While cybersecurity is a growing concern for Europe’s power sector, regulations, standards and training have not kept up with the fast-moving evolution of today’s threats. A new collaboration between the European Network for Cyber Security (ENCS) and transmission system operators’ network ENTSO-E aims to address the issue.

Anjos Nijk, managing director of the European Network for Cybersecurity (ENCS), believes awareness and training requirements are crucial to cybersecurity in the power sector, but he also believes that this process does not only flow one way, from the security experts to those working in the field. It is also crucial for security experts to deepen their knowledge of the technology and processes they’re meant to be protecting.

To this end, ENCS has signed a memorandum of understanding (MoU) with the European Network of Transmission System Operators for Electricity (ENTSO-E). We spoke with Nijk about what’s involved, and how the two groups hope to boost the power system’s resilience in the face of ever-mounting challenges.

Anjos NijkCreate or modify a hyperlink.
Anjos Nijk

Q: What was the impetus for this collaboration?

Anjos Nijk: ENCS is a membership organization and its mission is to increase the cybersecurity of its members, who are the owners of critical infrastructure. We have our own security experts and team up directly with experts from each domain to identify where the issues are and work with them to address them.

When we started to do so in 2012, we found fairly quickly that it’s really important that you focus on domain expertise to combine with security expertise. So we decided to get started with a focus on DSOs, as it is obvious that the grid is an entire connected system and becomes more connected every day. The TSO community have a very important role as they are responsible for balancing, so they are a very important group for us to focus on as well. We’ve built on connections with the TSO community which initially materialized in training programmes.

When we teamed up with ENTSO-E, they identified people from the European TSOs for whom it would be helpful to get this training, both through education and raising awareness, and through hands-on exercises. This worked out well, and so a next session followed with another specialists group from European TSOs.

Q: What kinds of regulations, practices and standards are needed?

A: From the perspective of technology standards, it’s most important to address the security requirements in the right way. What happens nowadays is various standards related to national specifics. In some cases security has been looked into and in others not, or in a very limited way, so there is also lobbying from the industry because for every manufacturer it is very convenient and a good thing business-wise if their proprietary standard becomes accepted as a general standard. But this does not necessarily mean that the security is covered in the right way.

So to get this discussion to where we can address the issues from the experts, we bring security requirement sets developed by ENCS in collaboration with the operators into standardization groups – we provide experts to have discussions with other specialists so they are taken into account in new standards. So this has been an approach ensuring that our work and expertise in cybersecurity informs these regulations and standards.

Q: How will ENCS and ENTSO-E work together?

A: We’ve already worked together, and in the working group we are looking into the network code, so it makes a lot of sense to extend this collaboration.

It also has to do with requirements that we create for the systems themselves. We’ve done that in domains that are relevant for TSOs as well: for example minimum sets of security requirements that you need for substations. We’ve already done a lot in the DSO domain on security monitoring, electrical vehicle charging etc. and on other topics as well. There is quite some knowledge build-up that’s happened.

The issue is awareness and understanding, then training for people to learn where the risks are and how the hackers operate; then what to do and how to take care of the situation. We do red team/blue team training for companies using operational technology, such as SCADA systems, hands-on training in real situations where you can practice. Now, bringing it to the next level, we will be able to do simulations and create normative training programs. We’re in a collaboration with the Technical University of Delft and are about to create a consortium; submission of proposals is due for 24 August.

Q:What does ENCS already do to enhance Europe’s cybersecurity?

A: ENCS has four pillars: training, collaborative projects, testing and information and knowledge sharing.

Education and training is one of four ‘pillars’ where we develop knowledge and capabilities for what we call collaborative projects: identifying common needs of our members and then creating, in collaboration with them, concrete solutions that they can deploy. You could call it consulting, although it’s not the typical type. Then we do testing to establish security requirements: what does it mean for a system to be secure or ‘secure enough’, and how can you independently validate it through testing? Then the most important pillar is information and knowledge sharing. How amongst the community can you establish ways to share real vulnerabilities? How can we work with the industry to help address the issues faster than we do today?

Manufacturers come to us to say, ‘We have these security requirements; could you please help us address them in the right way?’ This is the standardization part that we do, which will also impact systems like substations and monitoring. We will be teaming with ENTSO-E on this one.

When it comes to regulations and standards, our activities follow on the European Commission’s Directive on security of network and information systems (NIS directive), which is an EU-wide regulation that must be converted by member states into national law by 2018. It specifies a duty to take appropriate technological and operational measures and an obligation to report incidents. This is something that is being prepared now and by various member states.

To find the best practices that you have to look into to address this requirement, we collaborate and team up with DSOs and TSOs, in The Netherlands for instance. There is a cybersecurity experts’ group within the European Commission’s Smart Grid Task Force, which is also looking into further regulatory aspects of the NIS directive and whether some topics require additional regulation. Here also we are working with the specialists from the TSOs and ENTSO-E to bring in expertise from the security and network side.

Q: Is cybersecurity for power networks an urgent requirement?

A: If we go back to 2012, when I started to challenge people in critical infrastructure and energy grids with the same question, in many cases I still got the reply, ‘Well, what can happen to the operational side of the house? Nothing has happened in the last 100 years.’ But at the latest big conference for European Utility Week, the keynote speakers were talking about cybersecurity as one of the three main topics. And in the recent hacks we’ve all taken notice of – the ransomware, the Ukraine hack – the bad guys, if you will, are making quite some progress. The sorts of threats become more complicated and more difficult to deal with, with a bigger spread. You cannot achieve security if you do not bring together the skilled people that you require.

Security as a process is really important. It has to be in the entire organization with the right level of awareness, and you have to look into the system architectures to prevent things from happening too easily. If you look at the Wannacry situation, there are grid operators that can disconnect their IT from their OT, but there is the risk that the virus might infect systems from the grid that you can disconnect. So it becomes more and more important to know what you have to do when you find such software in your own systems.

This is really the reason why there is an urge to collaborate and to bring the right people together, to find effective ways of exchanging information and building communication.

Q: Cybersecurity experts have said that the crucial question is not how to prevent a cyberattack, as even with the best efforts this may not be possible, but how to recover from one. So how secure is it possible for a power system or network to be?

A: I agree that a system cannot be fully secure. It can be ‘secure enough’. But there are number of things you can do to prevent a cyberattack from happening too easily. The challenge is how far you have to go: security is a moving target, but you cannot afford to neglect it.

For many systems out there, but also new systems being built, there are not security requirements that are part of full requirement sets. This really needs to be addressed because otherwise it’s just too easy for the hackers. Then when you think of the requirements needed to make a system secure, and how to validate them, it’s not an easy thing. You have to know and understand the domain, the processes, the technology, and also the security concepts and architectures. It’s a complicated thing that you have to fully understand to address it properly.

And, in order to know whether the requirements are implemented properly, you have to do testing. You need a system in place as well to do maintenance updates to the requirements, but you also need methodologies to deploy the systems that are updated.

Q: What are the major cybersecurity challenges for Europe’s power system and how do you see them evolving?

A: The challenges develop pretty fast, so in that sense it’s, let’s say, a dynamic. If you only look into the energy transition and the dynamics this has, the one thing that is clear is that nobody can control everything centrally anymore, and it is not possible to go backward. There have been some really important developments for security, and I will mention two recent developments.

With the ransomware that we have seen, like Wannacry, we see how much impact it can have. It was widespread and many systems got infected, whereas it was a known vulnerability so if you’d done your patching right it would not have hurt you. It was not targeted [at power systems], but the same philosophy could be targeted so it would provide the capability to take control of, say, a major substation – and then things become different because then it can do a lot of harm.

There is a trend now, on the dark web, which is becoming more significant. Critical grids are not that easily hit by malware like Wannacry, as it would be necessary to convert it from IT to OT. But there is also more attention going into reaching the OT through the IT, so in the recent findings on the Industroyer malware [viewed by security experts as ‘the biggest threat to industrial control systems since Stuxnet’] you will see an approach targeted for OT. This is the first event after Stuxnet where you can see that there is intelligence and organization going into getting through to the OT, and it’s a fact that there are drivers for hackers to do this.

We know that to do something in the OT domain, you require very good knowledge of processes and systems, and you have to understand how to get in as well as IT security concepts. This is a very limited skillset which is not very available for ‘the bad side’, and yet we can see that they are making progress. So the volume of attacks and the change in the interest area that you can see happening is what I find really important.

In the example of Industroyer, the designers built intelligent software that can make a bridge to the OT world, can get access to systems in the OT, and this is really frightening so we have to take it into consideration. And that means that security from the start is something that is important because, also in the case of Industroyer, a real infection, if it happens, will happen on the IT side. It’s a very staged approach.

Q: ENCS has done a lot of work in The Netherlands with smart charging infrastructure for EVs. This is one of a few focuses: smart metering, more general issues such as substation security, and transmission-level security.

A: The build-up of new systems connected to the grid at one side, and to IT and communication systems at the other side, brings new and unknown risks. There are hard deadlines for the deployment of smart metering infrastructure: by 2020, 80 per cent of meters in Europe will have to be smart. So this will be a new type of system and we need to know what it will mean for data and privacy, but also what kind of risks are associated with it. This is exactly the reason why we started to focus on the requirements side: to make sure that what you build in takes into account the risks associated with these new technologies.

EV charging is interesting as a topic because what you will be seeing with the Internet of Things – all kinds of connected systems – is something you can already learn about by deploying things like charging infrastructure for EVs. The particular reason why this is high on the priority agenda for grid operators is that impact. If there is a significant deployment of people driving EVs, then the power that you require for the loading becomes very significant, which means that this is going to have quite some influence on the grids themselves. By nature this means that if you want to do harm, this infrastructure becomes interesting to you.

So these together are the reasons why EV charging is, in terms of the security agenda, pretty high on the priority list, in combination with the fact that at the moment would be the right timing to address some of the issues because the domain is developing, and in some places is developing rapidly. But it also means that now it is required to take care of these issues.

Q: What is the timeline for the ENCS/ENTSO-E collaboration to produce results?

A: It’s an ongoing thing, and it is extraordinarily important, on top of what the developments are, to translate what they mean and require for the operational domain. There are new abilities on the hackers’ part and thus new risks. We cannot set a fixed date because the field is changing – it’s sort of a weapons race.