Energy Central Power Perspectives™: Cyber Security Attacks and Forecasting Future Threats to the Utility Industry, an Exclusive Interview with Anjos Nijk of ENCS
image credit: CIPRE
- Mar 4, 2019 2:00 pm GMTMar 4, 2019 1:46 am GMT
- 2580 views
Anjos Nijk is the Managing Director of the European Network for Cyber Security (ENCS). His wealth of experience and high-profile role give him an extensive view of the types of cyber security challenges facing utilities across the world in an increasingly digital world.
Ahead of Anjos's presentation at this month's SGTech conference (where he'll be discussing how utilities can monitor the evolving threat landscape and use forecasting to prepare for and minimize cyber-attacks), he was kind enough to sit down with Energy Central to share his insights in this critical field via our Power Perspectives™ series.
Matt Chester: Anjos, I appreciate you sharing your insights and answering some questions I had on cyber security in the utility space. To start broadly, can you give an overview for what types of threats are facing the utility industry today and why awareness is such an important topic?
Anjos Nijk: With the rapid digitalization of the electricity grid, new opportunities to get access to grid systems are created for various threat actor groups. We distinguish between non-targeted and targeted attackers. Non-targeted attackers include, for example, script kiddies who are just exploring what they can find and do. Utilities can prevent damage by taking good care of 'security hygiene,' such as access control, patching, and making backups.
A bigger concern are targeted attackers, such as criminals. Criminals are developing their knowledge and skills rapidly as they find "easy ways to make money." Data protection and privacy are a concern for utilities, but criminals have easier targets when they are after easy money, like for instance in banking.
The most sever cyber threat for utilities and society as a whole is a hack that causes a black-out of all or part of the electricity grid. This is a threat that mainly comes from nation state actors. The electricity grid can be considered as the largest man-built system ever, everything is connected and has to be operated within certain thresholds to prevent imbalance or even shutdowns of parts of the electricity grid. Grid operators must ensure that hackers cannot intrude into the grid systems and that new technology added to the grid is secure.
MC: How would you grade the current state of the industry in terms of being prepared to fend off any potential attacks? Are we way behind the curve or doing well overall?
AN: Given that the threat is relatively new and fast developing, we are taking the right steps, but we need to ramp up our efforts. Basically, we need to get technology in control, for legacy systems and new technology, and we need to fill the skills gap and we need to get prepared. There are various actors involved, public instances, utilities, and industry. We require those actor groups to collaborate on capacity building and information and knowledge sharing.
With the NIS Directive, Europe has made an important step, but now the challenge is to improve traditional interaction patterns like customer supplier relationships and how we organize information sharing amongst different groups, including nation states. This cannot be done from an ivory tower, so we need new collaboration approaches to involve the right expertise and skills from utilities and security experts to create more effective ways of setting standards and sharing critical information like vulnerabilities and threat analyses. A concern is how we deal with the required financial resources, as we operate in a regulated market and there are no clean-cut business cases available for the energy sector.
MC: Where are the weak points and vulnerabilities that should most concern those in the utility industry?
AN: In fact, people themselves are the weak point, in terms of lack of awareness and the skills gap. Also, the capability to collaborate is in the end a human factor. Other than that, we need to deal with legacy systems that were not designed with any security requirements in scope, but are still around in high numbers and will remain for a while given the long lifespan of these complex and expensive systems. For new systems and technology, it goes without saying that we need to make sure that they are secure before they enter the grid, but in reality this is still a big challenge. Europe is trying to resolve the latter issue by introducing certification for ICT products, services, and processes in the Cybersecurity Act. Certification does not mean security, however, so it remains of utmost importance to validate that the right security requirements are used and that the certification process will be more than an administrative burden. This will not be possible without the involvement of the right domain specialists and security experts and with highly-skilled independent testing organizations.
MC: It seems that the advent of the smart grid both opens up new cyber security vulnerabilities while presenting avenues for innovative solutions. How do you see this push/pull of new technologies playing out-- will the smart grid end up leaving utilities more at risk or more protected?
AN: My vision is that it will be more protected at the end of the day. If deploying new technologies goes at the cost of an unprotected grid and energy supply, utilities and authorities will prohibit this deployment. If not instantaneously, certainly after a major event. But there is still a long way to go for the supplying industry. The way how the energy sector deals with creation, deployment, and maintenance of good security standards, how it deals with vulnerabilities and patching, the lack of incentives for manufacturers to resolve vulnerabilities is all quite immature in comparison with the IT industry. We have to recognize, however, that challenges in the OT domain are tougher due to complexity of patching, access control, and other domain specific challenges.
MC: When it comes to individual consumers, is there anything they should be aware of regarding these cyber security threats but they largely aren't aware of right now?
AN: I think that consumers need a general awareness about security threats when they go online or deploy or use connected devices. By now everyone should be aware of privacy issues and data abuse in light of recent discussions about Facebook and other platforms, as well as computer crime. General security awareness and principles are mandatory for the modern citizen. This has nothing to do with particular smart grid challenges and should be addressed at a national level. Where things become smart grid related is in the area of PV inverters and charging points for electric vehicles, as examples of connected devices in the consumer domain. Such devices control large electrical loads and can more and more be controlled remotely. A successful cyber-attack on them could cause major disruption of the grid. Utilities and service providers have a responsibility here to assure security of the equipment and to inform consumers about the use of data. But customers themselves should be aware of the threats to their devices.
MC: I would think that a threat against any one utility serves as an equally worrying threat across all utilities-- so in that vein, would you say the utility community is collaborative when it comes to sharing information about cyber-attacks and strategies to fight them? Or is that an aspect where there's still work to be done?
AN: Utilities are willing to share information more freely than in many other domains. But there is definitely work to be done in enabling and sharing. In this respect, I refer to barriers that prevent the sharing you require. One barrier is legal constraints. In procurement T&Cs and NDAs standard practices, for example, sharing of vulnerabilities found in testing by a utility is prohibited. Now sanctions may be imposed on utilities for not reporting incidents and vulnerabilities to national authorities, this will impact processes and behavior of dealing with incident and vulnerability reporting. Then you have the barrier that vulnerabilities can be considered to impact national security and fall under state secrets regime. Besides all this, you have the notion that in most sharing platforms, the vast majority is there to get information, not to bring. We need to break down these barriers and introduce and use new concepts and processes for sharing, like vendor-based testing and opening vulnerability sharing to participants in cooperative testing activities.
MC: How do you see the role of private companies in ensuring cyber security compared with government and regulatory bodies overseeing potential threats? Is one more effective or important than the other?
AN: Like I said before, we need them all. But we have to rethink the model. We have heard the mantra of PPP for many years now and the proclamation of collaboration and sharing in the field of cyber security. We have had the FP7 and H202 models to boost research and innovation. In reality, not a lot of results were achieved from these. Yes, we have spent money in research projects, but what has it delivered in terms of patented security technology or best practices that protect our grids? Yes, we have ISACs and CSIRTs across Europe where people attend, but what is actually produced there or achieved? I think that the focus has to be much more on realization of concrete results and to facilitate initiatives that make that happen. Private initiatives on a collaborative basis can play a key role here.
MC: What are some examples of security measures that utilities are beginning to implement-- or should implement-- that might be surprising or unexpected?
AN: In my mind, the most surprising or interesting aspect I witness is the co-creation by utilities of critical security capacities like security requirements for smart metering and electric vehicle charging, security testing and vulnerability and incident monitoring and analysis. Utilities have taken ownership and decided they cannot afford to wait until regulation and standardizations come into play. This is certainly not what you would have expected from a traditional and conservative industry, but here they demonstrate how they can drive innovation.
MC: Lastly, where would you suggest someone go if they were interested in learning more on this topic?
AN: Actually, there are a few good public sources on grid security. The best account is probably Mark Elsberg's novel Black Out.
Interviewer's Note: Anjos was modest enough not to say it himself so I will for him-- another great opportunity to learn about the important cyber security issues and solutions in the utility industry will come from his presentation at SGTech Europe 2019, taking place in Amsterdam from March 26 to March 28. Anjos's presentation is titled "Monitoring the Evolving Threat Landscape: Analysing the latest security attacks on utilities, forecasting future threats and determining what security systems organisations need to put in place to minimise attacks."