June 15, 2018 (updated 18 Jun 2018 5:12pm)

Smart grid cyberattacks could create multi-country blackouts, but the energy industry isn’t prepared

By Lucy Ingham

Advancements in electricity grid technology have opened the door to devastating smart grid cyberattacks, the head of Europe’s leading cybersecurity non-profit has warned.

Speaking to Verdict’s sister title Power Technology, Anjos Nijk, managing director of the European Network for Cyber Security (ENCS), said that such attacks could cause blackouts so vast they cover multiple countries, and the energy industry currently lacks the skills to cope.

“Ten years ago the energy grid was still a fully stand-alone system. Now, it gets more connected by the day,” he said. “Non-secure systems are added and existing non-secure systems get more exposure into an increasingly complex architecture of the overall grid system.

“With the current speed of digitisation of the grid systems, which is needed to facilitate the energy transition, and the speed of connecting new systems and technologies to the grids, such as smart metering, electrical vehicle charging and IoT [Internet of Things], grid systems become vulnerable and the ‘attack surface’ expands rapidly.”

Multi-country blackouts: the risk of smart grid cyberattacks

Nijk said that cyberattacks on smart grids, which are currently being deployed in many countries, could trigger what is known as “cascading”.

“This means that if a large system is damaged, other systems will be infected as well,” he said.

“This then may lead to a big-scale blackout – even beyond country borders – as the entire grid system is connected. Even other critical infrastructure such as transport and healthcare can be affected, as they all rely on energy supply.”

In this sense a large-scale attack on a smart grid could have far more severe implications than even some of the most severe cyberattacks to date.

“If the bank is hacked, you lose money: if the energy grid is hacked, you may lose lives.”

The energy industry isn’t prepared for smart grid cyberattacks

Of most concern is that the energy industry is simply not equipped to deal with the problem.

Nijk said that, to maintain security and prevent smart grid cyberattacks, operators require specific skills that were not needed to run traditional grid systems. As a result, the industry simply does not have these skillsets at the scale and level needed and is struggling to attract enough talent to meet its shortfall.

“Another main issue is the need for, and lack of, the knowledge and skillsets that grid operators require,” he said.

“Not only to integrate the new technologies in the grid, but also how to operate the new environments managing multiple technologies and increasing data volumes. To do all of this in a secure way, a thorough understanding of security concepts and how these should be applied in this fast-changing environment is needed.

“There is currently a lack of qualified staff in this domain, and these skills and knowledge are extremely hard to develop.”

What’s more, attackers themselves are getting better at taking on smart grids.

“Since the Ukraine blackouts, we know that energy grids can be brought down by hackers. So, as a grid operator you have to be prepared,” he said.

“The last few years have shown that malicious players have developed rapidly, with increasing volume and sophistication of attacks. It’s a huge challenge for the grid to keep up with the pace of the cyber attackers and technologies.”