The convergence of previously separate sectors around renewable smart grids is creating an expansive energy value chain with widely divergent cyber security practices and vulnerabilities, eroding organisational control over energy security.

A failure to consolidate cyber security practices and policies across this new diverse value chain could result in cyber-attacks causing operators severe financial and reputational damage. Fear of cyber attacks has already been found to affect consumer take-up of smart meters and poor security could hamper the success and adoption of smart grids.

The two-way communication of data between producer and consumer could bring major benefits in terms of transparency, customer loyalty, greater grid flexibility and resilience. Yet this also means smart grids are more vulnerable to the loss of personal and private data, which could undermine the consumer confidence on which they depend. The growing scale of the threat is demonstrated by a recent rise in ransomware attacks targeting energy networks, from pipelines to power grids.

Weak links in the energy value chain

We are witnessing the unprecedented joining up of previously separate sectors around sustainable energy. For example, green hydrogen brings together sectors as diverse as chemicals, gas, electrolysers and electricity. Our experience here includes work with a UK city council, power and gas companies, universities and businesses to create a sustainable self-powered city which will involve cross-sector collaboration, but it’s not just us. An array of local off-the-grid producers from enterprises, local authorities and cities are also now working with an ecosystem of partners and suppliers to generate, store and share their own power. Simultaneously, smart grids are driving the convergence of the energy and technology sectors to create efficient, flexible grids that balance supply and demand based on live data. This renders energy grids dependent on the security practices of a wide variety of third-party technology companies, from cloud providers to smart infrastructure suppliers.

The result is that responsibility for grid security is increasingly dispersed among a wider array of organisations than ever before. Any infrastructure is only as secure as the weakest link in its supply chain, and this ever-expanding green energy ecosystem creates a bigger patchwork of cyber security vulnerabilities. Many of these suppliers now need continued access to their customer energy networks to perform remote maintenance and monitoring of energy assets, creating more potential vulnerabilities. And new energy infrastructure often interfaces with legacy infrastructure which was never designed for connectivity. If the old, centralised energy grids resembled large walled castles with just a few gateways, the current energy system more closely resembles a multitude of mini castles with many intricate interconnections between them.

Edge devices create a porous perimeter

A plethora of edge devices around networks from smart meters to mobile apps is also widening the attack surface and creating a more porous perimeter around energy networks. Mobile apps now allow customers to remotely monitor and control energy consumption and employees to monitor network hazards in real-time. Networks also have an array of sensors collecting and sometimes analysing data at the edges, from smart appliances to sensors on grid infrastructure. These are made by an array of technology suppliers with varying standards of security, creating a diverse and distributed array of potential attack vectors.

This is further compounded by the fact that some manufacturers are sacrificing security for speed to market and rushing out new smart appliances with limited security features. As our energy security can no longer be centrally controlled, we now require new security frameworks to inform and incentivise best practice across an increasingly decentralised, disparate value chain.

The need for a holistic security framework

Without direct control over energy security, grid operators must use cyber security frameworks to assess business risk across all cyber, digital and data projects and enforce best practice among all partners and suppliers. These frameworks should be based on best-practice standards such as IEC 62443.

Cyber security should be baked into procurement and partnership programmes from the outset so that all potential suppliers and partners are carefully vetted for compliance with security standards. Imposing cyber frameworks on Tier 1 suppliers would create a cascade of best practice cyber security as each tier of suppliers enforces the same standards on lower tiers.

New digital or data projects should not be introduced in silos without considering their potential impact on risk across the organisation. All digital, data and cyber projects should instead be interconnected from the start so that security is baked in at design stage and risks can be continuously assessed as new technologies are added. For example, reports found that some electricity generation is vulnerable to ransomware attacks because of clean energy infrastructure that was designed without security in mind. Cyber risk assessments cannot be a one-off exercise at implementation stage but must be monitored and managed across the lifecycle of all energy assets.

Rather than focusing narrowly on cyber risks, organisations should also get an integrated overview of business risk across all digital and data projects so that diverse digital ecosystems can be monitored and managed as a single ‘system of systems’. This requires the hiring of in-house professionals or consultants who have blended skills in cyber and digital and understand how all vulnerabilities translate into business risks. These professionals must conduct due diligence on all contracts and Service Level Agreements to ensure they do not introduce new risks to the business. For example, when signing up with a cloud provider, even a seemingly innocuous unticked box in a contract can introduce new risks to an energy grid.

Organisations also need to manage all third-party remote monitoring and maintenance of energy infrastructure with strict user permissions to validate and verify user identities before granting access to energy networks. Any service providers with responsibility for energy data or remote access to infrastructure must be strictly vetted against a checklist of criteria. The widening array of edge devices, from mobile apps to smart meters, is opening new vulnerabilities in energy systems, which requires that all suppliers are thoroughly vetted to ensure they conduct continuous monitoring and patching of devices throughout their lifecycle.

Learning from the automotive sector

The rapid digitalisation and diversification of the energy sector to achieve decarbonisation creates a plethora of new cyber security risks. The automotive industry offers an example of an industry that is rapidly digitalising and decarbonising and has adopted robust cyber standards to ensure consistent best practice across diverse supply chains. Its Trusted Information Security Assessment Exchange (TISAX) standard ensures all suppliers and OEMs implement equally secure information security management systems at every stage of the vehicle lifecycle and every part of the connected vehicle ecosystem.

The renewable energy industry should match this effort, adopting frameworks encompassing suppliers, OEMs and energy producers that ensure consistent cyber security best practice across asset lifecycles and across an increasingly diverse energy ecosystem.

Author: Steven O’Sullivan – Head of Smart Cybersecurity at Enzen