Earlier this year, Europe’s cybersecurity organisation the European Network and Information Security Agency (ENISA) admitted it is unprepared for the advent of the Internet of Things, lacking the know-how, budget and manpower to secure millions of connected devices such as smart meters.
In July 2015, ENISA’s director of operations Steve Purser told European Union news service EurActiv that the agency’s coverage of technological change is minimal.
“I have one, perhaps two people who are experts in clouds. I have one person in industrial control systems. That’s quite a weak basis for the future,” said Mr Purser.
ENISA said last month that despite a “limited budget”, the agency has added I0T to its 2016 work plan “as an estimated €640 billion is at risk as hacking and cyberattacks reach new heights”.
So where does that leave European energy suppliers embarking on smart meter rollouts and investing in other grid-edge technology? What is the best approach to combating malicious threats?
Metering & Smart Energy International spoke to Massimo Rocca, head of information security at Enel Italy, to better understand the European cybersecurity landscape and how the global energy utility is gearing up to combat threats to data and infrastructure.
‘Concrete’ cybersecurity threat
When asked how real is the cyber threat for European utilities, Mr Rocca said it is “concrete”.
The challenge for an energy company, however, is to identify the intended effects of a cyberattack, he said.
“We have huge background noise in the identification of cyber threats. Enel’s global IT security infrastructure identifies more than 100,000 events a day.
“For this reason it is very complex to understand if a security event is a common incident or a deception made to hide another type of threat that is focused on our assets or people.”
Enel, a multinational electricity and gas operator present in 30 countries, isn’t your average utility and is able to share experiences across its information security departments.
The energy company has coordinated most of its global cyber security initiatives from Italy, which acts as an industrial “lab” for developing and testing solutions and policies that are rolled out in other countries.
Rocca said this is due to the way the utility has been targeted in Italy in the past five to 10 years, constituting a “remarkable scenario” in the European context.
“We have faced many phases [regarding the sources of attacks] that we haven’t experienced in all the other countries and for this reason we started to work on ICS security more than five years ago, with a particular attention to Italy.”
On the subject of who is carrying out the malicious attacks, Rocca said Enel Italy is being targeted from many different audiences. “Organized cyber crime has been targeting us. From our analysis, we are quite sure that it happened in the past and is impossible to exclude that this is still happening.”
Where to position your defences?
But as many global utilities working in distributed energy environments will know, technology evolution is overcoming the traditional cybersecurity paradigms, said Rocca.
“There is no point protecting your infrastructure by investing primarily on the perimeter of IT networks, as the majority of players, including Enel, used to do before smart grids.
“We are facing a revolution in common IT and OT departments but it is a gradual process. We are moving to new paradigms of industrial control systems and doing our own proof of concepts, for example testing the implementation of technical standards, such as the IEC 62351.
He adds: “This is the best we can do to identify the right balance to provide resilience and manageability.”
Cooperate against cyber threats
On the subject of collaborating against cyber threats, Enel’s Rocca says that energy companies need to understand that they can’t rely on their own protection and need to engage public and private partners.
Rocca maintains that cooperating with the European private and public energy sector is essential to mitigate cyber threats.
He said: “It’s impossible to face all these threats as a single power company. We have to cooperate to amplify our range of solutions and our range of possible strategies to handle the situation.
“EU countries have all approached the problem in their own way resulting in differences between country to country and this approach may pose some risks, since we all know that vulnerability resides in the weakest ring of the chain”.
He added: “This is why at a European level, we join most of cyber security initiatives and keep up with European Commission directives and regulation.”
Enel is also a stakeholder of the European Energy Information Sharing and Analysis Centre (EE-ISAC), which aims to create a network for sharing cyber security data and experience.
The private-public partnership is a joint initiative of four major European utility companies together with technical universities, governmental bodies and security technology providers.
Commenting on the creation of the knowledge-sharing initiative, Rocca said it is an important first step to improve the level of cooperation but he warned that it will need pan-European commitment and real support to make it a long-term success.
EE-ISAC will hold an Open House Member Meeting at European Utility Week, taking place this week in Vienna, Austria, with speakers from Enel, Alliander, ICS-ISAC and the CRISALIS Case Study.