Comments on: Forget the skills gap, in energy cyber security, it’s a chasm

By: Mike Parr, Mon, 16 Apr 2018 10:47:09 +0000

Back in the early 2000s, I wrote a report on critical infrastructure for a G7 country. There was a fair bit of it on “cyber security” with respect to gas, electricity and water. I would also add that I am a power engineer (for electricity networks) by profession and founded a UK ISP – I thus have a more than passing understanding of both areas.

The problem with this article is that, in common with many, it talks about “cyber security” in general terms (that said, I agree with the comments about more trained people being needed). Electricity systems split into two broad bits: the generators and the networks.

The companies that own generators (particularly unmanned locations) love telemetry & remote control. Without exception (apart from very small sub-100kW sites) such sites are served by some form of hardwired communications. IP-based VPNs and the like are one way of +/- accessing & controlling such systems. However, VPNs and suchlike only provide “virtual” security. If you want real security you would move to the physical layer (remember the ISO 7 layer model?) and have dedicated fibre in a hard-wired private network – expensive? Well, 1 metre of good quality bog paper is more expensive than 1 metre of fibre – so no.

In the case of elec networks, there are two considerations: protection systems and control systems. At a transmission level, protection systems used to be hardwired on dedicated lines. This is no longer the case. However, there is no reason why every substation down to the HV/LV substation (which is a few metres away from a telephone duct) could not be hardwired using fibre. Protection and telemetry would have their own dedicated fibres.

This would make large-scale hacking of power stations and/or electricity networks very difficult since the networks would have no connection whatsoever to the public Internet. Accessing them would mean getting into a power station or substation – a rather more risky undertaking than sitting at a computer – somewhere. Doing the above would ease the skills chasm whilst also making energy networks more secure.

None of the above is under consideration – for the most part the bean counters don’t like this style of preventative investment (come to that, they ain’t that keen on education and training – hence the current shortages of people in the area).