Bridging the Gap between Information Technology and Operational Technology

Welcome to our new Energy Talks miniseries, Cybersecurity in the Power Grid, in which we provide you with a 360-degree view of how power grids can best safeguard their infrastructures from cyber attacks.

In Part 1 of this miniseries, OMICRON cybersecurity expert Benjamin Teudeloff talks about the increasing necessity for power providers to improve their cybersecurity practices. He gives insight into the evolving global landscape, the unique challenges faced by electrical utilities, and the importance of bridging the gap between Information Technology (IT) and Operational Technology (OT).

Lastly, Benjamin describes how OMICRON's comprehensive cybersecurity products and services are empowering power providers to safeguard their infrastructure in an ever-changing threat landscape.

Stay tuned for upcoming episodes in our Cybersecurity in the Power Grid miniseries.

“I highly recommend that OT and IT colleagues deal more with the topic of cybersecurity and actively exchange with one another to have a common understanding of security issues and requirements.”

Benjamin Teudeloff

Cybersecurity Expert, OMICRON

Here Are the Key Topics from This Episode:

Global Pressures on Power Providers: Benjamin discusses how political developments and global networking expose the vulnerabilities of energy utilities to cyber threats, emphasizing the growing integration of IT technology with OT assets and the challenges this poses.

European Market Dynamics: In Europe, power providers face unique challenges due to interconnection and the energy transformation. Benjamin highlights the importance of securing OT systems and networks, addressing regulatory tasks, and fostering cooperation between IT and OT teams.

Best Practices for Cybersecurity: Benjamin recommends that management pay closer attention to cybersecurity investments in relation to potential damage. He stresses the need for improved cooperation between IT and OT teams, emphasizing knowledge sharing and mutual understanding of security issues.

OMICRON's Products and Services: Benjamin discusses OMICRON's cybersecurity products and services, highlighting their effectiveness in protecting against cyber threats. He mentions their support in engineering, security assessment, incident response, and the importance of training to strengthen cybersecurity posture.

Scott: This is Energy Talks, a regular podcast series featuring expert discussions on power system testing topics. I'm your host, Scott Williams, from OMICRON's podcast team.

Scott: Hello, everyone! Welcome to our new Energy Talks miniseries titled "Cybersecurity and the Power Grid." In this series, we provide a comprehensive perspective on how power grids can protect their infrastructure from cyber threats. Welcome, Benjamin, to Energy Talks!

Benjamin: Thank you, Scott, for the invitation. I'm delighted to be here.

Scott: Thank you for joining me, Benjamin. Could you share your background in cybersecurity and your experience in the power industry with us?

Benjamin: Certainly. I'm currently serving as a sales manager for cybersecurity products and services at OMICRON. Prior to this, I had a career spanning over 12 years as a police officer with the German Federal Police. During this time, I spent nine years as a team leader in the field of IT forensics.

Following my tenure in law enforcement, I transitioned to cybersecurity consulting, where I worked for almost six years with companies such as BWC and Ernst & Young. In this role, I focused on the development and implementation of Information Security Management Systems (ISMS) in accordance with ISO 27001 and BSI IT Grundschutz. I was also involved in the establishment and enhancement of risk management systems, crafting security concepts, conducting maturity assessments, and providing support and defense for audits.

Scott: Could you share some insights into the clients you've worked with in this domain?

Benjamin: My experience spans a wide range of clients, from small state authorities to various police agencies and even a federal state parliament. I've also worked with medium-sized companies and large corporations. What makes this field particularly intriguing is the diverse approaches to cybersecurity that vary significantly by industry.

The focus on cybersecurity differs based on the sector. For example, the transport and logistics sector or the manufacturing industry has different priorities compared to a data center operator or the energy sector. Critical infrastructure is a unique case due to its societal significance.

Scott: Benjamin, what developments in global markets are driving power providers to prioritize cybersecurity?

Benjamin: Political developments and increased global interconnectivity have exposed the interdependencies and vulnerabilities in the energy utilities sector. Globally active hacker groups, some with high levels of professionalism, pose significant threats to energy utilities.

It's challenging to systematically counter these threats, especially as the trend toward digital substations continues. The integration of IT technology with OT assets offers economic advantages and increased efficiency but also broadens the attack surface for cyber threats. The clear separation between OT systems and the internet is becoming less distinct.

Many Asian energy utilities have recognized this challenge and are implementing conceptual plans in line with international standards like IEC 61850, where IT and OT security are explicitly considered.

I support this approach for several reasons. It embraces a security-by-design philosophy that emphasizes the quality of systems, products, and services, along with a holistic approach to security processes. This includes company-wide security risk management, security incident handling, comprehensive penetration tests, business continuity management, and emergency strategies, viewed from both IT and OT perspectives.

There are two fundamentally different approaches here. While IT security mainly focuses on risk management and information security, OT emphasizes the security of the power supply. The consequences of downtime are far more severe for the energy sector. An email server outage may be inconvenient, but a 48-hour power plant shutdown can have serious repercussions.

Scott: Absolutely.

Benjamin: In such cases, apart from the financial and reputational damage, coordinating energy supply is essential to maintain security. The challenges extend beyond the company's boundaries for energy utilities due to the interconnected power system.

This takes us back to the cybersecurity approach. Whether an energy provider works with existing facilities or incorporates security-by-design principles for new ones, the risks remain substantial. This is due to the extended lifespan of components in existing facilities, which can last for 30 years or more.

Previously, cyberattacks weren't a concern due to the separation from the internet. The industry now faces the complex task of securing older yet still functional components and systems against modern threats. Both operators and security experts must collaborate to understand the technical weaknesses of these systems, minimize them, or isolate them within the network to maintain manageable risks and ensure a secure power supply.

This is a challenging balancing act. In the event of an attack, it's primarily the engineers who must restore power supply security as quickly as possible. Both IT security and OT security must collaborate more closely in the future.

Scott: Benjamin, how does the European power market approach cybersecurity, and are there any unique trends in this region compared to the rest of the world?

Benjamin: In Europe, energy providers operate within a highly interconnected network, ensuring a consistently high level of supply security. The German transmission grid, for instance, is part of the International Grid Control Corporation (IGCC) and is integrated with neighboring countries' grids.

The transition to renewable energies, including hydro, solar, wind, and geothermal power, presents significant challenges. Industry needs to expand transmission capacities, build hydrogen infrastructure using existing gas networks, and accommodate the injection of energy from various sources like battery storage, prosumers, and photovoltaic systems.

These changes impact supply security through increased control requirements and the integration of new technologies into the existing energy ecosystem. Simultaneously, the energy sector faces new regulatory tasks, such as the Cyber Resilience Act and its EU-inspired requirements, including discussions about management liabilities in Germany.

The unique aspect here is the friction between information security, corporate-level risk management, and grid-wide supply security. Effective protection and operation of the power grid depend on all parties adhering to security standards, from secure products to cyber-attack protection, detection systems, and business continuity and recovery plans.

In the European market, three trends are noticeable:

1. A lack of management awareness regarding cybersecurity's importance and its impact on business success.
2. Challenges in the collaboration between IT security and OT security teams, often leading to isolated efforts and inadequately considered requirements.
3. Budget limitations for security systems and consulting services, leading to one-size-fits-all solutions.

The energy sector encompasses two distinct network structures: the rapidly evolving IT world and the long-lived OT world, each with different systems and protocols. The saying "If you buy cheap, you buy twice" rings true here, where attempts to use seemingly effective IT security systems fall short in covering OT network security, leading to a flood of security alerts and increased risk.

Scott: Very interesting.

Benjamin: We're witnessing this with some of our customers. They've invested in IT security systems that, while effective in their realm, can't meet the specific security needs of OT networks. This results in security alerts that aren't given due attention and are often dismissed due to an overwhelming number of false positives, causing security analysts to spend excessive time investigating these alerts. Instead of reducing risk, this situation often exacerbates it.

Scott: Benjamin, what recommendations or best practices can you offer to power providers aiming to enhance their cybersecurity readiness and bridge the gap between IT and OT?

Benjamin: I recommend that company management give greater attention to cybersecurity. It's not about acquiring deep technical knowledge but understanding the preventive and reactive value of investments in case of disruptions or cyberattacks. Specifically, how much is the company investing in cybersecurity measures and systems compared to potential damages? The CIO can provide valuable input.

I also suggest that CIOs and security audit teams pay closer attention to the technical security needs of OT security teams, comprising engineers and technicians who are experts in the OT network. Organizing regular meetings for information exchange is essential. Strong internal collaboration is vital for optimizing security processes.

As IT and OT networks become increasingly interconnected, I encourage OT colleagues to engage with IT security topics and actively seek collaboration with IT security teams. This approach fosters a shared understanding of security issues and helps budget for OT system and network security requirements effectively.

Scott: Benjamin, beyond cybersecurity products, what services does OMICRON offer to support power providers in enhancing their cybersecurity?

Benjamin: Our customers appreciate our cybersecurity products and our extensive service portfolio. For the individual challenges of our customers in a technical, procedural, and personal implementation of their requirements, we also offer a wide range of services. This includes engineering, security assessment, asset inventory, workflow process analysis and optimization, threat management, incident response services, security concepts for OT networks, OT forensics, audit services, and training. OMICRON's approach has always been to deliver high-quality products and services.

We proactively share our expertise with our customers by taking a holistic approach to our consulting services. We can assist with the conceptual design of digital substations or analyze and optimize work and security processes. Our expert support team aids in analyzing security incidents and conducting forensic analyses in case of an emergency. Our audit team prepares audit participants for different situations and relevant questions in customer-specific training, offering guidance on how to handle audits.

To facilitate cooperation between IT and OT teams and strengthen mutual understanding, we provide two training programs: IT knowledge for OT employees and OT knowledge for IT employees. Our lab in Austria allows us to demonstrate live hacking scenarios in a substation, providing customers with the opportunity to experience cyber attacks live and receive expert guidance.

Scott: Benjamin, this hands-on training sounds impressive. Can you share any success stories or examples where OMICRON's cybersecurity products and services have had a significant impact on power providers?

Benjamin: Certainly, we've received positive feedback from our customers regarding the user-friendliness and intuitiveness of our cybersecurity products. They're easy for technicians and engineers to use, offering relevant information and reports on ACM and SOC. Our products generate very few false positives, significantly reducing the workload for everyone involved.

Recently, our product performance and the expertise of our team were put to the test when a customer implemented an IDS from various competitors and conducted penetration tests. According to the customer, OMICRON's security team outperformed the other vendors in terms of accuracy and response time. While I can't reveal further details at this time, we're pleased with this feedback. It reaffirms our commitment to maintaining high-quality standards and demonstrates the effectiveness of our cybersecurity products in protecting customers from cyber attacks.

Scott: Benjamin, as we look to the future, what do you see as the most critical challenges or emerging trends in cybersecurity for the power industry?

Benjamin: I may sound repetitive, but enhancing the collaboration between IT and OT is crucial, particularly as personnel requirements increase. The expertise of specialists within a company must be unified. Additionally, technological innovations, driven by the energy transformation, inherently introduce more security risks. The proliferation of IoT devices, in particular, lacks sufficient investment in product security, which can impact the security of the power supply.

Scott: Interesting. So, how can engineers in the power industry interested in IT and cybersecurity stay informed about the latest developments and best practices for securing power grids?

Benjamin: We offer training courses for engineers and technicians on IT knowledge for OT employees and OT knowledge for IT employees. Customers can also subscribe to newsletters tailored to their interests via our customer portal. Furthermore, we will soon launch our new cybersecurity website, providing detailed information about our products and support services. It will showcase the challenges customers face in different industries and how they can address them.

Scott: Benjamin, thank you for joining me for the first episode of our Energy Talks miniseries on cybersecurity.

Benjamin: It's been a pleasure. Thank you, Scott, for your time.

Scott: And thank you for being here with us.

A big thank you to our audience for tuning into this episode of Energy Talks. If you've enjoyed what you've heard or read and haven't done so already, please subscribe to Energy Talks on your preferred podcast platform to ensure you never miss an episode. We value your questions and feedback; feel free to send us an email at podcast@omicronenergy.com.

OMICRON boasts years of experience in power system testing and provides suitable solutions for your applications, including cybersecurity in the power grid. Visit our website at www.omicronenergy.com to find matching OMICRON solutions under "Applications." Knowledge sharing is essential to us, and you can explore the latest papers on various power system testing topics, upcoming seminars, events, webinars, and training courses on our website.

Stay tuned for the next episode of Energy Talks. Goodbye for now, everyone.