Digitalization is crucial for the renewable energy transition. Yet it also arouses a number of challenges for establishing, and maintaining, secure power systems.
To power a city the size of Hamburg, one single coal power plant suffices – with renewables, more than 500 wind turbines are required. This growing number of producers, which also tend to be more intermittent, makes balancing supply and demand ever more challenging and complex. Connected systems are needed to enhance flexibility in real time and provide incentives to producers and consumers to lower peaks, ultimately making energy cleaner, more intelligent and cost-effective.
However, the rise of cloud and IoT solutions – essentially, increased connectivity – in energy also brings the issue of security into question. With many more components, including software and various energy assets, new opportunities for attack present themselves, creating more dynamic challenges for security in energy. When it comes to IoT, systems are only as strong as their weakest link.
As in any industry, it is crucial to ensure that personal or sensitive data does not come into the wrong hands. For many companies, a data breach could severely damage not only their operations, but also their reputation. Steadfast IT systems that protect all employees’ and customers’ data are therefore key in any company.
Security in the energy industry is particularly important, however, as there would be grave repercussions if someone were to gain unwarranted access to certain infrastructure or systems and be able to influence the power grid. According to the World Economic Forum’s new white paper, ‘Cyber resilience in the oil and gas industry’, the average energy-sector data-breach cost has risen more than 13% since 2019, to $6.39 million, a significantly higher cost than the global average of $3.86 million. Because digitalization is crucial to the advancement of the industry, cybersecurity must become a key consideration for all organizations in energy.
The Texas power crisis in February 2021 is a prime example of how detrimental a sudden loss of power can be – the power blackouts caused 100 people to lose their lives, are estimated to have cost around $195bn and demand for heat triggered wholesale power costs to rise 400 times the normal amount. Imagine if cyber attackers could gain access to power systems and shut off heat during winter? In fact, the US government is taking huge steps to protect the power grid from foreign hackers, asking utilities to pay for and install technology to better detect hacks.
A significant disturbance in the European power grid occurred in January this year. If you didn’t hear about it, that’s because a robust system, automated processes and fast responses meant it went largely unnoticed. When the network frequency suddenly dropped due to an overload in Croatia, an automatic alarm was triggered. A central platform that bundled data exchange in real time automatically restarted power plants, while trained personnel took certain industrial customers off the grid and gained additional control from neighboring grids. Clearly defined and standardized responsibilities and communication enabled a stabilization of the network frequency within just a few minutes.
While not at the hand of hackers, these examples show the serious consequences of power outages. Preventing hackers from causing such damage has become critical to companies and industry-wide value chains across the globe. According to the World Economic Forum, an expanding network of digital platforms is exponentially increasing the scale and impact of potential cyber attacks. They purport that to build and maintain cyber resilience, energy stakeholders need secure supply lines, highly intelligent operations, committed partners and allies, as well as informed and engaged employees. They consider the establishment of a safety-first environment pivotal to not only securing current operations but also to enabling the industry’s continued digitalization.
To guarantee strong cyber hygiene in the energy sector, the foundational technology, such as cloud infrastructure, must first be built in a highly secure manner. Only after these systems are watertight should additional tools be used to further protect against cyber attacks. According to gridX CIO Joel Hermanns, “a proactive and holistic risk-management approach, alongside a dedicated structure that uses regulators’ compliance and protection as a minimum, must be implemented. We believe that following the principle of security by design is the best way to stay resilient against attacks. Best practices and benchmarks, such as Center for Internet Security (CIS) AWS Foundations Benchmark, are crucial here to ensure that errors or breaches are consistently avoided.”
"A proactive and holistic risk-management approach, alongside a dedicated structure that uses regulators’ compliance and protection as a minimum, must be implemented."
Joel Hermanns, CIO, gridX
As the energy industry increasingly adopts dynamic modern technology, the way we approach security must change accordingly. Joel stresses the importance of regular automated checks and periodic penetration tests to keep constantly evolving technology consistently secure and compliant. Encrypted data exchange is also necessary to ensure that unknown parties cannot read or manipulate data, as is maintaining a cyber-literate workforce by keeping employees up to date with any changes to IT standards or protocols.
As a platform and software provider, gridX always maintains up-to-date standards and tools, and uses automated testing processes to enable quick response times. By keeping our potential attack surface to a minimum – reducing software dependencies, avoiding open network ports and minimizing publicly accessible resources or servers – potential attacks can be eliminated from the ground up.
Senior Software Engineer at gridX, Philipp Franke, adds, “we combine the four-eyes principle for all code reviews, together with automated checks to ensure that all coding is implemented to the highest possible standards and any potential vulnerabilities in our development process are uncovered as early as possible.”
In addition, any data transmitted over public networks is encrypted using modern and secure technologies (usually based on TLS 1.3) – including any communication via our API, to and from gridBoxes and with partners. By following the principle of least privilege for authorization, each relevant entity is given the minimum necessary privileges to do the necessary work.
Finally, DevOps Engineer, Thomas Eck says, “it is important to use infrastructure as code and immutable infrastructure, meaning that our code is rolled out using modern tools such as Terraform, Cloudformation or Kubernetes. Ultimately, this results in a high level of reproducibility, traceability and transparency, some of the most vital components of any secure system.”
Energy systems, like many others, require a robust foundation, topped off with secure code and sophisticated tools. Systems must be regularly checked, both manually and automatically, and the right standards or protocols must be in place to ensure smooth and seamless communication. The high level of innovation in the energy industry means that as new technologies appear, they must be rigorously tested before being rolled out. Only then can the security of power flows be guaranteed, now and in the future.