How cybersecurity is being reinforced across industries
Marius Dechand, Digital Technologies Senior Expert, and Friederike Wenderoth, Energy Infrastructure Team Leader, on cybersecurity in electricity grids.

The energy transition requires increased cybersecurity. Maintaining cybersecurity is currently a cost-intensive and complex process for companies, and there is often a lack of experience and expertise. The ‘Cybersecurity in the electricity industry’ platform, which is funded by the Federal Ministry for Economic Affairs and Climate Action, unites stakeholders from the electricity, digital and cybersecurity industries to jointly develop solutions, share experiences and communicate the acquired knowledge to the public. In cooperation with the Gesellschaft für Informatik e.V. and the industry platform partners, dena published a study entitled ‘Topic roadmap for cybersecurity in the electricity industry platform’ as part of the industry platform. Friederike Wenderoth (Energy Infrastructure Team Leader) and Marius Dechand (Digital Technologies Senior Expert) explain the seven fields of action identified in the study and categorised as particularly relevant for the electricity industry.
What are the issues affecting the electricity industry?
Creating a knowledge base for classifying threats and attacks
Existing frameworks for classifying attacks, such as the MITRE ATT&CK framework or the Cyber Kill Chain framework, provide very comprehensive information on cyberattacks. Processing this information specifically for the electricity industry can make it much easier to access. Existing electricity industry-specific information can also be included.
Tackling the challenges of networked OT systems, including with regard to sector coupling
IT (information technology) is used mainly for business operations, whereas OT (operational technology) describes the hardware and software used for electrical measurement, control and regulation in grid operation. Increasing digitalisation and the networking of OT systems can provide business benefits and greater flexibility, but they also create new cybersecurity requirements.
Raising awareness among managers
Cybersecurity is to be made a top priority with the implementation of the NIS 2 Directive (an EU directive to increase the resilience of networks and information systems across the EU). However, the perception of those surveyed is that this is often not sufficient motivation for managers to provide larger budgets for cybersecurity measures. One of the main reasons for this is the opaque nature of cybersecurity costs and their various components, combined with the difficulty of estimating the resources needed for comprehensive security. As a critical infrastructure, the electricity sector already has to fulfil more and more requirements, but cybersecurity is more than just a matter of following the rules, as new technologies are developed and vulnerabilities are found every day.
Expanding testing and training opportunities
Regular cybersecurity exercises, the expansion of testing options for the interaction of IT and OT systems, as well as test labs for integrating new software into a realistic test environment offer substantial added value for improving the resilience of companies. This offer can be specified and expanded by developing a concept for electricity industry-specific further training or cybersecurity exercises, as well as a collection of requirements for test laboratories.
Increasing transparency in legislation
There is a comprehensive set of regulations for the cybersecurity requirements of critical infrastructure operators. However, these are developed by different institutions with different roles. There are also a large number of organisations that develop recommendations for action, provide information or encourage an exchange of experience on cybersecurity.
Driving forward the standardisation of certifications
Legislation specifies the security requirements that operators of critical infrastructures must fulfil. These requirements must not only be implemented, but evidence of their fulfilment must also be provided. Certifications enable companies to prove through independent testing that they fulfil the requirements. As the Federal Office for Information Security (BSI) has not specified what form this evidence should take, there are various verification procedures in existence that are based on established international standards (ISO/IEC). The existing complexity of certificates and verification procedures means that it takes a lot of effort to find and compare the appropriate formats.
Pooling knowledge from cyberattacks
Sharing information about cyberattacks offers enormous potential for increasing the resilience of the energy sector. An institutionalised platform for trust-based exchanges within the industry as well as public experience reports can provide a structural framework for a collaborative approach to cyberattacks.
Development of the topic roadmap: Cooperation increases cybersecurity
The topics and fields of action were identified in a six-month cooperative process with key players in the industry platform. The methodology included research, surveys and a wrap-up workshop with stakeholders for IT security in the energy sector. The aim of the process was to consider the different perspectives and challenges of the various stakeholders.
The framework of the European Union Agency for Cybersecurity (ENISA) was used in the process to structure the identified topics. This framework enables Member States to assess their own national cybersecurity strategies. The tasks and objectives that ENISA assumes and pursues for stakeholders in the European Union are largely similar to those that the Cybersecurity in the Electricity Industry platform aims to achieve on a smaller scale. The topics identified were therefore organised into the main clusters of governance, cybersecurity standards, capacity building and awareness, laws and regulations, and cooperation.
Outlook for 2024
The topics were prioritised in the further course of the industry platform, together with the partners, and a work programme was drawn up. Workshops and events are planned for the resulting themed modules and more detailed studies are also being produced.
The industry platform is also currently launching the study entitled ‘CyberFit: Sensitising electricity sector managers to investments’. This guide will assist managers with no technical background with the investment required and their responsibilities under the current legislative changes.