Keeping the smart network cyber-secure – SPE

Grids are becoming smart around the world, although some countries are investing more than others in modernizing their electricity grids. According to online data portal statistically, cumulative investments in electricity grids This is expected to increase across all regions between 2024 and 2050, with the largest amount coming from the Asia-Pacific region. But as this happens, cyber attacks on the power grid are also increasing. A report from Tech Monitor indicates that the average number of weekly cyber attacks on utilities, measured in 2024, has quadrupled since 2020. Most of these do not cause widespread damage or disconnections to the power grid. Nevertheless, awareness must remain high and measures must be taken to thwart them.

What is a smart network?

Smart grids can be described as digitally enhanced electricity networks. Old networks need to be modernized and, rather than building networks from scratch, injecting new digital technology into the existing systems is the most affordable way to prepare for new demands, such as the integration of renewable energy sources. More complex – and sometimes long-winded – definitions of the smart grid abound: according to the IEC ElectropedicsFor example, smart grids use information exchange and control technologies, distributed computing and associated sensors to integrate the behavior and actions of network users and other stakeholders, and to efficiently deliver sustainable, economical and secure electricity supplies.

Smart grid parlance often uses a variety of terms, including automated substations, digital interfaces, network sensors, intelligent electronic devices (IEDs), advanced two-way communications, and distributed energy resources (DER). One of the most obscure is SCADA, which stands for supervisory control and data collection. All of these terms are defined in the IEC Electropedia, but what we need to understand before this jargon is that because networks add digital communications and interconnection where they weren’t before, they become easier to attack by cybercriminals. According to Forbesin an article about the situation in the United States: “Most critical infrastructure components of the US energy network operate in a digital environment accessible via the Internet. The trends of hardware and software integration combined with growing network sensors are redefining the possibilities for superficial attacks for hackers.” The same trends can be seen around the world as we move further into the all-electric and digital age.

Cyber ​​attacks are evolving

Digital publication for power and energy engineers, EE powerlists several ways in which cybercriminals can influence the network, including Denial of Service (DoS) attacks, malware or time synchronization attacks, to name a few. For example, DoS attacks flood networks with a large number of false requests, preventing the actual requests from being served. Time synchronization attacks can manipulate real-time data, causing false information to circulate, for example about current energy levels in the electricity grid. Malware can be used to infect computers and demand ransoms, for example. The variety of ways cybercriminals can cause damage is mind-boggling and constantly evolving.

The pros and cons of AI

Artificial intelligence (AI) is becoming a useful tool in the fight against cybercrime as it increasingly impacts energy systems. In particular, it can help detect attacks and inform users of their nature. According to this articleResearchers in New Mexico have developed AI algorithms that use code to monitor anomalies in cyber attacks at the device, system, and utility levels. AI is also becoming increasingly used due to the automation of the electricity grid, enabling electricity load forecasting and for possible fault detection, not only due to cybercrime, and can help the electricity grid to ‘heal’ itself.

But the downside is that it can also be used as a tool for hacking various systems. According to the Federation of the European Electricity Industry Eureelectric“Cybercriminals are using AI to automate attacks, bypass security measures and create highly convincing phishing scams.”

The joint committee between ISO and the IEC are establishing standards for AI that address some of these issues. ISO/IEC TS 8200for example, specifically addresses the manageability of automated AI systems.

Tools and solutions

Most countries in the world have opted for legislation to avert cyber attacks. In the European Union, for example, the NIS 2 guideline was adopted by Member States in 2024. It extends the scope of cybersecurity requirements to electricity, oil and gas networks. The EU also recently published the Cyber ​​Resilience Act (CRA) to improve security in the digital infrastructure.

In addition to regulations, the international IEC standards are important tools to ensure a cyber-secure network. As Frances Cleveland, IEC cybersecurity and networking expert, explains: “There are ongoing efforts within my working groupresponsible for the development of the IEC 62351 cybersecurity standards for the electric grid, which I call the “How to do it” standards. The IEC also has the IEC 62443 Standards that tell you ‘What to do’. These standards are being expanded to include horizontal cybersecurity requirements, meaning that different industries, such as the energy sector, are adapting the core IEC 62443 standards to reflect their more specific needs. We are currently working on cybersecurity requirements for substations and will address specific requirements for distributed energy. IEC 62443-4-2 can also be used to test the cybersecurity of devices such as electric vehicles, photovoltaic panels and other distributed energy sources.”

The IEC 62351 series provides cybersecurity requirements and guidance for designing security into systems and operations before they are built, rather than applying security controls after the systems are deployed. Some of the various security objectives of these cybersecurity requirements include authenticating data transmissions through digital signatures, ensuring only authenticated access, preventing eavesdropping, preventing playback and spoofing, and intrusion detection. The IEC 62443 series focuses specifically on the industrial automation and control systems (IACS) used in critical infrastructure.

However, the time required to develop standards is a limitation and makes it difficult to keep up with the latest cyber threats, which are evolving very quickly. As IEC TC 57 expert Dustin Tessier explains, “standards are lagging behind in addressing complex protection and cybersecurity applications, especially for single points of failure in centralized platforms.”

The ISO/IEC 27000 The series is generally considered to cover information security management and certification in IT-specific environments – and not OT-based critical infrastructure such as power grids. But as they get smarter, the line between IT and OT is blurring. (For more on this blurring line, read Keeping the world’s critical infrastructure cyber-secure | IEC e-tech)

The convergence between IT and OT explains why ISO/IEC JTC1/SC 27 recently released ISO/IEC 27019which provides information security controls for the energy sector, and covers a very broad range of smart grid-related technologies, including central and distributed process control, monitoring and automation technology, sensors and actuators and DER integration, to name a few.

The case of nuclear energy

Nuclear energy is seen by many countries as a way to reduce CO2 emissions and it is also useful for balancing the electricity grid as it integrates more intermittent renewable energy sources. But nuclear power plants are also becoming more vulnerable to cyber threats as they become increasingly digitalized.

These threats increase the risks to an even higher level. In the worst case, hackers could take control of operations and not only wreak havoc on the power grid, but also cause a nuclear reactor meltdown, leading to widespread radioactive contamination.

The IEC takes these threats very seriously and is working with the International Atomic Energy Agency (IAEA), a United Nations agency committed to promoting the safe, secure and peaceful use of nuclear technologies and setting global nuclear safety standards. Experts out IEC Technical Committee 45 participate in the Technical Working Group on Instrumentation and Control of Nuclear Power Plants (TWG-NPPIC), which was established by the IAEA in 1971 to provide advice and promote research on nuclear power plant technology, especially human system interfaces.

A specific cybersecurity standard, IEC 62645was developed “to prevent and/or minimize the impact of attacks on information and computer programmable digital systems on nuclear safety and power plant performance.”

The standard proposes a table of high-level similarities to the horizontal IEC 62443 series, which includes dozens of subclauses related to organizational context, lifecycle implementation for programmable digital system security, and security controls. (Read more about these standards in this interview with the chairman of IEC TC 45.)

Keeping up with cybercriminals is an ongoing battle – and one that requires the combined efforts of regulators and technical experts. Currently, the energy sector has the right tools to do this, but the toolkit needs to be continually updated as attacks become more sophisticated.

Author: Catherine Bischofberger

The International Electrotechnical Commission (IEC) is a global non-profit membership organization that unites 174 countries and coordinates the work of 30,000 experts worldwide. International IEC standards and conformity assessment are the basis of international trade in electrical and electronic goods. They facilitate access to electricity and verify the safety, performance and interoperability of electrical and electronic devices and systems, including, for example, consumer equipment such as mobile phones or refrigerators, office and medical equipment, information technology, electricity generation and much more.