EU agency mulls cybersecurity measures for ‘vulnerable’ smart grids
European Union smart grid operators and energy providers need common cybersecurity measures to help them guard against attacks, says a new report by Europe's information security agency ENISA.
The report, released on Wednesday (19 December), proposes a set of appropriate measures to allow smart grid providers to head off any potential threats.
Smart grids and smart meters operate through a series of millions of interconnected nodes, so they have stoked fears they could be vulnerable to hacking, terrorist attacks and even burglary, a source involved in drafting the ENISA paper told EurActiv.
A transmission system operator (TSO) - which manages energy distribution at regional or national levels - would have to implement the measures at their highest level of sophistication, for example.
“This technical guidance addresses smart grid networks and services which are critical and whose malfunctioning would have a significant impact on society”, the report says.
“You attack a TSO and there is no electricity in an entire city”, the same source said. "It could be anarchy".
A McAfee report from earlier this year called power grids a “prime target” for cyber attack.
“The objective of these measures is to improve cybersecurity in the smart grid system”, the source added.
‘The weakest link’
ENISA proposes 39 different security measures, which are organised into three levels of sophistication depending on the seriousness of the threat posed.
The measures cover issues including security governance and risk management; third-party management; secure lifecycle process for smart grid components and operating procedures; personnel security, awareness and training; physical security; information systems security; and network security.
The report encourages smart grid stakeholders such as providers and national and EU regulators to cooperate and find a consensus for a minimum set of security measures.
“ENISA issued this report in order to assist the member states… providing an indication of a minimum level of security and resilience in the member states with regards to the smart grids, thereby avoiding the creation of the ‘weakest link’,” the report says.
“It is a key issue to ensure that the roll-out of smart grids for distributed energy generation into future electricity grid is done in a secure way”, ENISA Executive Director Udo Helmbrecht said in a statement.
“We hope to see smart grids in the forthcoming Cyber Security Strategy of the EU”, he added.
ENISA, based in Crete, says the document will be updated regularly as more information becomes available. They will also map risks and threats across the EU.
A German power utility specialising in renewable energy was hit by a serious cyber attack two weeks ago that lasted five days, knocking its internet communications systems offline, in the first confirmed digital assault against a European grid operator, EurActiv reported.
A smart grid is an upgraded electricity network utilising two-way digital communication between producer and supplier, ‘intelligent’ metering and monitoring systems.
Smart grids offer clear environmental, social and economic advantages but their dependence on computer networks and the internet makes them acutely vulnerable to cyber-attacks, according to the EU’s European Network and Information Security Agency (ENISA)
Another 2012 ENISA report offered 10 recommendations for protecting grids from cyber-threats, including:
- An improved EU and member state regulatory and policy framework;
- The development of a minimum set of security measures by ENISA, in collaboration with member states and the private sector;
- Security certification schemes for smart grid components, products and organisational security;
- Empowering the Consortium for Electric Reliability Technology Solutions to advise on cyber security incidents affecting power grids.
- Early 2013: Final approval of EU energy infrastructure package expected by European Parliament and EU Council of Ministers.
- By end 2013: LIst of projects of common interest to be finalised.
- 2014: Planned entry into force of 'Connecting Europe Facility' (CEF), under which infrastructure will be financed.