EU gets to grips with cyber security

The EU’s cyber security strategy is shifting gears now that key legislation has come into force and the Commission is preparing to start work on a new network code.
Published: Fri 05 Jul 2019

A decentralised grid is more exposed to cyber attacks because it connects many smart devices whose security is far weaker than that of traditional large infrastructure assets. But while cyber attacks routinely cross borders, policy responses remain predominantly national. The EU is seeking to coordinate national efforts and engineer a more holistic approach.

The Cybersecurity Act came into force at the end of June, giving the EU Agency for Cybersecurity (ENISA) a permanent mandate and introducing an EU-wide framework for the cybersecurity certification of products and services. It builds on the directive on security of network and information systems (NIS), adopted in July 2016, whose implementation by member states is among the initiatives intended to improve EU cyber resilience and response.

Following a March recommendation on potential threats to the new 5G networks, member states have been asked to submit national risk assessments to the Commission and ENISA by 15 July. An EU-wide risk assessment is due by 1 October 2019.

The EU’s Smart Grid Task Force will publish a final report on cyber security in the smart grid environment in the Autumn, said a Commission spokesperson. This will be one of the inputs to the creation of a new network code on cyber security, which will take at least another year. In addition, a workshop will be held in the Autumn on certification for energy products. A joint Commission-industry initiative will also be launched to define a “duty of care” principle to reduce product and software vulnerabilities and promote a “security by design” approach for all connected devices.

Cyber security is complicated and takes time because it is a “moving target,” said Frederik Geerts of the European Commission at a workshop organised by the Council of European Energy Regulators (CEER) last month. Regulators, companies and consumers all have a role to play, he said:

“It’s about technology but it’s also about the way we work, the processes and how everything goes together. Legislation alone is not going to save us and is not going to improve cybersecurity in this world. We need legislation to raise the bar and make security better but everybody needs to work on this. It’s something we will be working on this year and the years to come, it’s for the long run.”

Both the power and gas sectors have challenges ahead, but the power market is the more complex of the two: its real-time operating constraints can make typical security measures such as encryption or authentication harder to apply. Further, the “cascading effect” means a power blackout could have serious consequences for other sectors. New technologies and smart devices are being connected to systems that are 20-30 years old and were never designed for the way the network is now being asked to perform.

The distribution system operator will be the infantry of the energy sector’s cyber security battle, and so regulators and managers must be made aware of the scale of the problem and the resources required to tackle it, speakers emphasized at the CEER meeting.

“The energy system is transitioning, it’s becoming more decarbonised via further electrification. At the same time, it’s becoming more digitalised and more decentralised. And these three elements themselves highlight on the one hand the significance of cyber security and on the other hand the even more important role of DSOs in the future. This is mainly because they will need to deal with a continuously expanding attack surface, which could increase their overall vulnerability to future attacks. CEER’s 2018 cyber security report raises awareness, and contributes to the establishment of a common understanding. These are essential factors to facilitate the acceptance of necessary expenditures and the allocation of funding to respond to the cyber security challenge,” said Ioannis Retsoulis, senior advisor at Eurelectric. 

Increased awareness of the importance of cyber security is welcome, said Frederico Oliveira Da Silva of BEUC, the European Consumer Organisation. He gave examples of hackers using smart appliances or Internet of Things devices as entry points into otherwise secure systems: the widespread Ukrainian malware infection spread via accounting software, a 2008 incident in which the control system of an oil pipeline was accessed through a security camera, the theft of information on 40 million credit cards through an air-conditioning system, and the compromise of a casino through a fish tank.

If smart meters are hacked, something as simple as turning many thermostats to the maximum level could overload the grid, he added. Spending on systems to combat such attacks is essential: “If high level managers do not understand the necessity of cyber security and the changes that it will entail then we are in trouble.”

Challenges ahead include establishing a framework that balances the need to share threat data across companies, sectors and borders against the restrictions on some entities which, because they are designated critical infrastructure operators, are not allowed to share such information. All market participants will need to recruit specially trained IT security personnel, although many are already finding it difficult to hire qualified staff.
