
THE ENERGY SECTOR NEEDS CYBER SECURITY
By Raúl Rocamora - Head of IT Systems
- Energy infrastructure increasingly targeted by cyber attacks
2001 Russia, 2003 and 2008 United States, 2012 Saudi Arabia, 2013 Austria and Germany, 2015 Australia and Ukraine, 2016 Israel, 2017 Great Britain. And we could go on, listing other cyber attacks suffered by energy infrastructures in the last twenty years.
What was already causing alarm at the beginning of this century is now considered a matter of primary importance. This is especially so when cyber attacks are aimed at infrastructures that are critical or strategic for the normal course of a nation's life, such as those dedicated to the production and distribution of energy. Damaging a pipeline, putting a power plant out of action, intervening in the safety system of a nuclear plant, sabotaging the purification system of an aqueduct: these are actions whose consequences are of unpredictable, even highly dramatic, scale. It is enough to observe the damage caused by a power blackout lasting a few hours in any city in the world: the blocking of services such as healthcare, water supply, transport, communications, industrial production and the financial system. Not to mention the negative repercussions on public order.
It has been calculated that a power outage lasting around six hours, in winter, in a country like France, would create economic and social damages of around 1.5 billion euros [+info].
There are still some who think that what is described here is only the plot of a catastrophic B-movie. In reality, the episodes follow one another. The most recent was in March of this year, in the USA, when several areas of the states of California, Utah and Wyoming were left in the dark due to a probable cyber attack on a local electricity provider [+info].
But who are the cyber criminals? Those responsible for these operations vary depending on the objectives and the forces deployed in the action: they can be hackers acting to obtain a ransom, cyber terrorists striking their political enemies, or even sovereign states determined to exploit new technologies to damage rival nations. Considering the potential impacts, such operations could even be equated to acts of war rather than simple sabotage.
Figure 1. Major cyber attacks on energy infrastructure since 2010
Source: World Economic Forum – Boston Consulting Group

- Digitalization of networks, increased risk
The ecosystem in which we are, and will increasingly be, immersed is itself a natural space for the growth and development of cyber crime. Digitalization, interconnection and connectivity, the Internet of Things, big data, artificial intelligence, and an ever-increasing convergence between operational technology (OT) and information technology (IT), to mention just some key points of the 4.0 revolution, have brought with them not only innovation and progress but also threats and risks.
Cyber security appears, therefore, not only indispensable but also transversal and present in all the main sectors of society: productive, economic and institutional.
Infrastructure is no exception; quite the contrary.
As in other sectors (think of industrial production), digital transformation has made networks more complex and more articulated. To govern the increasingly abundant flow of energy from renewables and to coordinate the increasingly numerous and advanced connected devices (smart home devices and electric vehicle charging systems, for example), increasingly decentralized and “intelligent” management is needed, taking into account the many parties now involved.
As Paola Girdinio writes [+info] – she is a leading expert on cyber security and currently president of Start 4.0, the Italian Competence Centre for the Security and Optimization of Strategic Infrastructures – “Data generated in embedded systems, created by machine-to-machine devices and IoT (Internet of Things), are growing exponentially in the electricity sector and their importance is at the heart of the system. […] IoT units installed globally by utilities have grown by an average of 23% per year. With them, attacks. And not only in their number, but above all in complexity”.
- Investing in Cyber Security: An Inevitable Choice
Cyber security is the combined action of multiple factors. Continuous technological upgrading of the security devices that stop attacks, or at least limit their damage, is not necessarily the first of these, although it may appear so.
Perhaps what comes first is recognition of the problem by company management and/or political decision makers. Only with a full and conscious understanding that a serious danger exists for the entire system (corporate, but not only) is it possible to set strategies and actions in motion. These are better if they are common or shared as much as possible, in order to unite efforts and forces.
Something is moving, even if not at the same speed or in a uniform way. Companies, even in Italy, are starting to invest: in 2018 the information security sector exceeded one billion euros, an increase of 9% compared to the previous year. While the culture of information security has begun to make its way among the large companies in our country, it is unfortunately still not very widespread among the most numerous players in the local production sector, namely small and medium-sized companies. In 2018, 70% of the already modest budget for information security was used to comply with the privacy rules imposed by the European GDPR regulation (source: Information Security & Privacy Observatory of the School of Management of the Politecnico di Milano 2018).
However, as is the case with the Digital Transformation of the production system – the Fourth Industrial Revolution 4.0 – the real obstacle is the lack of a culture of innovation and poor strategic vision. Italian SMEs, too often prisoners of their day-to-day activities, do not see training, updating and technological adaptation as essential tools for doing business and ensuring a future for their company. This applies to cyber security first and foremost.
In the meantime, the European institutions and, by extension, the national ones have placed cyber risk among the most relevant issues. Proof of this is two regulatory instruments: the NIS Directive [+info] of 2018 and the Cyber Security Act [+info] of this year, both implemented by Italy. In addition to the directives, which pay particular attention to the production and energy sectors, there is the Recommendation of the European Commission of 3 April, specifically addressed to the energy sector [+info]. The security of energy networks is one of the key objectives of the EU cyber security strategy [+info], but it is also the duty of every democratic nation to guarantee adequate levels of safety and well-being to its citizens.







