion detection system (IDS) tailored to the energy sector – proved extremely helpful. A holistic approach was required to develop the CMC 500 for maximum cybersecurity. So, our company took the necessary steps in our processes, production, software, and hardware. These combined measures more than lived up to the concept of cybersecurity by design.

Secure test hardware

At the hardware level, the CMC 500 features an ISO/IEC-11889-compliant trusted platform module (TPM 2.0). This cryptoprocessor establishes the basis for several security measures, as a range of keys and certificates can be securely stored on it. This ensures communication is reliably encrypted and allows the test set to be uniquely identified – just like with a fingerprint. Attacks such as machine-in-the-middle attacks can thereby be prevented. Likewise, checks can be carried out during the boot process using secure boot and measured boot, which check the firmware authenticity and prevent the device from starting up if these checks fail. All communication can also be protected on an additional level by setting a password.

Secure test software

Hardened hardware cannot serve its purpose without the proper test software. Therefore, we also developed our software with a clear set of guidelines. Our Secure Software Development Life Cycle (SSDLC) process was already introduced during StationGuard’s development.
It ensures high quality standards and code security, laying out our approach to potential vulnerabilities and their disclosure. Transparency is one of the essential cornerstones ensuring the cybersecurity of our products. To find out more about how we handle vulnerabilities, please visit omicronenergy.com/product-security.

Secure production and repair

We don’t simply rely on selected suppliers and trusted partners for production and repair; we carry out the most crucial steps ourselves. That’s why only a few of our employees are authorized to set up the CMC 500’s certificates and keys. The process is structured without interruption to prevent any manipulation while it’s carried out. Based on a hardware security module (HSM), our internally developed software

«Referring to a product as having cybersecurity by design requires more than employing measures at hardware and software levels. Analyzing potential attack vectors begins with an entire company and encompasses all its processes.»