European Commissioner Arias Cañete stressed the importance of sharing information on cyber security at a high-level event held in Brussels yesterday.
The meeting, which gathered EU staff, NATO, utility and software firm representatives, kicked off a work stream under the Network and Information Security (NIS) Cooperation Group dedicated to energy. The EU wants to enhance cooperation with specialised entities such as the European Energy Information Sharing and Analysis Centre on cyber security and at a technical level via expert groups.
“When we look forward to the energy world of tomorrow, it is clear that the technological revolutions underway offer a lot of opportunities for a cleaner and more participative system. But we also need to be prepared for the new risks to our energy security this entails, and we need to address them together,” said Cañete.
Digitalisation brings new challenges as well as advantages for the sector, he said. An infiltration of the electrical infrastructure of a region could cause severe disruption to vital services. Some estimate the potential damages to be as much as $1 trillion if a member state’s grid is compromised.
Software solution providers presented some of their initiatives to tackle this increasingly urgent cyber security threat.
Cristina Bentue, co-founder and COO of Continuum Security, presented the IriusRisk platform, an integrated console which implements security by design so that engineering teams can build secure applications from the start. Utility companies have a very different culture to the digital solution providers they must rely on to secure their systems. Part of the problem is that software developers do not use the same language as the technical staff, Bentue tells Engerati.
The divide between teams can be bridged by machines, which allow IT developers, security information officers, compliance and quality assessment teams to work together. The IriusRisk platform presents utility staff with a questionnaire and translates their answers into language that security risk staff can understand.
Valuable resources and time are wasted during software development because development teams don't know how to build a secure and compliant application - this is no surprise given the increasing technical complexity and changing regulatory landscape. By clearly defining the security requirements up front, before they start writing code, and by providing them with guidelines in their language and with their tools, they can get started on the right foot, Bentue says.
Historically, financial services have led the way in terms of providing regulations and mandated minimum security for software applications. This is still not the case in the energy sector, even though the impact of cyber attacks is similar if not greater. Regulations can help improve the security of in-house developed software and also software that is purchased from third-party suppliers.
OT networks are about 20 years behind IT systems in terms of security, and a major problem is that utilities do not have a complete inventory of what is connected, said Elad Ben-Meir, CEO of SCADAfence, who also presented at yesterday’s meeting. “You can only secure what you know exists,” he tells Engerati. “There is a big gap between what utilities have and what they think they have, sometimes a 30-50% gap.”
The SCADAfence platform identifies connections to a network, performs a security assessment and sets up firewalls and other measures.
Efforts to decarbonise are pushing greater digitalisation and use of smart devices, but these have low to non-existent security and introduce inherent risk. Some utilities are calling for further regulation so that their boards approve more funding for cyber security programmes.
The EU is implementing the Directive on Security of Network and Information Systems, which focuses on the resilience of essential services, and recently passed the Cybersecurity Act of 2019, which creates a framework for voluntary European cybersecurity certification of products, processes and services.
Member states have to submit plans for the new regulation on electricity risk preparedness of 2019 this month.