The growing digitalization and connectivity of energy systems also has a downside: It increases these systems’ vulnerability to cyberattacks. The key is a holistic approach to cybersecurity.
By Judith Wunschik, Chief Cyber Security Officer at Siemens Energy
Terrorists get access to smart electric meters, trigger an area-wide power outage in Europe and spread chaos, anxiety and fear. That dystopian vision was a feature of the 2012 best-seller BLACKOUT. Tomorrow will be too late. Though the blackout scenarios that novelist Marc Elsberg portrays may be fiction, and the scope of the resulting disaster may seem exaggerated, nonetheless the tale vividly highlights one thing: our energy infrastructures are increasingly shaped by digital connectivity – and thus are also digitally highly vulnerable.
Cybersecurity long ago abandoned the point-by-point approach of keeping an eye on individual power plants, grid components and power lines. Hookups among generating, distributing and receiving systems for electricity are increasing every day – countless components connected online are being fitted together into a gigantic network. But the count of attack gateways and the vulnerability to cyberthreats are growing at the same rate. It’s estimated that the number of networked devices will climb to around 50 million this year, and grow tenfold by just 2030. Some two and a half billion industrial devices and systems will be networked together in the next two years alone.
“Cybersecurity long ago abandoned the point-by-point approach of keeping an eye on individual power plants, grid components and power lines.”Judith Wunschik, Chief Cyber Security Officer at Siemens Energy
Critical infrastructures in focus
If critical infrastructures – including power supply systems – become a target for cybercrime, the damage could potentially be far greater than just economic losses. But the financial risks themselves are already considerable. For instance, a study by the Accenture consulting firm concluded that after the banking and financial sector, the energy and power supply business is the industry most at risk of cyberattack. The cumulative value at risk for the world’s energy and power supply sector is estimated at USD 425 billion (EUR 359 billion) for the period from 2019 to 2023. Germany’s Federal Office for Information Security, BSI, recently released its situation report on IT security in Germany for the 2020 year, and notes that operators of critical infrastructures filed 419 reports of “security-relevant” attacks – compared to 252 the year before (2018: 145). And that figure does not even include the large number of presumed smaller incidents where reporting is not required, such as widespread phishing. The number of successful attacks that go unreported for reputational reasons is thought to be high.
What does this development show? Because of their core importance to our infrastructure, power generators and suppliers are an attractive target for cybercrime. In this context, the BSI mentions an increase in the observed amount of “active scanning for vulnerabilities in systems connected directly to the Internet.” The attackers are not bound by geographical national boundaries or political spheres of influence. Monetary objectives, in the form of blackmail – as in the case of ransomware attacks – may be one motive, as has recently shown up again in attacks on the IT systems at municipally operated utility companies. Which means small and medium-sized companies at the regional level especially need to be included in the appropriate precautionary measures.
But a digitally mounted attack would be incomparably more serious and more destructive if it caused physical damage, much less a “maximum credible accident,” in our real world. Imagine compromising entire power plants, transformer stations and power grids all the way down to the end consumer or industrial plants. That would bring us quite close to a scenario like Marc Elsberg’s. The fact is, the higher the level of digitalization, the more points of attack there are in our energy system – and the more important it is to take a professional approach to defeating cyberattacks.
Relevance of cybersecurity in the connected energy landscape
Conversely, cybersecurity plays a crucial role in designing a resilient energy system and guaranteeing a secure power supply. The example of Siemens Energy makes clear just how significant cybersecure products, solutions and services, throughout the energy value chain, can be for systems: about one-sixth of all the electricity generated worldwide is based on Siemens Energy technologies. That’s why cybersecurity also plays a crucial role in the company’s strategy for every business-critical process; it is an integral part of the digital transformation.
For instance, the “Charter of Trust” initiated by Siemens AG in 2018, which now lists 17 global corporations and world market leaders as its signatories, has called for binding rules and standards so as to build trust in cybersecurity – and to make our digital world more secure. The basic principles of the Charter of Trust include building up a line of defense that runs all through the value chain, and protecting it against hacking by applying secure hardware and software. Crossing corporate and national boundaries, and irrespective of business models, the hope is that this effort will lead to the development of comparable standards for applying effective strategies for cyber defense, and for protecting our health and infrastructures fast and reliably in a crisis
A holistic view of cybersecurity of course must include everyone involved and all aspects. Account must be taken of a company’s own infrastructures and production facilities and its employees, as well as customers, suppliers, business partners and the general public. Companies, especially energy companies, must become aware today of the importance of security throughout the ecosystem in which they operate. Every individual, process and product should be incorporated as seamlessly as possible into a well-protected system that permits fully cybersecure operation. After all, millions of decentralized units are already communicating with one another today. At the same time, the many intelligent systems connected by way of the Energy Internet have increased its complexity; our energy value chains, and thus our energy supply, are getting more vulnerable to attack.
“Cybersecurity plays a crucial role in designing a resilient energy system and guaranteeing a secure power supply.”
Building and strengthening digital readiness
Which is why it’s so important not only to educate and empower one’s own employees in matters of cybersecurity, but to offer products and advisory services to help suppliers, customers and partners strengthen their own “digital readiness”. Security tests, for instance of technical control and instrumentation systems and office workspaces, are a part of this; so are performing risk analyses and security requirements for suppliers, monitoring security incidents, and planning what measures to take in the event of a catastrophe. In the automation and industrial environment, the latest analytical methods are being applied to get an overview of a system’s individual cyber-maturity, its strengths and its weaknesses. The gaps that these methods reveal help identify risks and prepare suitable security concepts that address the aspects of plant, network, and system security. These are the key parameters for protecting industrial systems and critical infrastructures from internal and external cyberattack.
The key points to remember are these: digitalization not only offers a great many opportunities, but also creates new risks for the energy sector. The Internet of Energy – just like the “Industrial Internet of Things” (IIoT) – cannot work without cybersecurity. In a world shaped by more and more networking and automation, compromising a single digital terminal device is enough to infiltrate entire systems and cause vast damage. So to ensure a reliable, affordable and sustainable energy supply, we need all-around cyber protection that does not stop short at corporate or national boundaries.
December 1, 2020
Dr. Judith Wunschik is Chief Cyber Security Officer at Siemens Energy and responsible for ensuring the security of the company’s business operations, products, data and assets. She is a well-known public speaker and respected member of prestigious international security committees.
Combined picture credits: Siemens Energy
This article was originally published in the Handelsblatt Journal in Germany.