From your experience, what kind of problems do energy providers face when it comes to introducing and implementing cyber security measures? What could potentially be their biggest obstacles?
Often the basic architecture of IT systems is not up to date and may offer ways for hackers to get into the system. Therefore, it is crucial that the basics are well-structured and updated. The obstacle to this could be limited knowledge about evolving cyber-threats or the quality of the vendors who deliver IT solutions to companies.
What kind of actions should the energy sector take in order to be “cyber secure”?
Firstly, the people who are operating critical systems should be aware of potential and evolving threats. It is becoming vital to test systems against potential attacks, because cyber-attacks are getting more sophisticated and more difficult to trace. Sharing of information between energy companies, about their successes and also their failures, is essential for longer term resilience.
GDPR and NIS regulations have been in place since the end of May. Do you believe that the energy sector is ready to take the cyber security measures prescribed in these regulations?
The energy sector is going through several transitions at the same time: decarbonization and decentralization of energy production are driving the sector to make significant changes, and, as a part of it, all energy companies are digitizing and automating their activities and consumer interfaces. At the same time, all the new regulations have to be integrated into this process. There seem to be more difficulties in countries where the government has not developed basic supporting secure IT infrastructure for government services that could also be used by companies. In such cases companies have to address these issues by themselves, which is not an easy task.
Much is talked about the energy trilemma (energy security, energy equity, and environmental sustainability) as the basis for energy sustainability. Do you think that the European energy sector is prepared and doing well according to that index? How has the energy sector changed because of it?
This is a challenging question. The recent Energy Trilemma report from the World Energy Council (trilemma.worldenergy.org) reveals how successful countries have been at tackling all these dimensions over the last 20 years. There are very few countries that have improved their performance in all aspects of the trilemma. The main emphasis in Europe has been on environmental sustainability, but the performance on energy security and equity has hardly changed. And we can now also see the effects of this policy with the yellow vest movement in France, and difficulties in some countries in guaranteeing the security of electricity supplies.
Has the Energy Trilemma had an impact on cyber security companies? If so, what is the main impact it has had on them?
Cyber threats may be one of the reasons why energy cannot be supplied to customers, and once something of that kind happens, it will have a huge effect on countries. This risk is increasing with digitization of the sector. In order to guarantee stable energy supplies, the energy companies have to pay more and more attention to cyber-resilience issues to avoid blackouts due to cyber-attacks. In the short term, such a blackout may mean a loss of revenue for energy companies; in the long term, it would lead to the loss of customers, if they lose trust in their energy supplier. So, there is a huge market for cyber security companies delivering trustworthy systems to energy companies.
In the event of a cyber security emergency (e.g. a country’s power supply completely fails), what kind of concepts are available in Europe? On whom does the onus fall?
The critical part of each energy system is the grid. Transmission and distribution system operators must work more closely together to avoid emergencies and also act together if they happen. These companies are in the front line in the fight against cyber crime all over Europe and the world.
The World Energy Council has more than 3000 member organizations located in over 90 countries. What kind of cyber risks will your members face in the next couple of years?
As already stated, the transformation of the energy sector has already started. It has to be managed in such a way that no lights will go out. With decentralization of the energy system, we will have far more participants in the market, which means many more entry points for hackers. All these systems should be made “bullet-proof” and all relevant people need to be aware of the potential cyber threats associated with these developments.
On its website, the WEC provides a number of tools for companies and governments to use to address this kind of disruption that may change the future of the energy sector. With our reports on resilience, we provide information about the evolving risks, including cyber risks.