How Cybersecurity is at the core of the future of grids

Our Head of Cybersecurity, Gennaro Fiorenza, illustrates how Gridspertise is protecting its customers' business, increasing the cyber resiliency of their infrastructures.


The power industry has evolved consistently in recent years, and its advanced digital transformation offers numerous benefits for both customers and utilities. At the same time, this rapid growth is also expanding the scope for potential cyberattacks, making the role of cybersecurity more and more pivotal for the future of the grids. Gennaro Fiorenza, Head of Cybersecurity, illustrates how Gridspertise is responding to these potential threats.

The regulation scenario in the EU

The European Union is acting on different fronts to enhance cyber resilience, fight cybercrime, and generally strengthen cyber diplomacy and defense. In the grid scenario, specifically, the Network Code on Cybersecurity has been recently adopted by the European Commission. This significant initiative aims to enhance the cybersecurity of cross-border electricity flows in European countries. It establishes a framework for cyber risk assessment, sets common minimum requirements, and includes certifications for products and services. In addition, the Network Code outlines procedures for monitoring, reporting, and managing crises in the event of cybersecurity incidents. 

On March 11, 2024, this initiative was adopted. There is another important date for EU regulation on cybersecurity: by October 17, 2024, the 27 Member States must adopt and publish the measures needed to comply with the Network and Information Systems (NIS) 2 Directive. The latter will be adopted by the following day (October 18). NIS 2 is the regulatory framework established to ensure a uniform and elevated standard of cybersecurity across the EU; it replaces and repeals the former NIS directive. It requires each Member State to guarantee that entities deemed essential and significant adopt suitable technical, operational, and organizational measures to mitigate risks to the integrity of network and information systems. These measures must also curtail the possible repercussions of incidents and cover the widest range of potential threats.

Finally, the Critical Entities Resilience Directive (CER), which replaced the former in 2008, mandates that each Member State implement specific actions to guarantee the continuous delivery of key services crucial for society, economic stability, and the internal market. These sectors, among them the energy and electricity subsector, need to reduce their vulnerabilities, and it is pivotal for them to identify the significant risks that can interrupt the vital services they provide to Europeans.

Internet of Things / Operational Technology Threat Landscape

IoT/OT refers to different key players, which are listed in the document prepared by ENISA, the European Union Agency for Cybersecurity: EU Cybersecurity Market Analysis – IoT in Distribution Grid. More recently, ENISA has published a new document that forecasts the possible threats related to AI in the electricity grids (Cybersecurity and privacy in AI – Forecasting demand on electricity grids). This latest update has added new threats to the existing ones, expanding the attack surface for cyber criminals who can target smart grids by trying to steal valuable data from smart meters or take control of the power grid.

Cyberattacks against grids are generally increasing; as pointed out by the IEA (International Energy Agency), power utilities are one of their favorite targets.

An attacker can cause a malfunction or take control of devices and demand a ransom. They can also gain direct access to distributor systems. Ransomware is considered a main threat according to the ENISA Threat Landscape 2023. Attacks like these on an infrastructure can lead to a ripple effect: reputational and economic damage (disruption of services), possible safety issues, and damage to the distribution network infrastructure.

In addition, the leak of personal data can have severe consequences for both the end customer and the company. For end customers, it can lead to a feeling of invasion of privacy, and in more severe cases, theft. For the company, it can result in a tarnished reputation and economic repercussions such as fines and penalties.

These are just a few examples of a much broader threat landscape in the digital grid. In any case, we can say that energy companies need to be ready to respond to threats that have not yet been concocted and could be as dangerous as the previous ones.

At the last Cyber Resilience Forum Romania, we recalled some of the latest cyber-attacks related to the power market, confirming that they are real and no longer belong to the pages of science fiction novels.

Here are some examples of the relevant IoT and OT cyber events that occurred during 2021 and 2022. During April 2022, Ukraine’s power grid appeared to be the target of Industroyer 2, a more targeted version of Industroyer, a malware created to destroy power grids. In the same period, cyberattacks caused the shutdown of the IT systems of the German wind turbine maker Nordex. And a ransomware attack forced the closure of the largest fuel pipeline in the US, the Colonial Pipeline.

In June 2022, one of the largest steel companies in Iran was forced to halt production after falling victim to a cyberattack, which also affected two other plants. This wiper malware attack (a wiper is a threat that erases the hard drive or the memory of the computer to delete data and programs) was claimed by a hacktivist group, Gonjeshke Darande, and caused damage that started a major fire in one of the factories. This attack hit 70% of the Iranian steel factories. It targeted the largest producer in the Middle East, Mobarakeh Steel Company, and operations were suspended for three days.

According to ENISA’s Smart Grid Threat and Landscape and Good Practices, the threats digital grids face are the following: natural events (such as flooding and earthquakes); physical damage (environment-related or a consequence of terrorist or vandalism activity); compromise of functions and information (e.g. malware, tampering with software, identity theft, and abuse of rights); interoperability (losing control of the supply chain); technical failures, such as Denial of Service (DoS) or denial of control action; loss of essential services (failure of telecommunication and network equipment); unauthorized actions; and disturbance due to radiation.

To this list, we should add the human factor. To achieve zero cyber incidents, manage emerging vulnerabilities, and support the customer along the entire lifecycle of our products, we must not undervalue the human threats, which are as dangerous as the above-mentioned ones. As pointed out by the Verizon 2023 Data Breach Investigation Report, 74% of breaches are linked to the human element, while 83% involve external actors and originate outside the organization and its partners.

To prevent these episodes from repeating, companies and utilities must invest in cybersecurity, manage risks, and adopt 'secure by design' solutions.

What companies should do

To respond to these threats, companies are called on to increase the level of cybersecurity in their organization, products, and infrastructures. Help should also come from a policy perspective. In this regard, the European Commission is working on the Cyber Resilience Act, which aims to ensure that products with digital features are secure to use, resilient against cyber threats, and provide enough information about their security properties. Smart energy solution providers and smart metering product manufacturers, aware that their products are used as part of mission-critical infrastructure, have to develop robust and highly secure products and services, assuring a high level of confidentiality, integrity, availability, and trust between all critical components.

How Gridspertise is protecting its customers’ business

Gridspertise’s goal is also to protect its customers' business, increasing the cyber resiliency of their infrastructures by combining our solutions and expertise. Gridspertise’s commitment to cybersecurity is also demonstrated by the ISO/IEC 27001 certification, the international standard for managing information security, obtained in 2022, just one year after our foundation.

Moreover, Gridspertise has published a cybersecurity framework inspired by the NIST Framework and other international standards. It is composed of seven processes: Cybersecurity Governance, Cybersecurity Risk Assessment, Cybersecurity Risk Treatment, Cybersecurity Engineering, Cybersecurity Assurance and Vulnerability Management, Cybersecurity Incident Management, and Cybersecurity Awareness and Training. 

Our framework is built on two main principles, the risk-based approach and cybersecurity by design, with the goal of protecting the organization's infrastructure and guaranteeing the security of the products.

Focusing on Gridspertise products, “Cybersecurity Requirements” are defined for each class of devices during the design phase, taking into account international standards and laws as well as market drivers. The requirements cover hardware (anti-intrusion mechanisms, hardening, hardware acceleration for encryption, etc.), software (access control, monitoring, encryption, network security, virtualization, wireless security, etc.) and process (patching, documentation, testing, etc.). Throughout their entire lifecycle, the devices are periodically tested by our cybersecurity team to check for the presence of possible vulnerabilities and to provide security updates to our customers.

Additionally, thanks also to its collaboration with specialized partners, Gridspertise could provide additional cybersecurity services, assisting utilities in securely integrating our devices into their infrastructure. Through this comprehensive approach, Gridspertise empowers customers to adopt the solutions while helping them maintain the highest standards of cybersecurity and resilience.

 

About Gennaro Fiorenza

Gennaro Fiorenza is the Head of TLC and Cybersecurity Solutions at Gridspertise, the newco of the Enel group that provides solutions and services for the digitalization of DSOs’ grids. Before joining Gridspertise in June 2021, Gennaro covered different roles in Enel Grids and e-distribuzione for almost 15 years, always focused on OT communication network design and cyber security. He led the communication network design and implementation of all the large Smart Grid delivery projects in Enel and, according to the internal organizational framework, he was the cyber security focal point of the largest Italian DSO. Prior to his work at Enel, Gennaro was a Solution Architect at Wind Telecomunicazioni S.p.A., an Italian telco, and a System Engineer at Ansaldo Trasporti S.p.A., working on Italian high-speed railway infrastructure. Gennaro received an M.Sc. degree in Electronic and Automation Engineering from Politecnico di Napoli, Università “Federico II”.

 
