Open-Ed
- As smart grid tech is rolled out around the world to modernise legacy assets and integrate renewable energy generation, it is also making the electricity network more prone to cyber attacks.
- IEC Standards provide protection but they are also challenged to keep up with the latest threats.
What is a smart grid?
Smart grids can be described as digitally enhanced electricity grids. Legacy grids need to be modernised and instead of rebuilding networks from scratch, injecting new digital tech in the existing systems is the most affordable way to prepare for new demands, such as the integration of renewable energies. More complex – and sometimes long-winded – definitions of the smart grid abound: according to the IEC Electropedia, for instance, smart grids utilize information exchange and control technologies, distributed computing and associated sensors to integrate the behaviour and actions of the network users and other stakeholders, and to efficiently deliver sustainable, economic and secure electricity supplies.
Several terms are frequently used in smart grid parlance, including automated substations, digital interfaces, networked sensors, intelligent electronic devices (IEDs), advanced two-way communications and distributed energy resources (DER). One of the most obscure is SCADA, which stands for supervisory control and data acquisition. All of these terms are defined in the IEC Electropedia, but what needs to be understood before the jargon is that, as grids add digital communications and interconnection where there were previously none, they are becoming easier for cyber criminals to attack. According to Forbes, in an article looking at the situation in the United States, “most of the US energy grid critical infrastructure components operate in a digital environment that is internet accessible. The trends of integration of hardware and software combined with growing networked sensors are redefining the surface attack opportunities for hackers.” The same trends can be witnessed around the rest of the world as we move more and more into the all-electric and digital age.
Cyber attacks are evolving
EE Power, a digital publication for power and energy engineers, lists different ways cyber criminals can impact the grid, which include denial of service (DoS) attacks, malware or time synchronization attacks, to name but a few. DoS attacks, for instance, involve flooding networks with a large number of spurious requests, hindering real demands from being dealt with. In time synchronization attacks, real-time data can be manipulated, leading to false information being circulated – for instance, about the current energy levels in the grid. Malware can be used to infect computers and ask for ransoms, for example. The variety of ways cyber criminals can do damage is mind-boggling and continuously evolving.
The pros and cons of AI
Artificial intelligence (AI) is becoming a useful tool in the fight against cyber crime, as it increasingly affects power systems. It can most notably help detect attacks and inform users about their nature. According to this article, researchers in the US state of New Mexico have developed AI algorithms which use code to monitor for cyber attack abnormalities at device, system and utility level. AI is also increasingly used as a result of the automation of the grid, enabling electricity load forecasting and fault detection of any kind – not only faults caused by cyber crime – and can help the grid to “self-heal”.
But the downside is that it can also be used as a tool to help hack various systems. According to the Federation of the European Electricity Industry, Eurelectric, “Cyber criminals are leveraging AI to automate attacks, bypass security measures and create highly convincing phishing scams.”
The joint committee between ISO and the IEC which prepares standards for AI publishes standards which address some of these issues. ISO/IEC TS 8200, for example, specifically deals with the controllability of automated AI systems.
Tools and solutions
Most countries around the world have opted for legislation to avert cyber attacks. In the European Union, for example, the NIS 2 Directive was adopted by member states in 2024. It expands the scope of cyber security requirements to electricity, oil and gas networks. The EU also recently published the Cyber Resilience Act (CRA) to enhance security in the digital infrastructure.
Alongside regulations, IEC International Standards are key tools to ensure a cyber secure grid. As IEC cyber security and grid expert Frances Cleveland explains, “There are ongoing efforts inside my working group, responsible for developing the IEC 62351 cyber security standards for the grid, which I call the ‘How to do it’ standards. The IEC has also developed the IEC 62443 Standards which tell you ‘What you need to do’. These standards are being extended to include horizontal cyber security requirements, meaning that different areas like the energy sector are modifying the base IEC 62443 Standards to reflect their more specific needs. We are working on the cyber security requirements for substations right now and will be addressing distributed energy-specific requirements. IEC 62443-4-2 can also be used for testing the cyber security of devices, such as EVs, photovoltaic panels and other distributed energy resources.”
The IEC 62351 series provides cyber security requirements as well as guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. Some of the different security objectives of these cyber security requirements include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection. The IEC 62443 series specifically addresses the industrial automation and control systems (IACS) used in critical infrastructure.
However, the time required to develop standards is a constraint and makes it difficult to keep up with the latest cyber security threats which are evolving very fast. As IEC TC 57 expert Dustin Tessier explains, “standards lag in addressing complex protections and cyber security applications, notably for single points of failure in centralized platforms.”
The ISO/IEC 27000 series is generally understood to address information security management and certification in IT specific environments – not OT-based critical infrastructure like electricity grids. But as these get smarter, the line between IT and OT is blurring. (For more on this blurring line, read Keeping the world’s critical infrastructure cyber secure | IEC e-tech)
The convergence between IT and OT explains why ISO/IEC JTC 1/SC 27 recently released ISO/IEC 27019, which provides information security controls for the energy utility industry, and covers a very wide range of smart grid related technologies, including central and distributed process control, monitoring and automation technology, sensors and actuators, and DER integration, to name just a few.
The case of nuclear energy
Nuclear energy is seen by many countries as a way of reducing carbon emissions and it is also useful to balance the grid as it integrates more intermittent renewables. But nuclear power plants are also becoming more vulnerable to cyber threats as they become increasingly digitized.
These threats ramp up the risks to yet another level. In a worst-case scenario, hackers could take control of operations and not only wreak havoc on the grid but also induce a nuclear reactor meltdown, leading to widespread radioactive contamination.
The IEC takes these threats very seriously and cooperates with the International Atomic Energy Agency (IAEA), a UN agency that works to promote the safe, secure and peaceful use of nuclear technologies and which sets global safety standards for nuclear energy. Experts from IEC Technical Committee 45 take part in the technical working group on nuclear power plant instrumentation and control (TWG-NPPIC), which was founded by the IAEA in 1971 to give advice on and promote research into nuclear plant technology, notably human system interfaces.
A specific cyber security standard, IEC 62645, was developed “to prevent and/or minimize the impact of attacks against information and computer programmable digital systems on nuclear safety and plant performance”.
The standard proposes a table of high-level correspondence with the horizontal IEC 62443 series, listing dozens of subclauses related to the context of the organization, lifecycle implementation for programmable digital system security and security controls. (Read more about these standards in this interview with the Chair of IEC TC 45.)
Keeping up with cyber criminals is an ongoing battle – and one which requires the joint efforts of regulators and technical experts. For the time being, the energy sector has the right tools to do so but the toolkit needs to be constantly updated as attacks get more sophisticated.
Author: Catherine Bischofberger
The International Electrotechnical Commission (IEC) is a global, not-for-profit membership organisation that brings together 174 countries and coordinates the work of 30,000 experts globally. IEC International Standards and conformity assessment underpin international trade in electrical and electronic goods. They facilitate electricity access and verify the safety, performance and interoperability of electric and electronic devices and systems, including, for example, consumer devices such as mobile phones or refrigerators, office and medical equipment, information technology, electricity generation, and much more.