EU power sector battens down hatches in cyberspace

When the lights went out in approximately 225,000 households in western Ukraine on December 23, 2015, investigations soon revealed that three regional power distribution companies had been the victim of a cyberattack. A malware called BlackEnergy caused seven 110-kilovolt and 23 35-kilovolt substations to disconnect from the grid in a sophisticated and coordinated attack. It took several hours until the households were back on energy supply. Even worse, the investigators thought that the outage might have only been a dry run to test the potential of cyberattacks for future use.

The Ukraine incident shows how crucial cybersecurity practices and controls are for the energy value chain worldwide. Austrian power supplier EVN and the group’s grid company Netz Niederösterreich GmbH have long been pioneers. So Wolfgang Löw, EVN’s Chief Information Security Officer, is confident that the company is well prepared. “We have created the necessary organizational framework to ensure that awareness of cybersecurity issues permeates all our departments, with security officers in our business segments interacting with our centralized security team,” Löw explains. According to him, the cultural shift is one of the challenges when it comes to implementing cybersecurity in the organization. “There’s the issue of awareness, and also the need to understand that grid operations and other departments are more or less interconnected, solutions can’t be treated as isolated anymore. Furthermore, the degree of interconnection will increase in the future, and therefore also the complexity – complexity is the enemy of security.”

The measures EVN has implemented are in line with the NIS Directive, which came into effect in May 2018. Its aim is to further enhance cybersecurity across the EU, focusing on critical sectors, including power supply. Its three parts seek to enhance national capabilities by establishing national computer security incident response teams (CSIRTs) as a first port of call in case of an incident; to implement cross-border collaboration between EU member states through the EU CSIRT network; and to improve national supervision of operators of essential services, amongst other issues.

The energy industry’s specific operational technology requires specialized solutions, Löw emphasizes. “You can’t just copy a security solution that works in classical IT to the operational technology environment. One key reason is that for us as a power supplier and grid company, uninterrupted supply of energy always comes first,” Löw explains. “Availability of the power control systems is our first priority, and therefore we have to implement the security measures wisely – a false positive of one of the prevention systems can affect the availability of the systems or can cause malfunction.” For Löw, that means that all projects must consider cybersecurity from the onset, following a so-called security-by-design approach. “Also, you need a close partnership with all of your suppliers in the critical infrastructure field like Siemens in order to have products and services fit into the security concepts of our energy grid.” Close cooperation over a long period of time and personal contact are the key ingredients for success in this regard, Löw has found.

Cooperation between power suppliers is equally essential, Europe-wide as well as on a national level. In Europe, the European Energy Information Security Analysis Center (www.ee-isac.eu) provides a platform to share best practices as well as information on compromise and attacks between relevant stakeholders in the industry.

In Austria, the energy and gas industry came to the same conclusion, working jointly together in the Austrian Energy CERT with the common aim of improving resilience within the sector. “The Energy CERT is the CSIRT the NIS directive calls for, but with a special focus on the operator of essential services in the energy sector,” EVN’s CISO Löw explains.

The response team is tasked with sending out early warnings, assisting power suppliers and grid operators under attack if necessary, and acting as the primary contact point if a cyberincident should occur. “In the security field, we will always be one step behind the attackers – it absolutely makes sense for the energy industry to work together and join forces with other utilities, with the vendors, and with the CERTs and ISACS,” says Löw. Especially in case of an incident, time is essential. Knowing the right details could save a lot of time – and money.

The same is true for data protection. At the end of May 2018, the EU General Data Protection Regulation (GDPR) entered into force, setting new standards for data security and control over personal data. While many standards enshrined in the new regulation do not require too many changes for any company collecting, storing, and processing personal data, the right to access personal data or have it deleted means the energy industry must build new structures for customers who want to exercise these rights.

“We have always taken the protection of customer data very seriously,” Löw affirms. He notices that customers are taking their privacy more and more seriously, which includes the wish to know which data is stored and what it is used for. “I think this awareness will become even more important in the future – and the GDPR is a good framework to ensure the necessary protection measures.” Talking about the future, Löw is positive about the preparedness of the energy industry. “Of course, you can never be content. Cybersecurity is not static, but a continuous journey.”

That also reflects in the fact that in today’s digital grids, product cycles are much shorter than in former days when grids where analog. For CISOs like Wolfgang Löw, shorter product life cycles translate into even greater cooperation. “When it comes to the development of further security measures, it makes sense for the energy industry to agree on common standards – it’s easier for the industry when you have a security catalog, like the one we have developed in Austria on smart metering. This will improve the overall cybersecurity of the system.”

2018-10-24

Marc Engelhardt, independent journalist in Geneva.

Picture credits: Hassân Al Mohtasib