As the energy sector becomes increasingly connected and digitised, there are many potential obstacles at play. Cybersecurity is, by far, one of the biggest.
Vaiva Seskeviciute from E.ON Innovation chats with Andreas Breuer, Vice President Research and Development of Energy Networks at E.ON, and Aurelio Blanquet, Board Advisor at EDP, about the growing importance of cybersecurity in the innovating and digital energy market of today.
Aurelio: Cybersecurity is a crucial topic and will continue to be as far as digital systems become increasingly evasive in our critical infrastructure. Cybersecurity plays an essential role in all industries because we need to ensure the reliability of the systems they run on. Besides reliability, it’s also about trust. We have to make our systems so secure that our internal users, customers and suppliers can trust them when they interact with them. Cybersecurity is a foundational pillar for digital trust.
It became important when we increased our digitalisation and innovation efforts and mainly when we started using more open standards and platforms to develop this new digital era. This openness is not a weakness but a risk that must be properly managed.
Andreas: The more players connect to our infrastructure and actively participate in the energy system, the more complex it becomes. When our customers, for example, want to be connected to the grid with photovoltaics or battery storage, we have to make sure that the confidentiality, availability and integrity of this connection are guaranteed.
Therefore, cybersecurity is an essential part of our energy system. And its importance grows with digitalisation of infrastructure and integration of new innovative components into it.
Aurelio: Cybersecurity is as strong as the weakest point in a security chain. This means that all the issues related to technology and communications and digital - from tech to people - are all just as important as one another to ensure a tight cybersecurity ecosystem. Otherwise, a weakness will always remain.
I think that the main challenge is the design of the products. Thinking about cybersecurity from a design standpoint is a huge challenge because it's difficult from both a technological as well as an investment perspective regarding how to deal with our legacy systems. We still have a lot of these in industry. Most of our operational technological systems were designed and considered taking into account a high level of reliability. However, cybersecurity and the way it has been redefined today was not considered at the very beginning. How do we make these legacy systems secure without replacing them all? It would be a ‘mission impossible’. It's a big, big challenge for our engineers and our investment plans.
Andreas: We always need to be on eye-level with the developments happening in the rest of the world because there are always new possibilities for attackers. EUTC provides a European platform for information, communications and technology – it's about describing standards and proving them. We also use the platform to learn about new innovations, test them and find the possible weak points within them.
This association is a great starting point to discuss new standards, new rules, being better in touch with the processes and asking questions like ‘how to deal with our infrastructure and service companies in day-to-day life?’. And it's not only about technology, but also about understanding how aware people are of the risks.
Aurelio: The main issue when it comes to cybersecurity is human behaviour, for example, people's awareness when receiving spam or a phishing attack. People can easily fall into a well-designed phishing trap, and that's what happened - it was spam mail that wasn't detected by the usual mechanisms that our company has and so the virus spread on our servers.
It was also a very well-timed attack. This was our main lesson, that nowadays these attacks are well planned. It could have happened in February but it didn't, it happened in March, when the world had started to work from home, which meant that even our employees that had never worked from home before had to be connected to our corporate network and data centres from a remote location. This was the most vulnerable moment for the company.
It happened after an employee opened a mail link. Of course, the attackers asked us to pay millions of euros to unencrypt the information, but we didn't give in. What had happened was a crime and was dealt with by the authorities. Luckily, we were able to continue to work from home and recover the data thanks to some of our past investment decisions that ensured the backup of all of our information.
Andreas: There are regularly incidents at E.ON and other companies in the industry. Fortunately, we have been able to impede the better part at an early stage so far. In general, it's a daily job to be aware of the risk and know that there are always attacks. We have, over the past years, learned a lot about hardware and software security and about the processes which have to be looked at end-to-end and how people use these technologies.
As Aurelio mentioned, a chain can only be as strong as its weakest link and so it isn't always just how a certain piece of hardware or software has been designed. It can also be about the people dealing with them. It's a holistic approach not only focused on technology but also how to use that technology in a very complex system.
Generally, though, I don’t think you can protect yourself 100 percent in cybersecurity.
Aurelio: Yes, I think that's a very, very important point. We cannot assure 100 percent security, but we can aim to ensure 100 percent awareness of the risks, of our vulnerabilities, and of our ability to react and recover as fast and efficiently as possible.
While the impact levels can be different, we need to be - and I think we are - prepared to face those situations.