EU Agency: Cyber Security is Crucial to Smart Grid Protection

The EU’s cyber security agency ENISA has signaled that assessing threats for smart grids is crucial for their protection and is therefore a key element in ensuring energy availability.

Secure governmental e-services are critical for society, e.g. health, procurement and justice. Security is crucial for gaining the trust of the EU citizens on using these services. However, there are many security challenges to overcome in order to ensure their successful deployment.

The TSP study underlines that:

Smart grids are complex “systems of systems,” storing, transporting and managing energy from production to consumers. A smart grid is de facto critical infrastructure as energy is crucial for society and for the well-functioning of the economy. By combining energy and information infrastructures, smart grids are critical infrastructures and should operate securely by respecting end users’ privacy.

The executive director of ENISA, Professor Udo Helmbrecht, commented, “An understanding of the cyber-threat landscape is indispensable for identifying which protection measures are necessary for smart grids. This report is the response to the urgent question of energy providers and stakeholders: It provides the tools to assess risk exposure of smart grid assets. In cyber security, we need common efforts and coordination to reduce impact.”

This report provides a threat landscape affecting smart grid components. It takes stock of available cyber security and protection approaches as well as good practices in the field. The study also lists internal threats affecting IT smart grid assets, including a variety of threats emanating from errors and insider attacks.

Key conclusions:

• Consider external and internal threats: in cyber security, external cyber threats constitute the main source of external exposure. This cyber threat environment originates from threat agents, using cyber threats and launching cyber attacks.
• Decompose and classify smart grid elements being exposed to threats: from electrical assets like cables, switches, routers, sensors and information to software such as  operating systems, services, hardware, infrastructure, and the persons operating the systems.
• Use available knowledge: reuse existing good practices after defining the level of desired protection.
• List the specific smart grids cyber threats, for example:
  • Eavesdropping/interception/hijacking: e.g. information leaking, electro-magnetic/radio frequency interception, sniffer attacks, failures of devices and systems, attacks, and physical attacks, and
  • The threat agents, such as corporations, cybercriminals, employees, hacktivists, nation states, natural disasters, terrorists, the new element of cyber fighters

• Assess vulnerabilities and risks in smart grids.
• Assessments to be done by asset owners: Finally, the Agency concludes that the threat exposure and risk assessment of a smart grid can only be done by the asset owner, who masters the complexity and interdependencies of the related smart grid infrastructure.