Cyber security is becoming an ever more inseparable component of our efforts to ensure a secure and functional European economic infrastructure, especially when we consider the power sector. As the trend of a continuously growing electricity demand will probably persist, ensuring a secure flow of the commodity will depend more and more on our electric power systems' cyber resilience level.
Let us point out the cyberattack on the Ukrainian power grid that occurred in 2015. This event has demonstrated the potential impacts of such a suchlike cyber incident caused by a cyberattack on an electric grid. It has also highlighted the need to focus our attention on cyber security, particularly on the specific characteristics of the power sector that influence how we ensure its cyber resilience.
As the IEA warns, "the threat of cyberattacks on electricity systems is substantial and growing." However, we have experienced only a few successful and severe cyberattacks targeting the electricity- or generally the energy sector so far. Then why do we deem it important to focus specifically on the cyber security of the power sector? Why do we emphasize the growing importance of defining effective cyber security architecture for the European power grids?
An important part of the answer to those questions lies in the already mentioned sector-specific characteristics of the power sector. The process of cyber-securing the electricity systems is comprised of various components (such as risk management), which are sector universal. Yet, when it comes to the electricity sector, its specificities need to be considered when implementing those components. This might cause the process of ensuring cyber resilience to be relatively more complex.
Firstly, (not only) European power systems are largely characterized by a technological mix of newer and older components with a long operational lifetime. In the case of the latter, cyber security principles were rarely included in their security architecture. Nowadays, those “legacy” components transform power grids consisting of an increasing number of modern IoT devices. Such a mix of technologies with various cyber resilience levels may adversely affect the overall vulnerability of power systems unless technologically integrated cyber security measures are implemented.
Secondly, power grids are known to operate in real-time. Out of the CIA (Confidentiality, Integrity, Availability) triad thus, emphasis is being put especially on the Availability, i.e., the possibility of accessing information, data, or a computer system. Therefore, security updates must not compromise the functionality of the operational technology (OT) in question. Additionally, some traditional cyber security processes like authentication must either take only fractions of a second or are due to their response time being impossible to implement.
Lastly, we may not ignore the highly interconnected nature of the power grids across European countries. With the ongoing decarbonization efforts and related measures aimed at effective integration of variable RES, enhancements of the electricity grid interconnectivity have been increasingly taking place in terms of both the electricity and the digital layer. This, however, means that a cyber incident occurring locally might cause a cascading effect with potentially large-scale impacts, affecting several countries.
The second part of the answer to the aforementioned questions is based on the main trends within the electricity sector, which, as much as the energy sector itself, is going through some substantial changes. As we have already suggested, the ongoing integration of RES as well as of other power grid components contributes to the overall grid expansion and power generation decentralization. Yet, one of the most influential trends in the electricity sector is the large-scale digitalization of which tempo has been in recent years growing significantly. We are observing a gradual physical-cyber convergence among power system components where traditional analog communication is being replaced by a digital one. The sectoral ICT (Information and Communications Technology) layer, which has been forming for already quite some time, thus complements the physical electricity grid. The convergence is then reflected at the level of information and operational technologies (IT/OT) where OT, such as remote terminal units, are being integrated into a digital network. OT and IT of new and legacy components are thus becoming more and more integrated, resulting in an overall increase in network integration.
In terms of cyber security of the European power grids, where do these sectoral characteristics and trends leave us? When taken into account, it is not the concept of cyber security that is subject to change. It is the level of its complexity and the difficulty of ensuring the cyber resilience of European electricity systems that are changing. Discussed trends bring along not only economical, security, and other benefits. They also contribute to, e.g., the expansion of the cyberattack surface or to the intensifed concerns over the security of the supply chain, which supports power networks through the provision of specialized software, hardware, or services.
At the European level, such challenges are addressed by the NIS Directive (EU 2016/1148), which provides a legislative basis for cyber security practices and measures within key sectors, including energy. Currently, the proposal for NIS2 and Network Code on Cybersecurity are being discussed to overcome the limits of the current legislation and provide for an electricity sector-specific regulation of cyber security. Other than top-down regulation, however, we also need pertinent bottom-up activities. Regular cyber security personnel training or research initiatives such as in February 2021 opened Critical Infrastructures National Testbed Centre of Turkish SAÜ and STM, which provides an environment to develop cyber security solutions for, among other things, power grids, might help us to keep up with the changing environment in the power sector. Because it is the joint efforts that can enable us to ensure an integrated and adaptable cyber resilience of European electricity grids.
A more elaborated version of this article focusing on the Czech Republic and Slovakia is currently under review and published in Časopis ENERGETIKA.