With some 2.5 billion devices soon to be connected, energy systems are more vulnerable than ever to cyberattacks. The key to strengthening security, writes Judith Wunschik, is taking a new holistic approach.
Terrorists get access to smart electric meters, trigger an area-wide power outage in Europe and spread chaos, anxiety and fear. That dystopian vision was a feature of the 2012 best-seller BLACKOUT. Tomorrow will be too late. Though the blackout scenarios that novelist Marc Elsberg portrays may be fiction, and the scope of the resulting disaster may seem exaggerated, nonetheless the tale vividly highlights one thing: our energy infrastructures are increasingly shaped by digital connectivity – and thus are also digitally highly vulnerable.
Cybersecurity long ago abandoned the point-by-point approach of keeping an eye on individual power plants, grid components and power lines. Hookups among generating, distributing and receiving systems for electricity are increasing every day – countless components connected online are being fitted together into a gigantic network. But the count of attack gateways and the vulnerability to cyberthreats are growing at the same rate. It’s estimated that the number of networked devices will climb to around 50 million this year, and grow tenfold by just 2030. Some two and a half billion industrial devices and systems will be networked together in the next two years alone.
If critical infrastructures – including power supply systems – become a target for cybercrime, the damage could potentially be far greater than just economic losses. But the financial risks themselves are already considerable. For instance, a study by the Accenture consulting firm concluded that after the banking and financial sector, the energy and power supply business is the industry most at risk of cyberattack. The cumulative value at risk for the world’s energy and power supply sector is estimated at USD 425 billion (EUR 359 billion) for the period from 2019 to 2023. Germany’s Federal Office for Information Security, BSI, recently released its situation report on IT security in Germany for the 2020 year, and notes that operators of critical infrastructures filed 419 reports of “security-relevant” attacks – compared to 252 the year before (2018: 145). And that figure does not even include the large number of presumed smaller incidents where reporting is not required, such as widespread phishing. The number of successful attacks that go unreported for reputational reasons is thought to be high.
What does this development show? Because of their core importance to our infrastructure, power generators and suppliers are an attractive target for cybercrime. In this context, the BSI mentions an increase in the observed amount of “active scanning for vulnerabilities in systems connected directly to the Internet.” The attackers are not bound by geographical national boundaries or political spheres of influence. Monetary objectives, in the form of blackmail – as in the case of ransomware attacks – may be one motive, as has recently shown up again in attacks on the IT systems at municipally operated utility companies. Which means small and medium-sized companies at the regional level especially need to be included in the appropriate precautionary measures.
But a digitally mounted attack would be incomparably more serious and more destructive if it caused physical damage, much less a “maximum credible accident,” in our real world. Imagine compromising entire power plants, transformer stations and power grids all the way down to the end consumer or industrial plants. That would bring us quite close to a scenario like Marc Elsberg’s. The fact is, the higher the level of digitalization, the more points of attack there are in our energy system – and the more important it is to take a professional approach to defeating cyberattacks.
Which is why it’s so important not only to educate and empower one’s own employees in matters of cybersecurity, but to offer products and advisory services to help suppliers, customers and partners strengthen their own “digital readiness”. Security tests, for instance of technical control and instrumentation systems and office workspaces, are a part of this; so are performing risk analyses and security requirements for suppliers, monitoring security incidents, and planning what measures to take in the event of a catastrophe. In the automation and industrial environment, the latest analytical methods are being applied to get an overview of a system’s individual cyber-maturity, its strengths and its weaknesses. The gaps that these methods reveal help identify risks and prepare suitable security concepts that address the aspects of plant, network, and system security. These are the key parameters for protecting industrial systems and critical infrastructures from internal and external cyberattack.
The key points to remember are these: digitalization not only offers a great many opportunities, but also creates new risks for the energy sector. The Internet of Energy – just like the “Industrial Internet of Things” (IIoT) – cannot work without cybersecurity. In a world shaped by more and more networking and automation, compromising a single digital terminal device is enough to infiltrate entire systems and cause vast damage. So to ensure a reliable, affordable and sustainable energy supply, we need all-around cyber protection that does not stop short at corporate or national boundaries.
December 1, 2020
Dr. Judith Wunschik is Chief Cyber Security Officer at Siemens Energy and responsible for ensuring the security of the company’s business operations, products, data and assets. She is a well-known public speaker and respected member of prestigious international security committees.
Combined picture credits: Siemens Energy
This article was originally published in the Handelsblatt Journal in Germany.