Roundtable Executive Report – Cybersecurity Strategies in Power Generation: Defence or Resilience?
As cyber risks continue to emerge, ESI discusses how the power sector should balance between defending against cyber attacks and focusing on strengthening resilience for quick recovery...
The Energy Studies Institute (ESI) of the National University of Singapore (NUS) organised a roundtable at Singapore International Energy Week (SIEW) 2016 to discuss whether the power generation sector should focus on defending against cyber-attacks or strengthening resilience to recover swiftly after an attack.
Growing cybersecurity risks in the energy sector
In 2015, two-thirds of global investments in power transmission systems were made in the renewable energy sector. These investments will drive the decarbonisation and transformation of global power transmission systems through the use of technology such as information communication systems. However, the deployment of new information communication technologies creates new cybersecurity risks. These vulnerabilities are further heightened by cross-border integration and uneven technological developments worldwide. The growing pool of producer-consumers (prosumers) is an additional source of cybersecurity vulnerability, since they actively participate in the electricity wholesale markets by both consuming and producing electricity.
Another critical and vulnerable area lies in forecasting and demand management systems. The forecasting and demand management systems generate signals, which indicate real-time prices and demands in the electricity wholesale markets. Through the use of information communication systems, prosumers, power system operators, and power generators can all forecast and respond to electricity demands more accurately. Even though the decarbonisation of global power transmission systems bodes well for a more efficient electricity wholesale market, cybersecurity threats have the potential to create “control flow” problems if price signals and demand information are not transmitted reliably and accurately. In addition, personal data will be at risk.
Strengthening the enterprise ecosystems
The energy sector has been the most vulnerable to cybersecurity threats. Global cybersecurity reports show an increasing security threat due to the lack of awareness and weaknesses in asset control, input validation, and human interaction with systems. Among these weaknesses, the human factor remains the most dominant threat and weakness.
The other source of weakness is the legacy systems that are still being used by many energy companies. For instance, security reports have found that many energy companies are still using enterprise technologies which are at least eight to 10 years old, and are sorely in need of improvements and updates. When energy companies do upgrade their legacy systems, the upgrades will often be in phases, which leaves them vulnerable to the rapidly evolving nature of cyber threats. Organisations that deploy a combination of legacy and new systems are just as vulnerable as companies that still rely solely on legacy systems.
Another weakness among energy companies is their emphasis on either resilience or defence strategies. Rather than just focusing on defence or resilience strategies, energy companies would fare better if they chose to strengthen their information systems' ecosystem instead. Strengthening the ecosystem requires fundamental shifts in mindset and increasing the level of consciousness of enterprise information systems security. For instance, energy companies should be vigilant in auditing their information technology vendors and the use of personal devices such as notebooks within the company’s information system domain.
Mitigating threats through cooperation
While energy companies focus on enterprise-level security, the cybersecurity landscape is being dominated by incidents, proving that the cyber capabilities of hackers are outstripping those of security experts. Increasingly, hackers require less sophisticated tools and capabilities to infiltrate information systems; moreover, these tools are readily available.
This dynamic new threat environment implies that the energy sector’s cybersecurity is a challenge that has probably exceeded the capabilities of any individual organisation. As such, there needs to be greater collaboration and more public-private partnerships (PPPs), as well as collaboration between nations. The PPP model could help in three key areas: strengthening situational awareness and information sharing; coordinating cyber incident response and recovery activities; and accelerating game-changing research and development of resilient energy delivery systems.
Global decarbonisation is driving the transformation of energy transmission systems, which means that the world is becoming more interconnected as consumers, prosumers, power generation and transmission companies become dependent on real-time prices and information for energy demand management and response systems. However, this interconnectedness requires energy companies to be better equipped at managing the security of their information systems. In addition to phasing out legacy systems and introducing new technologies, there should be a focus on strengthening enterprise ecosystems, and that requires inculcating a new security culture and mindset. Additionally, energy companies and government agencies should cooperate and collaborate within the PPP model and focus their collective efforts in three key areas: research and development, cybersecurity operations and information sharing, and coordinated incident management. The cybersecurity threat landscape is evolving and has become more sophisticated. It is only through the PPP model that collective cybersecurity action can be achieved.
Roundtable participants:
- Dr Madan Oberoi, Director, Cybercrime, Interpol Global Complex for Innovation
- Lim Thian Chin, Deputy Director and Head, CII Protection, Critical Information Infrastructure Division, Cyber Security Agency of Singapore
- Ngai Chee Ban, Operations Leader Asia Pacific, Honeywell Industrial Cyber Security, Honeywell Process Solutions
- Akhlesh Kaushiva, Programme Manager, US Department of Energy
- Matthew Wittenstein, Electricity Sector Analyst, Gas, Coal and Power Markets Division, International Energy Agency (IEA)
- Philip Andrews-Speed, Senior Principal Fellow, Energy Studies Institute (ESI), National University of Singapore
By: Energy Studies Institute, National University of Singapore