THE ENERGY SECTOR NEEDS CYBER SECURITY

By Raúl Rocamora - Responsable de Sistemas Informáticos

1. Energy infrastructures are increasingly targeted by cyber attacks

2001 Russia, 2003 and 2008 United States, 2012 Saudi Arabia, 2013 Austria and Germany, 2015 Australia and Ukraine, 2016 Israel, 2017 Great Britain. And we could continue, listing other cyber attacks suffered by energy infrastructures in the last twenty years.

What already caused alarm at the beginning of this century is today considered a matter of primary importance. Especially if the cyber attacks are aimed at critical or strategic infrastructures for the normal conduct of a nation's life such as those dedicated to the production and distribution of energy. Damaging a pipeline, putting a power plant out of commission, intervening on the safety system of a nuclear plant, sabotaging the purification system of an aqueduct: these are actions that have unpredictable, even highly dramatic, consequences. It is sufficient to observe the damage that an energy blackout lasting a few hours causes in any city around the globe: blocking of services such as healthcare, water supply, transport, communications, industrial production and the financial system. Not to mention the negative reverberations on public order.

It has been calculated that an electricity cut of around six hours in winter, in a country like France, would create economic-social damage of around 1.5 billion euros [+info].

There are still some who think that what is described is just the plot of a catastrophist b-movie. In reality the episodes follow one another. The latest in March this year, in the USA, when several areas of the states of California, Utah and Wyoming were left in the dark due to a probable cyber attack on a local electricity provider [+info].

But who are cyber criminals? Those responsible for these operations vary depending on the objectives and forces deployed in the action; they can be hackers who act to obtain a monetary ransom, cyber terrorists who in doing so attack their political enemies but also sovereign states, determined to exploit new technologies to damage rival nations. Operations which - considering the potential impacts - could even be equated with acts of war (rather than simple sabotage activities).

Image 1. Main cyber attacks on energy infrastructures since 2010

Source: World Economic Forum – Boston Consulting Group

2. Digitalization of networks, increased risk

The ecosystem in which we are and will be increasingly immersed is itself a natural space for the growth and development of cybercrimes. Digitalisation, interconnections and connectivity, internet of things, big data, artificial intelligence, an ever-increasing convergence between operational technology (OT) and information technology (IT) - just to mention some key points of the 4.0 revolution - as well as innovation and progress have brought brings with it threats and risks.

Cyber security therefore appears not only indispensable but also transversal and present in all main sectors of society: productive, economic and institutional. 

And the infrastructures are no different, on the contrary.

As happens in other sectors (think of industrial production), digital transformation has given greater complexity and complexity to networks. To govern the increasingly abundant flow of energy deriving from renewables and to coordinate the increasingly numerous and advanced connected devices (smart home devices and electric vehicle charging systems, for example), increasingly decentralized and "intelligent" management is required and that takes into consideration the now many subjects involved.

As he writes [+info] Paola Girdinio – a profound expert on the topic of cyber security and today president of Start 4.0 Italian Center of Competence for the Security and Optimization of Strategic Infrastructures – “Data generated in embedded systems, created by machine-to-machine devices and IoT (Internet of Things), are growing exponentially in the electricity sector and their importance is at the heart of the system. […] IoT units installed globally by utilities have grown on average by 23% per year. With them the attacks. And not only in their number, but above all in complexity”.

3. Investing in cyber security: an inevitable choice

Cyber security is a combined action of multiple factors. And it is not certain that the continuous technological adaptation to improve security devices capable of stopping attacks or at least limiting the damage is the first. Although it may appear so.

Perhaps first of all comes the recognition of the problem by company management and/or political decision makers. It is only with the full and conscious understanding of the existence of a serious danger for the entire system (corporate, but not only) that it is possible to put strategies and actions in motion. Better if common or shared as much as possible, in order to combine efforts and strengths.

And something is moving, even if not with the same speed or uniformly. Companies, even in Italy, are starting to invest: in 2018 the information security sector exceeded one billion euros with an increase of 9% compared to the previous year. If the culture of IT security has begun to make its way among the large companies of our country, it is unfortunately still too little widespread among the most numerous subjects in our production sector, i.e. medium-small companies. In 2018, 70% of the already modest budget for IT security was used to adapt to the privacy rules imposed by the European GDPR regulation (source: Information Security & Privacy Observatory of the School of Management of the Polytechnic of Milan 2018).

However, as happens with the Digital Transformation of the production system - the Fourth Industrial Revolution 4.0 - the real obstacle is the lack of a culture of innovation and a poor strategic vision. Italian SMEs, too often prisoners of the contingency of their daily activities, do not look at training, updating and technological adaptation as indispensable tools for doing business and guaranteeing a future for their company. Cyber security first and foremost.

Meanwhile, European institutions and, consequently, national ones have placed the cyber risk issue among those of greatest importance. Proof of this is two regulatory instruments such as the NIS Directive [+info] of 2018 and the Cyber Security Act [+info] of this year; both implemented by Italy. Added to the directives, which pay particular attention to the production and energy sector, is the Recommendation of the European Commission of 3 April aimed specifically at the energy sector [+info]. The security of energy networks is one of the key objectives of the EU strategy for cyber security [+info], but it is also the duty of every democratic nation to be able to guarantee adequate levels of safety and well-being for its citizens.