Throughout Europe, grid operators are hard at work implementing new cyber security regulation. But in this drive for compliance, it is critical to keep an eye on the real risks, and to make sure the regulatory measures actually mitigate them.
The NIS Directive has already seen many grid operators identified as “operators of essential services” (OESs), at which point companies are expected to take appropriate security measures as well as notify serious incidents to their relevant national authority.
It is heartening to see such focus coming from European and national governmental bodies on cyber security. But of course, any new regulation brings challenges for those in the industry. The energy sector is used to being tightly regulated, but cyber security requirements are new. Most grid operators see the need for better cyber security, and are very willing to meet the requirements. But they are looking for clarity from regulators on what the requirements are and which of their systems are in scope.
An important question that grid operators have is how to assess the risks of nation state actors. They see the rumours of nation state activities in the news, like the recent articles on US malware in the Russian grid. But grid operators do not have the intelligence capabilities to determine the likelihood of such incursions in their own systems. So, they cannot determine what security measures are appropriate to counter them. Governmental bodies and regulators could help grid operators in better assessing these risks.
Detecting incidents through security operations
Before incidents can be notified under the NIS Directive, they of course first need to be detected. Many grid operators are therefore setting up day-to-day cyber security operations to actively monitor their grid.
One challenge there is technology. There are still far fewer technologies designed to monitor operational technology (OT) systems than IT ones, and we must continue to combine the best available technologies to do so. We must also make sure that security systems are fed the best possible information, for example by increasing and improving the use of monitoring sensors in substations.
However, it is not just about technology. Clear processes for incident detection and response are needed to sustain a high level of security operations. But most critical are people. There are still few experts in the sector who combine in-depth knowledge of OT systems with an understanding of security. Grid operators are struggling to find the right personnel for their security operations centres and other specialist roles.
A continuous investment in training is needed to fill this skills gap. Many grid operators already have good awareness programmes to have their employees understand the risks. But what is needed now is more in-depth training in the skills that grid operators need to securely design, maintain, and monitor their systems.
Besides the NIS Directive, new regulation is coming through the EU Cybersecurity Act. One of the goals of the act is to create certification schemes for ICT products, services and processes. We expect that the European Union Agency for Cybersecurity (ENISA) will soon start work on candidate schemes for the electricity sector.
Certification offers an opportunity to create a harmonised market for security in the EU. This can drive down the costs of secure products while at the same time increasing their quality, as vendors can bring more focus to their security roadmaps. Grid operators are quite familiar with electrotechnical certifications, and are successfully using them when procuring new systems.
But cyber security certification is hard. Security certification can certainly be helpful in guaranteeing minimum standards for simple products and processes, but for more complex systems it can be ineffective or even dangerous. If a product or system is certified against the wrong requirements, it can still be insecure, so the certification gives a false sense of security. Moreover, once a manufacturer has met the requirements expected of it, it has no incentive to further secure the system or component.
Also, threats are constantly evolving, so even if the underlying standards are fit for purpose in June, they may not be by July. Regulation will not move as quickly as the threats. Certification should therefore include vulnerability management on the vendor side, and the possibility to deliver security updates to certified products.
Utilities should therefore approach certification as a minimum requirement, a way to ensure they start constructing their smart grid systems with good building blocks. Grid operators then still need to design good security architectures, and continuously monitor and maintain the security of the system as a whole.
At ENCS, we are focusing on publishing security requirements as a guide for utilities taking responsibility for the security of their grid systems. We are also continuing to develop testing capabilities to ensure systems and components are up to scratch.
Europe in the crosshairs
These are all priorities that deserve our focus – but we can’t lose sight of the context either. The headlines may focus on the US and Russia when it comes to preliminary steps to cyber conflict, but Europe must take these threats just as seriously. Countries like the Netherlands and the UK have already identified nation state actors behind certain compromises, and our utilities must be as wary as any others.
After all, the threat landscape is not just constantly evolving, it is constantly growing. As more of our grids are connected and digitalised, there is both a greater attack surface and a greater incentive for attacks. Recent progress is good, but we have to ramp up our efforts.