The power grid is becoming increasingly complex due to the integration of municipal utilities, renewable energy resources, new substations and millions of smart grid edges like smart meters and EV-charging stations. The majority of this electric infrastructure is located far away from the central control room. Therefore, control is increasingly carried out digitally via remote access. To secure these peripheral systems, distribution and transmission system operators often rely exclusively on firewalls. These might reliably detect known malware. However, with several hundred of thousands of new malware variants each day, cybersecurity limited to identifying known signatures becomes highly unreliable.
Hands down, by now there are probably a trillion articles offering advice on how to “get ready for NIS2” (just do a search in your search engine of choice). Some contain sensible tips, most simply re-list the requirements of the updated Network and Information Security directive and leave the reader in limbo.
Still, even just 1.5 months away from the EU's NIS2 directive turning into national law, many customers in the electrical sector we speak to have difficulties getting their heads around the full impact of NIS2. In particular, the extension of thorough cybersecurity to the OT networks of their grid infrastructure causes headaches. For many electric and multi-utilities this is still new territory with many blind spots and unknown challenges.
The NIS2 directive requires owners and operators of electric and multi-utilities to include their OT networks in risk management procedures and risk analysis. The target is to determine the risk exposure of their critical processes and define appropriate mitigation measures. And this is for good reason, as the results of our vulnerability assessments at IOUs, municipal as well as public utilities highlight.
Energy companies are under pressure from all sides when it comes to the cyber security of their critical infrastructure. The spiraling skills gap is set against an increasingly dynamic risk landscape and more far-reaching legislation. Nevertheless, companies must quickly find ways to set up their own operational technology (OT) security expertise.
In the latest episode of the 'OT Security Made Simple podcast' , Klaus Mochalski, founder and CEO of Rhebo, sits down with Todd Wiedman, Chief Security Officer of Landis+Gyr, to cover a range of topics, shedding light on the evolving challenges and solutions within the realm of AMI security.
The IEC 62443 family of standards is an old acquaintance to most security managers for industrial systems. For more than ten years, it has been considered THE standard for industrial cybersecurity. It also serves as a "horizontal standard" offering a sector-agnostic baseline for industrial cybersecurity, upon which sector-specific requirements, e.g. for the energy sector, could be added by industry experts. In this blog we explore its implications for the energy sector.
