AssetManagementBites #18 from Solar Asset Management Best Practice Guidelines

May 18, 2020

Welcome to the #AssetManagementBites.

Every Monday we will be sharing with you one of the numerous recommendations, best practices and pieces of advice (“bites”) from the “Solar Asset Management Best Practice Guidelines Version 1.0”.

The document was developed by SolarPower Europe with the contribution of Alectris. The “Solar Asset Management Best Practice Guidelines Version 1.0” is a resourceful guide addressing the commercial and financial management of solar investments, balancing the risks, opportunities, costs, and performance benefits. The document aims to encourage asset managers to keep their services consistent and at the highest level.

Bite #18

Chapter 9: DATA MANAGEMENT AND HIGH-LEVEL MONITORING

 

9.6. Cybersecurity [part 1/2]

In order to enhance cybersecurity, the Asset Manager typically also performs periodic audits on the main suppliers (the O&M contractors in particular) who have access to relevant data and connectivity of the plants. The audit is mainly aimed at ensuring that the personnel are properly trained in relation to procedures for data protection (e.g. policies related to passwords, protection of access to relevant devices) and can detect and avoid possible cyber-attacks.

 

In addition, as part of the risk mitigation activity, the asset managers support plant owners in identifying and activating insurance policies that also cover the risks of indirect damages (i.e. missed production) deriving from cyberattacks. Since such attacks, in some extreme circumstances, can even cause plant outages that may require a long period of time before being solved, insurance coverage is particularly relevant to avoid exposure to significant revenue losses.

 

Ultimately the role of the Asset Manager is often to raise awareness about the importance of cybersecurity as it relates to the management of the plants.

 

Since PV plants will at least include inverters and power plant controllers (and monitoring systems) and these are expected to be accessible from (i.e. connected to) the internet to enable surveillance and remote instructions by operators, they have significant exposure to cybersecurity risks.

 

Cybersecurity comprises technologies, processes and controls that are designed to protect systems, networks and data from cyber-attacks. Effective cyber security reduces the risk of cyber-attacks and protects organisations and individuals from the unauthorised exploitation of systems, networks and technologies.

 

Cybersecurity is a vast area and multiple measures are imaginable. The following hints may help as a starting point:

• Keep it simple: If possible, the number of network devices should be reduced to a minimum.

• As a recommendation, traffic of the network devices may be monitored in order to detect abnormally high use of bandwidth.

• Physical access to the network devices should be secured and a secure password policy should be implemented. The use of standard passwords should be especially avoided, and all factory setting passwords should be changed.

Access from the Internet should be controlled via strict firewall rules:

    • Port forwarding should not be used because this is a big security gap. Only router ports that are necessary should be opened.
    • Remote access should be limited to the necessary use cases.
    • The use of VPNs (Virtual Private Networks – a secure connection built up from the inside of the private network) is necessary.
    • VPN access to the site from outside is a minimum requirement.
    • A VPN server or VPN service which works without requiring a public IP on-site should be preferred.
    • Each PV plant should have different passwords.
    • Documentation should be kept up to date to be sure that no device was forgotten.
    • Different roles should be used to the extent possible (e.g. read only user, administration access).
    • Professional (industrial grade) hardware should be used; only such hardware provides the security and administration functions plants need to be secure.

 

Vulnerability management should be implemented (i.e. identifying and remediating or mitigating vulnerabilities, especially in software and firmware) by:

    • Improving insecure software configurations.
    • Keeping the firmware and software of devices up to date.
    • Using anti-virus software if possible and keeping it up to date.
    • Avoiding wireless access if it is not necessary.
    • Auditing the network with the help of external experts (penetration tests).

 

Keeping companies safe:

    • Passwords should not be stored in plain text format; password managers should be used (e.g. 1Password, KeePass etc.).
    • Employees should be trained on IT security awareness.
    • Not all employees should have access to all plants. Only those who need access should have it. This way damage can be limited in case one employee is hacked.
    • Management of leaving and moving employees: in case an employee overseeing a plant changes position or leaves the company, the respective plant’s passwords should be changed.

 

It is therefore best practice that installations undertake a cyber security analysis, starting from a risk assessment (including analysis at the level of the system architecture) and implement a cybersecurity management system (CSMS) that incorporates a plan-do-check-act cycle. The CSMS should start from a cybersecurity policy, and definition of formal cybersecurity roles and responsibilities, and proceed to map this onto the system architecture in terms of detailed countermeasures applied at identified points (e.g. via analysis of the system in terms of zones and conduits). These detailed countermeasures will include the use of technical countermeasures such as firewalls, encrypted interfaces, authorisation and access controls, and audit/detection tools. But they will also include physical and procedural controls, for example, to restrict access to system components and to maintain awareness of new vulnerabilities affecting the system components.

 

As minimum requirements, loggers should not be accessible directly from the internet or should at least be protected via a firewall. Secure and restrictive connection to the data server is also important.

 

The manufacturer of the data-logger and the monitoring platform should provide information on penetration tests for their servers, any command protocol activation channels and security audits for their products. Command functions should be sent using a secure VPN connection to the control device (best practice). Double authentication would be an even more secure option.

 

For further information, beyond the scope of this document, please look at the EU Cybersecurity Act (EC, 2019) and the European Parliament’s study “Cyber Security Strategy for the Energy Sector” (EP, 2016).

 

 

 


 

About ACTIS ERP

ACTIS ERP is an innovative Renewables’ Enterprise Resource Planning Platform dedicated to empowering end-owners and stakeholders of renewables’ assets, Asset managers and O&M service providers with full control of their portfolios through the award winning, one-stop solution providing comprehensive and integrated Real-time Monitoring, Service Management, Asset Management, PPA Billing, Project Management and many more tools. ACTIS helps you achieve the maximum performance of your assets by streamlining operations and consolidating Technical, Operational and Financial Reporting, increasing efficiency and reducing your costs.

ACTIS meets the requirements of the Asset Management Platform described in the “Solar Asset Management Best Practice Guidelines Version 1.0”. Moreover, ACTIS was certified with the Solar Best Practices Mark developed by SolarPower Europe.
