In this Help Net Security interview, Anjos Nijk, Managing Director of the European Network for Cyber security (ENCS), discusses cybersecurity in the energy sector as it modernizes with renewable sources and smart grid technologies.
Nijk also addresses the need for international collaboration, the impact of IoT on security, and the emerging technologies that can enhance the resilience and reliability of critical energy infrastructure.
As the energy sector undergoes significant modernization, particularly with the integration of renewable energy sources and smart grid technologies, how do you perceive the role of cybersecurity in ensuring the resilience and reliability of energy infrastructure?
The availability of energy infrastructure has long been the primary metric by which grid operators are evaluated by authorities in regulated markets. This can’t be done without resilience and reliability. As a result, managing reliability is central to the core of their operational processes and organizations (OPOs).
Due to the energy transition, the digitalization of grids has become an important potential fail factor that could even cause blackouts. Therefore, cybersecurity has become a business-critical priority. In recent years, grid operators have been working to integrate IT and cybersecurity skills into their OPOs.
However, connected infrastructures, such as renewables and EV charging networks, fall outside the direct control of grid operators, and can also cause blackouts in the grid. Tampering with the control of connected infrastructures through hacks or exploiting vulnerabilities in the supply chain poses a real and major risk to the resilience and reliability of energy infrastructure.
With the digitalization of the energy sector, there are various cybersecurity issues that have a direct impact on the resilience and reliability of the entire energy infrastructure.
How does the Internet of Things (IoT) impact energy infrastructure security?
IoT is driven by innovative, high-tech companies and start-ups, predominantly European, that are fully focused on building customer base and market share. Cybersecurity is typically not a priority until it becomes a barrier for doing business, meaning that cybersecurity maturity levels are low. We see this over and over again when we test IoT components and systems, and conduct risk assessments.
Connected infrastructures for renewables, in many cases, are operated by new companies or even residential users. They don’t have a background in managing reliability and, generally, have very limited or no cybersecurity expertise. Despite this, they all oversee internet-connected systems that are digitally controlled and therefore vulnerable to hacking. The cumulated power controlled by many connected parties also poses a risk of blackouts.
The concern is about the suppliers, especially for consumer equipment, as it is not possible to impose security regulations on consumers. The Cyber Resilience Act tries to address suppliers but is likely not sufficient.
So, we need to implement technology to maintain control, but also need to create the conditions for residential users, operators and integrators to securely install, operate and maintain their infrastructure.
Reflecting on recent cyber incidents that have impacted the energy sector, what key lessons can be drawn to enhance the cybersecurity posture of critical energy infrastructure?
Of the 200 incidents reported in the energy sector in 2023 by ENISA, only 8 targeted the OT domain, according to public sources. Cyber attacks on OT systems, while less frequent than attacks on business IT systems, pose a distinct and pressing challenge for the energy sector.
These OT attacks can have a significantly higher impact, as evidenced by the Ukraine 2015/2016 incidents. Such operations require a high level of skill, placing them in the domain of nation-state actors with motives distinct from those of criminal hackers. Their complexity and potential for widespread disruption highlight the need for robust security measures tailored to both IT and OT environments.
The energy sector is interconnected across borders. What role does international collaboration play in mitigating cybersecurity risks? Are there successful examples?
International collaboration is crucial in addressing the cybersecurity risks posed by interconnected energy grids. By sharing knowledge, harmonizing standards, and coordinating joint incident response efforts, countries can collectively enhance their preparedness and resilience.
There are various formal international collaborations, such as ENTSO-E and the DSO Entity SEEG, coordination groups like WG8 in NIS, and partnerships between experts and authorities in groups like NCCS. International exercises led by organizations like ENISA and NATO further support these initiatives.
In addition to these formal collaborations, informal partnerships, such as ENCS, play a pivotal role. ENCS facilitates trusted information sharing among members from different nations, fostering the development of harmonized standards and best practices. These insights are then forwarded to formal legislative and standardization bodies, strengthening global cybersecurity efforts in the energy sector.
What emerging technologies are most promising for enhancing the cybersecurity of critical energy infrastructure? How can machine learning be leveraged to detect and respond to threats?
So far, the performance of machine learning, particularly in the domain of OT intrusion detection, has been below expectations. There is, however, a clear opportunity to create better visibility into what exactly is going on in the OT domain and to analyze what constitutes (part) of malicious acts or advanced persistent threats.
We don’t see “silver bullets”, but instead an understanding that the technologies and their potential impacts is what matters most. It is more about people and expertise than technology. Existing technologies are good enough to secure OT; the problem is finding people that can use them well.