Options
2023
Report
Titel
D5.1 - Security Design
Titel Supplements
REgions project
Abstract
A VPP is a complex IT-System regarding a communication-oriented point of view. As modelled and described, a VPP consists of critical and non-critical modules. According to the Open Systems Interconnection (OSI) model, the critical modules of a Virtual Power Plant (VPP) penetrate all levels from the physical layer to the application layer. Thus, it offers a wide range of possibilities for attackers to penetrate the system - therefore this non-trivial challenge to achieve a certain security level is described. One of the biggest risks of corrupting a critical module is a destabilization of parts of the power grid. So many possibilities an attacker has, so many security measures and guidelines there are for a VPP. Most of them do not cover all aspects of a complex IT-System like a VPP nor give specific guidance on how to achieve certain security standard in practice. The IT-Grundschutz protrudes and gives a methodical procedure on how to analyse an IT-System, classifying the relevant modules and identifying specific measures to achieve a certain security standard. The guidance of the IT-Grundschutz is oriented on a practical point of view and gives companies clear tasks to secure their IT-Systems. Furthermore, the IT-Grundschutz defines requirements which are necessary to achieve certain certification e.g. ISO 27001. In addition energy industry specific guidelines based international regulations are mentioned.
Beside of the specific requirements from the IT-Grundschutz method, common aspect of different security measures are described. For instance the security by design is an important approach. Security and inappropriate access has to be managed and implemented in the very beginning of a creation of an IT-System and is not limited on the scope of software development. When following this approach, security should not be an obstacle.
For the REgions VPP, critical modules have been identified and an overview of specific requirements has been shown. For the sake of shortness, only a selection of requirements has been described since most of them are clearly defined in the IT-Grundschutz for the respective module no. Since there are multiple roles and responsibilities involved in operating a VPP, all relevant stakeholders have to be involved. Some requirements, e.g. a secure connection between assets and VPP via Virtual Private networks (VPN), as well as System infrastructure monitoring and the logging of security relevant events are described in more detail as an implementation example.
Author(s)