As the electrical grid becomes digitalized, it has become a prime target for cyberattacks. Digitalization allows for better energy management through real-time monitoring and adjustment of the grid, which is beneficial both climatically and economically. However, the end of the isolation of electrical systems increases their vulnerability. A cyberattack on a grid operator could endanger society through a domino effect impacting other critical infrastructures, such as shutting down hospitals and even paralyzing the economy,
Having secure electrical installations has long been identified as an issue, leading authorities to push energy sector actors to secure their installations, which France has done since 2013 in France with the military programming law. However, the increasing sophistication of attacks and the growing number of actors involved in the electrical grid require revising and extending controls, requirements, and regulations to maintain good cyber maturity in the long term. To achieve this goal, collaboration among all stakeholders in the ecosystem – energy solution providers, grid managers, and other involved parties – appears to be the strategy to follow.
Approaching security from design to operation
With the development of renewable energies, new digital products, such as solar panels, electric vehicle charging stations, and other related products, are being integrated into the electrical grid. Like the original electrical systems, these new products were not necessarily designed with a secure-by-design requirement, offering hackers new, more accessible entry points. While it is increasingly accepted that secure-by-design is essential for achieving cyber maturity, it is a necessary but not sufficient condition.
Considering the very high number of product or automation exposures on the Internet and lessons learned from field experience, secure-by-design can only bear fruit if accompanied by proper configurations throughout the equipment’s life cycle, which is called secure-by-operations.
Security maintenance has become crucial for protecting information systems, incorporating, for example, vulnerability monitoring and securing remote access for maintenance that is not performed on-site. In practice, if there are configurations with security flaws, they are most often unobserved due to a lack of knowledge and training of operators on the subject, who are more electricians than IT specialists.
Elevating, optimizing, and diversifying cyber skills of employees
Given this observation, it is important to understand that the cyber maturity of the electrical grid can only be achieved by putting humans at the center of the equation. Understanding cyber threats requires education on risk. For employees in industrial and electrical sectors, training and awareness must now be accompanied by the development of a cyber culture for a full understanding of the issues.
A business approach is also to be considered in the electrical distribution sector, where we mainly deal with electromechanics, historically distant from connectivity and digitalization issues. The goal is to create bridges between different worlds, with very distinct missions and experiences: electricians, electrotechnicians, automation specialists, and, of course, cybers experts. IT teams can also get closer to OT professionals and vice versa to create synergies and apply more relevant solutions.
Moreover, the shortage of digital skills has regularly been raised as a major problem for the future of cybersecurity. Given the societal impacts of a cyberattack on the electrical grid, it is even more urgent to work on developing training that combines operational technology expertise, the electrical sector, and cybersecurity.
Towards an integrated and collective approach
To rethink the role of the human factor in cybersecurity, a global and unified perspective must be favored. The electrical grid has its own characteristics and specific protocols. Electrical security encompasses a set of technical and organizational practices that must be implemented. Electrical operators are expected to handle cyber issues, ensure secure installations and equipment, and take action in the advent of an incident.
Given such a prominent level of requirements, building cyber resilience cannot rest on the shoulders of a single employee. The interconnection of critical infrastructures and the inflation of the number of partners involved in the management of transmission and distribution networks risk hindering collective cyber maturity. For example, the failure of a subcontractor can jeopardize the entire ecosystem, making the electrical grid more permeable to cyberattacks.
In line with the spirit of the Network and Information Security Directive (NIS2) from the European Union, this new situation makes the supply chain the most relevant space to think about a cyber strategy adapted to secure critical electrical installations. Securing the electrical grid is a societal issue whose success depends on the commitment of all to achieve a collective effort where everyone knows their role and responsibilities.
The viability of the electrical grid can only be considered considering the cyber threats generated by its recent digitalization, adopting a new paradigm combining secure-by-design and especially secure-by-operations, placing humans at the center of considerations, and thinking at the level of the entire supply chain. Ultimately, a model change, based on a holistic vision of security, including safety and cybersecurity, appears as a horizon towards which to strive for a sustainable and resilient digital transformation.
About the author
Samuel Braure, Cybersecurity Leader – France & BeNe
Samuel Braure has been responsible for cybersecurity for France and Benelux at Schneider Electric since January 2023. As CISO, he oversees issues related to IT and OT and is responsible for executing Schneider Electric’s cybersecurity strategy in the region, facilitating the management of cybersecurity as a business risk. Samuel joined Schneider Electric at the end of 2012, where he developed an interest and specialization in cybersecurity as the subject gained importance.
Add a comment