By Akanimo Sampson
Electricity network operations are at risk of cyber-attacks, the International Energy Agency (IEA) has said. In its 2017 report, the agency said electricity systems – particularly network operations – are becoming increasingly digitalised, bringing many benefits to electricity consumers, utilities and the system as a whole.
In the IEA’s latest report, Enhancing cyber resilience in electricity systems, the agency says the growth in connected devices and distributed energy resources is expanding the potential cyber-attack surface of electricity systems, raising cyber risks.
The nature of these cyber risks is also changing as a result of increasing connectivity and automation, a shift to cloud computing and the replacement of sector-specific IT with open-protocol standards.
The electricity system is interconnected with all other critical infrastructure and services. Cyberattacks on electricity systems are therefore a critical threat to every aspect of modern societies. Policy makers, regulators, system operators and industry across the electricity value chain all have important roles to play in enhancing the cyber resilience of the system.
The agency, however, pointed out that digitalisation offers many benefits both for electricity systems and clean energy transitions.
At the same time, the rapid growth of connected energy resources and devices is expanding the potential cyber-attack surface, while increased connectivity and automation throughout the system are raising cyber-security risks.
The threat of cyber-attacks on electricity systems is substantial and growing. Threat actors are becoming increasingly sophisticated at carrying out attacks. A successful cyber-attack could trigger the loss of control over devices and processes, in turn causing physical damage and widespread service disruption.
While the full prevention of cyber-attacks is not possible, electricity systems can become more cyber resilient – to withstand, adapt to and rapidly recover from incidents and attacks, while preserving the continuity of critical infrastructure operations.
Policy makers, regulators, utilities and equipment providers have key roles to play in ensuring the cyber resilience of the entire electricity value chain.
According to the report, policy makers are central to enhancing the cyber resilience of electricity systems, beginning with raising awareness and working with stakeholders to continuously identify, manage and communicate emerging vulnerabilities and risks.
“Policy makers are also ideally placed to facilitate partnerships and sector-wide collaboration, develop information exchange programmes and support research initiatives across the electricity sector and beyond.
“Ecosystem-wide collaboration can help to improve understanding of the risks that each stakeholder poses to the ecosystem and vice-versa.
“Information sharing can enhance cyber resilience across the system for all electricity sector stakeholders.
“Stakeholders should be encouraged to share information on vulnerabilities and actual incidents, be transparent on implemented policies, and share information and best practices at national and international levels.
“A wealth of existing risk management tools, security frameworks, technical measures and self-assessment approaches are available. Policy makers and industry need to apply what is relevant in their context and approach resilience as a continuous process rather than a one-time milestone.
“Policy makers and the industry should both commit to an approach based on ongoing collaborative dialogue. Governments around the world can enhance cyber resilience through a range of policy and regulatory approaches, ranging from highly prescriptive approaches to framework-oriented, performance-based approaches,” the report said.
Approaches that are more prescriptive have the advantage of allowing for more streamlined compliance monitoring, but they could face challenges in keeping pace with evolving cyber risks.
Less prescriptive, framework-based approaches allow for different approaches and implementation speeds across jurisdictions, but they raise questions around how to establish a coherent and robust cross-country approach to cyber-security with tangible and effective impact. Implementation strategies should be tailored to national contexts while considering the global nature of risks.
“Cyber resilience policies need continuous review and adaptation. Further decentralisation and digitalisation of the electricity sector – especially at the distribution level (smart meters, connected consumer devices) – shifts the risk exposure to the grid edge. Effective policies need to look beyond bulk utilities and consider the entire electricity chain, including supply chains.
“Supply chain security is an international issue. To demonstrate security preparedness, certification or other similar mechanisms based upon existing international standards need to be institutionalised and interoperable at the global level, where deemed appropriate.
“Many countries and companies are developing and implementing policies and strategies to enhance the cyber resilience of their electricity systems. While differing contexts require tailored approaches, several overarching action areas can serve as the basis for achieving more appropriate electricity security frameworks for the future. These are: institutionalising responsibilities and incentives; identifying risks; managing and mitigating risks; monitoring progress; and responding to and recovering from disruptions,” says the report.
Continuing, it said policy makers need to set appropriate responsibilities and incentives for relevant organisations within their jurisdiction.
“Policy makers should designate responsible authorities to set objectives, give direction on measures and assess their implementation, implement co‑ordination mechanisms between responsible authorities (both within and outside the electricity sector) to avoid conflicts between various regulatory levels, oblige regulated and non-regulated entities to implement cyber-security safeguards. Measures should aim to improve outcomes, rather than relying only on compliance-based processes that risk becoming a box-ticking exercise. The level of enforcement needs to relate to how critical the organisation is to wider system reliability.
“Positive incentives need to be considered to foster transparency, co‑operation and co‑ordination. Policy makers, regulators and industry: increase the level of awareness of the need for cyber resilience across the sector, including in electricity-related agencies and authorities.
“Policy makers need to ensure that operators of critical electricity infrastructure identify, assess and communicate critical risks, ensure designated organisations regularly conduct system-level risk analyses to identify key threat scenarios and system vulnerabilities.
“Utilities and operators: identify and classify assets, systems and interfaces according to their risk level (likelihood and impact) and assign security measures according to level of system risk. Policy makers and industry: facilitate public-private cyber risk information sharing.
Policy makers and industry have to collaborate to improve readiness across the entire electricity system value chain. Policy makers and industry: provide accessible tools and guidance on cyber resilience best practices.
“Utilities: implement proper risk management strategies to identify capabilities and risks of their systems from both information technology (IT) and operational technology (OT) perspectives. Establishing a clear risk management strategy can help prioritise areas of work and investment decisions to maximise benefits.
“Policy makers, standards bodies, industry and researchers: develop facilities to test and validate effective implementation of cyber-security measures and controls. Policy makers and standards bodies: consider certification of products and services by carefully analysing criticality, enforcement options and market impact.
“Policy makers and industry: develop capacity building for cyber-security to ensure skills and resources evolve appropriately. This involves achieving buy-in and a basic understanding across the entire organisation. Mandatory training and certification of critical staff should be considered.”
Policy makers need to ensure mechanisms and tools are in place to evaluate and monitor risks and preparedness, and track progress over time. This is important at the operational level for individual utilities, as well as at the level of policy makers and regulatory authorities who need to understand if strategic objectives are met.
Policy makers and regulators: develop or provide mechanisms and tools to continuously monitor preparedness. Policy makers and regulators: develop mechanisms to monitor and build knowledge around emerging threats. This is an area where partnerships and communication with the intelligence community are essential.
Policy makers, the intelligence community and industry: develop and support active threat hunting and cyber-threat intelligence mechanisms to prevent or limit the damage from high-end attacks. Equipment providers and utilities: conduct active monitoring of the supply chain to detect vulnerabilities.
While policy makers and industry are to develop mechanisms to share incident reports and other information, the report urges that resilience must go beyond preventing incidents to include effectively coping with attacks. Policy makers need to enhance the response and recovery mechanisms of electricity sector stakeholders.
Utilities: implement robust response and recovery procedures that help maintain operations in the event of a cyber-attack, with clearly allocated responsibilities to all main stakeholders. Policy makers and utilities: execute regular response exercises and capture lessons learned and adapt practices. Policy makers, regulators and industry: stimulate information logging and sharing to facilitate analysis of actual incidents.
Digitalisation and decentralisation
The report also offers practical guidance to energy policy makers and other stakeholders on increasing the cyber resilience of electricity systems. Using real-world examples, this report aims to address the following questions:
What are the greatest cyber-security risks to electricity systems today? How are they evolving?
What strategies and actions can electric utilities and other key stakeholders develop and implement to identify and manage cyber risks and recover from attacks? What sector-specific characteristics need to be considered when tailoring general cyber resilience principles and measures to the electricity system?
How can collaboration between stakeholders help to maximise effectiveness and optimise efforts? How can responsibility best be assigned and shared?
How can policy makers and other industry organisations encourage a more proactive integrated risk management approach?
What are the lessons to be learned from different jurisdictions’ regulatory approaches to cybersecurity in the electricity sector? Which approaches have so far proven to be most effective, and how can effectiveness be measured in advance of actual incidents and failures?
Various terms and concepts are introduced and discussed in this chapter. The following table defines some of the principal terms used. This report uses the “cyber” prefix to discuss digital security and resilience issues related to intentional and malicious attacks and incidents on the electricity system (e.g. cyber-security, cyber resilience, cyber-attack, cyber risk).
The report does not cover unintentional incidents or broader digital security issues such as data privacy. The intent of this report is to provide broad guidance to energy policy makers and companies to enhance resilience in the electricity sector; it does not go into technical details or cover national security issues.