Cybersecurity 
in the 
Power Grid – A 360° View | Part 5

Welcome to the 5^th episode of our Energy Talks miniseries, called Cybersecurity in the Power Grid, in which we provide you with a 360-degree view of how power grids can best safeguard their infrastructures from cyber attacks. 

In this episode, Andreas Klien, OMICRON's cybersecurity expert, and Sarah Fluchs, CTO at admeritia GmbH, discuss the security engineering of digital products in the power grid. They explore the question, "Can power grid operators trust manufacturers for reliable cybersecurity?" 

The conversation includes insights into the pending EU Cyber Resilience Act, the significance of security certificates, the use of Software Bill of Materials (SBOM), and the importance of open communication between operators and manufacturers.

Stay tuned for upcoming episodes in our Cybersecurity in the Power Grid miniseries.

Listen to the podcast episode

Scott Williams Welcome to Energy Talks, a regular podcast series with expert discussions on topics related to power system testing, data management, and cyber and the power industry. My name is Scott Williams from the podcast team at OMICRON. 

Hello everyone! This is the fifth episode of our special Energy Talks miniseries called “Cyber Security in the Power Grid”, in which we provide you with a 360-degree view of how power grids can best safeguard their infrastructures from cyber-attacks. 

In this episode, OMICRON cybersecurity expert Andreas Klien will be your host, and a special guest will join him to discuss the question, “Can power grid operators trust their manufacturers?” So, without further delay, welcome Andreas, and thank you for hosting this episode.

Andreas Klien Thank you, Scott; it's a pleasure to host for the first time. Hello and welcome from my site to this fifth episode in our Energy Talks cybersecurity miniseries. My name is Andreas Klien, responsible for the business area of power utility communication at OMICRON and product manager of our cybersecurity products. Joining me for this episode is Sarah Fluchs, the esteemed Chief Technology Officer at admeritia GmbH, co-founder of the renowned Secure PLC Coding Project, and board member and working group convener at the International Society for Automation (ISA). So, she's convener of a standard IEC 62443 standard series and a lot of other things. It's a pleasure to have you here.

Sarah Fluchs Great. Thanks for having me. It's a pleasure to be here. 

Andreas Klien So what can you expect from this episode? Sarah and I delve into several intriguing topics. Firstly, we'll explore the EU Cyber Resilience Act (CRA) and its role in safeguarding critical infrastructures, particularly the power grid. We'll then pivot to a crucial facet of the CRA: security certificates for products, specifically Operational Technology (OT) devices. How do these certificates function, and more importantly, do they effectively enhance security? Moving forward, we'll unravel the concept of Software Bill of Materials (SBOM) within the CRA, a term that's been circulating for the past year or two. What exactly are SBOMs, and can they prove beneficial for utility operators and end users? Throughout our discussion, we'll adopt the perspective of a fictional OT security officer. Let's call him Michael. Michael is responsible for ensuring the security of a European power utility. In case of a successful intrusion, his company will be in the public eye, so it is his responsibility to make it as difficult as possible for attackers, striving to minimize the impact on the utility's public image. His role extends to compliance with local regulations, predominantly risk-based, necessitating continual efforts to elevate the organization's security maturity level. Michael also oversees incident response, conducts network threat monitoring, and navigates the complex dynamics between IT and OT colleagues. Michael's challenges mirror those faced by many IT security officers, prompting us to share insights that may offer some assistance to you. Sarah, let's start by asking ourselves the question: How big is the threat posed by cyber attacks on the power grid in Europe?

Sarah Fluchs As of our recording, notable power grid attacks in Denmark have recently come to light. I imagine Michael would be a bit worried about this information. These attacks, occurring in May, were revealed in mid-November. Despite being labeled the largest to date, the impact on users and customers was minimal due to preparedness measures in place. The incident highlighted the constant threat faced by Denmark's power grid, emphasizing the significance of perpetual vigilance. Although concurrent attacks on critical infrastructure are uncommon, the reality is that such threats persist. It's reassuring to know that preparedness can mitigate the impact, turning potential victims into empowered entities capable of weathering attacks without customer awareness.

Andreas Klien Yeah. I also found it quite interesting because this is one of the first instances where detection played a pivotal role in preventing an attack on critical infrastructure.

Sarah Fluchs Right. 

Andreas Klien I just imagine these analysts are diligently monitoring their systems when suddenly, they spot the IP addresses of a known threat actor. One can only imagine the surge in their pulses at that moment.

Sarah Fluchs Absolutely. It's a compelling example that underscores the reality of cyber attacks on power grid providers. The recent incident in Denmark serves as a vivid illustration. However, what sets this apart is that users and customers often remain unaffected. And that's a good thing. But it doesn't mean that there are no attacks. There are these attacks and critical infrastructures have to deal with them.

Andreas Klien Indeed. And I have deep respect of the vigilance and swift response of the SECTOR CERT team in detecting and neutralizing the threat.

Sarah Fluchs Absolutely. And also must respect them for their transparency in sharing insights. Their openness could potentially assist others facing similar challenges. It's a commendable case study on handling such incidents.

Andreas Klien I recall being at a conference in Copenhagen on the day they published the report. During their talk, an audience member sought more details, only to be met with a straightforward “No.”

Sarah Fluchs Yeah, it was still more information than we typically get. Given that the public remained oblivious to any impact on power supply and the attack occurred back in May, they could have opted for silence and would have easily gotten away with not publishing anything at all. The detailed report is something we can be grateful for.

Andreas Klien I agree.Now, shifting our focus back to Michael, our OT security protagonist. Michael needs to ensure compliance with a lot of different like regulations and standards by the EU or the local laws of his government. And this surely alleviates him some of his worries. What are your thoughts on this? 

Sarah Fluchs Well, there's a dual perspective. Yes, adherence to standards establishes cybersecurity basics. Implementing them sincerely, rather than just for compliance's sake, provides a foundation—network visibility, backups, intrusion detection. While this addresses some concerns, the challenge lies in the dependence on the security characteristics of the operated components. It's akin to having a cuckoo's egg in your nest; you lack control over the cybersecurity bird that emerges. The recent Denmark incident exemplifies this vulnerability, revealing that even with stringent protocols, an exploited vulnerability in a firewall, beyond the operator's control, can be the entry point for attackers. Vulnerabilities are often the manufacturer's responsibility, requiring a robust patch management process but limited control over inherent vulnerabilities in the components.

Andreas Klien Let's delve into the topic of firewalls, a crucial element that leads us to the EU Cyber Resilience Act (CRA) and its potential improvement on Michael's situation. Can you shed light on this new cyber resiliency?

Sarah Fluchs The CRA, if implemented, would mark a significant milestone, introducing a real market entry barrier for cybersecurity in Europe. For the first time, manufacturers of certain products must adhere to specific cybersecurity measures to access the European market. This is unprecedented both in Europe and globally. Unlike the U.S., which lacks a comprehensive approach, the CRA establishes a market entry barrier, not just a certification. It expands the CE marking concept, traditionally applied to safety-related products like children's toys or pressure vessels, to include cybersecurity for products with digital elements. This means products must meet designated cybersecurity requirements to obtain the CE marking.

Andreas Klien So, it's not just a certificate; it's essentially a market entry barrier, a noteworthy distinction.

Sarah Fluchs Exactly. If a certificate becomes a prerequisite for market entry, it serves as a marketplace barrier. The CRA mirrors the existing CE marking framework, expanding the existing concept of the CE marking to cybersecurity. And the CE marking is a really successful concept that we have for primarily safety-relevant products. For example, children's toys or pressure vessels, or many people know it from sunglasses. If you don't have the CE sign on your sunglasses, then you can't be sure that they really protect your eyes from UV rays. The novelty lies in extending this to digital products, making cybersecurity compliance a key criterion for market access.

Andreas Klien I've always associated the CE marking as something self-labeled. Would this now require external accreditation?

Sarah Fluchs It depends on the criticality of the product. The existing CE marking already follows a similar principle. Depending on criticality, you can either self-declare or undergo external verification.

Andreas Klien What about OT automation devices?

Sarah Fluchs The short answer is we don't know yet. We're in the early stages of defining the scope. The EU Commission released a draft text for the Cyber Resilience Act last year, including an annex specifying the digital products in scope. This has been a major point of discussion between manufacturers, Parliament, and the EU Council. The breadth of products affected is substantial, ranging from large-scale elements to more nuanced components. The CE marking, being part of the legislative framework, demands careful consideration. The risk to end-users is a pivotal factor in deciding which products fall under its jurisdiction. While the initial draft was extensive, the ongoing debate suggests a substantial reduction in the list. OT products, including IoT components, industrial automation control systems, and NIS2-defined critical components, were initially included in the draft, but the final list is yet to be published. It's certain that modifications will be made, emphasizing the meticulous risk-based approach adopted by the EU.

Andreas Klien We recently completed the certification process for the BSZ (Fixed-Time Cybersecurity Certification) from the German Federal Office for our intrusion detection system. It was a fascinating journey. There are other certifications, such as 624434-1 for the development process and 4-2 for the products, I think. So, there are several options for certifications around. Additionally, in France, there is an ANSSI certification compatible with the German certificate. Which of these certificates will be interesting to people like Michael? What do you think?

Sarah Fluchs That's a good question. The existing certificates, unlike the CE certificate, are not mandatory. Vendors can choose to enhance trust in their products by obtaining these certificates, but it's not a market entry requirement. The CE marking, on the other hand, will serve as a market entry barrier. The process of determining relevant requirements for the CE marking and aligning them with existing certification schemes is ongoing, developing harmonized European norms. These norms must be European for presumption of conformity, ensuring that adhering to these norms grants the CE marking. The certificates you mentioned, like BSI or competitive defense certificates, are in the process of standardization, with hopes that European norm 1716040 could be one of the harmonized norms for the CRA. While the timeline is ambitious, with the goal set for around 2025-2026, there's optimism about its realization. And the German BSI, of course, is working towards becoming part of the standards. So that their certificate will be usable for the CE marking. 

Andreas Klien In your article on Medium and LinkedIn, you also discussed SBOM as a measure to improve security, which also has a requirement for products to be certified. Could you explain what this SBOM term is? It's a relatively new term that didn't exist a few years ago.

Sarah Fluchs Absolutely. SBOM stands for Software Bill of Materials. It's essentially an ingredients list for a software product, detailing the libraries and other components it comprises. This becomes crucial for assessing vulnerabilities and understanding potential risks. The need for SBOM became evident, especially after supply chain attacks like SolarWinds, where vulnerabilities deep within software stacks posed significant challenges. SBOM facilitates easier identification of such vulnerabilities, providing a comprehensive view of the software components.

Andreas Klien What role will SBOM play for our fictional CISO Michael in five years? Will he use it?

Sarah Fluchs Its usage depends on whether manufacturers provide it to him. SBOM is not something the operator can create independently; it must come from manufacturers. With the increasing prescription and now a requirement in the Cyber Security Resilience Act, there's a higher likelihood of widespread usage. Michael will likely find it available, enhancing his ability to make informed decisions about the products he employs.

Andreas Klien How would an end user, like Michael, make use of SBOM in daily risk management?

Sarah Fluchs SBOM provides intricate details that gain significance as cybersecurity programs advance, resembling a sophisticated asset inventory. To fully capitalize on the available information and assets, enabling risk-based decisions through the asset inventory is the initial step. This, in turn, paves the way for delving into the depth of SBOM information.

For instance, the asset inventory aids in risk-based decisions, guiding choices like selecting manufacturers and determining essential features. As the focus shifts to SBOMs, a more nuanced exploration unfolds. It prompts questions like, "What libraries should I use to minimize risk?" or "Should I incorporate open-source libraries, and if so, which ones can be trusted?" The complexity deepens with considerations about using standard libraries and the extent of reliance on individual manufacturers in the SBOM stack.

These questions, while pivotal, come after leveraging existing data. In essence, SBOM is not the first tool Michael would use, except, perhaps, in conjunction with patch management. The journey into the intricacies of SBOM involves navigating through a myriad of considerations, acknowledging that the realm of open source encompasses a diverse landscape requiring careful evaluation and strategic decision-making.

Andreas Klien I like to draw a comparison to an ingredients list of food, SBOM allows users to set priorities based on their preferences and requirements. It offers the flexibility to decide how deep to delve into the details and tailor risk management decisions accordingly.

Sarah Fluchs That's right. Setting priorities and diving deep is key. One can choose to focus on specific aspects, like allergens, and ignore the rest. It's akin to dietary restrictions, such as avoiding E-numbers. The depth of exploration depends on individual preferences. The Software Bill of Materials (SBOM) provides an opportunity to make these decisions more visible and detailed.

Andreas Klien Engaged in the vulnerability management process, especially for our products, developers play a crucial role in assessing the relevance of a vulnerability. The complexity at this level of detail is profound. For instance, assessing vulnerabilities in components like the Linux kernel requires extensive knowledge. Obviously almost all of them, or usually all of them, do not pose a risk for the end user because they cannot be exploited, because the kernel modules may be not used, and so on. So, it is a lot of detail knowledge is required to be able to assess if a vulnerability of a component goes through to the end user. The evolving nature of opinions about these vulnerabilities adds another layer of intricacy.

Sarah Fluchs It's intriguing. Deciding the relevance of a vulnerability in products requires understanding the system context of end-users. The role and information sought from manufacturers for this assessment are pivotal.

Andreas Klien In addressing this, I can provide a concrete example from our product development. Our products are intricately linked to the station bus in substations. When granted Layer 3 access to the network, a process—operating even with standard privileges—can initiate an external TCP/IP connection. The significance lies in the fact that elevated privileges aren't a prerequisite. If the process or the device falls under your control, you gain the ability to establish a TCP/IP connection, enabling the issuance of switching commands. This seemingly innocuous action has the potential to instigate a blackout. Even without elevated privileges, assuming control of the process empowers an attacker to orchestrate a substantial impact.

Taking it a step further, with Layer 2 network access coupled with elevated privileges, a more ominous scenario unfolds. Consider the ability to dispatch ghost commands within the substation. This maneuver induces confusion in the interlocking logic. In this setup, the realm of possibility expands, making it remotely feasible—albeit unsettling—that an attack could pose a threat to life and limb. This underscores the gravity of the potential consequences that arise from vulnerabilities in network access points, emphasizing the need for robust security measures in such critical infrastructures.

Providing insight into our practices, our products, connected to the station bus in substations, necessitate assuming worst-case scenarios. Assessing risks involves understanding the device's network access, with potential impacts, even remotely, leading to life-threatening situations.

Sarah Fluchs Clarifying the risk assessment, understanding the component's privileges and internet connection, is crucial. Though assumptions are made about connectivity, advisories guide end-users on how to adapt to their circumstances.

Andreas Klien In our product development, we operate on the assumption that it's already connected to the bus in the substation. We take a precautionary stance, leaning towards anticipating the worst-case scenario. It's impractical to inquire from a multitude of customers, asking, "Are you not connecting it?" For instance, in the case of a testing device, its purpose mandates connectivity to the station bus, leaving no room for doubt.

Sarah Fluchs Perhaps my initial inquiry was phrased incorrectly. However, with proper advisory, you can guide users based on their circumstances. Confirming whether it's connected or not provides a foundation for tailored recommendations.

Andreas Klien But developers play a crucial role in assessing whether a vulnerability has the potential to bring a process under control or elevate privileges on the compromised device. It's a challenging task, and the outcome can determine the impact—ranging from a blackout to endangering life and limb.

Sarah Fluchs Yeah, but that also shows how much knowledge and how much context information you need in order to really process all the detailed information that you can get out of an SBOM and out of a vulnerability note. And then it doesn't really help just to have all that information, but you really have to have the right people looking at that. I mean, it's the same with an ingredients list, right? You have ordered list of ingredients and most of them are not bad on their own. It really depends on what perspective you want to look at them, right? So, if you have 500 vulnerabilities in the product that first of all, it doesn't tell you anything.  Judgment is essential to discern the significance of each.

Andreas Klien Yeah. It's really a complex topic and some people think the SBOM will be the silver bullet for that. But unfortunately, it's way more complex. And I think the ingredient list in foods, this is a good comparison for that.

Sarah Fluchs I mean, it's the fundamental information that you need to have in order to solve the problem. So, without an SBOM, you won't solve the supply chain problem. But it's not the silver bullet. Having an SBOM is necessary, but it alone is not sufficient to guarantee a solution.

Andreas Klien Okay. So, as of today, what would be your assessment? Can Michael, as a power grid operator, trust his manufacturers?

Sarah Fluchs I'm not familiar with his manufacturers, but setting that aside, it's a good question. However, I'm not a fan of the finger-pointing it implies. Progress in good cybersecurity doesn't come from finding blame. Rather than asking, "Can I trust you?" or "Have you done your homework?" The better question might be, "What do I need to do to enable the other party to do their homework?" It's about collaboration. Operators should share security goals, not just throw requirements at manufacturers. Manufacturers, on the other hand, should embrace transparency. Trust is built through open communication, sharing intentions, and being transparent about inclusions and exclusions.

Andreas Klien Power grid operators now care more about how secure devices are developed. Manufacturers need to realize there's a demand for secure products. Because not a lot of manufacturers care, unless somebody actually would be willing to pay money for that extra effort, of course. Both parties must be interested. Customers are increasingly concerned, and manufacturers need to respond.

Sarah Fluchs Absolutely, opening up dialogue is crucial. Both parties need to discuss goals, not just mandatory features or regulations.

Andreas Klien Looking ahead, what's your take on the future, especially with the EU Cyber Resilience Act?How will this continue? What will happen in the next years, what do you think? 

Sarah Fluchs The Cyber Resilience Act will likely be finalized before the European elections next year. There will be a period before it takes effect, during which the standardization landscape for cybersecurity requirements will undergo significant changes. The rush to harmonize norms will lead to the emergence of new standards and the solidification of existing ones. While challenges are expected due to the time pressure, at least we will quickly start that process. And I think that by its own is progress. 

Andreas Klien Thank you so much, Sarah, for being in our podcast. It was a very interesting discussion with you. I really enjoyed it. Great to have you here. 

Sarah Fluchs Me too. Thanks for having me. 

Andreas Klien And a big thank you to Scott for letting me host this episode. Over to you, Scott.

Scott Williams Thank you, Andreas, and a big thanks to our audience for listening to Energy Talks. We always welcome your questions and feedback. Simply send us an email to podcast@omicronenergy.com.

Please join us to listen to the next episode of Energy Talks. Goodbye for now, everyone. 

Listen to the podcast episode