EDP Distribuição is the electricity distribution company of Energias de Portugal and it recently became the newest member of the European Network for Cyber Security (ENCS), a non-profit industry organisation for improving cyber security in European critical infrastructure, focusing on energy grids.
The smart grid offers a host of advantages to both consumers and utilities, but whenever you connect things to a network that were not connected before, you introduce new risks. We need to make sure the electricity grid is cyber secure and that consumers and their data are protected. If cyber security is seen as an afterthought, that opens the door to some big problems.
In Portugal, we have been working on and evolving the smart grid since 2005/06 with the Inovgrid project. It was quite an ambitious project from the start. We looked at the whole smart grid value chain – renewables, electric vehicles, consumers producing their own energy – and the challenges of transforming a network system operator into an active distribution system manager. And we did it through a customer-centric strategy, empowering people to make their own decisions about their energy usage.
An initial pilot project in Évora reached 30,000 customers, and seven more recent projects have involved around 100,000 customers.
For EDP Distribuição, an end-to-end cyber security strategy was a key concern even before the start of the Inovgrid project.
About ten years ago at EDP Distribuição, as we looked to rationalise and optimise our operations, we realised we would have to look for a strategy more leveraged in outsourcing. As our operational technology was becoming more exposed, and our processes and technologies more complex, we acknowledged we had to look closely at cyber security and data privacy. We did a lot of work identifying our main vulnerabilities and risks, and their corresponding controls, and we launched a portfolio of projects to address them.
We started increasing our visibility over cyber activities in our systems, managing access and privileges, and applying network segregation and system hardening techniques. At the same time, energy grid cyber security started to feature prominently on the EU’s agenda, and a number of pan-European discussions and projects began to emerge. It was around that time that we first started talking to ENCS. We were looking for forums and trusted communities to learn how to be more effective at cyber protecting our critical infrastructure.
We first started working with ENCS around 2011. We worked on a few different projects, including having ENCS training on cyber security at its offices in the Netherlands, using the hackers-versus-company role-play model, which really helped us to better understand how cyber security works and how the “game” is played.
Simply put, our membership of the ENCS means we can give our customers extra confidence and assurance that we are working to keep them and their data safe. By working collaboratively with the European community for a more cyber secure energy sector, we keep consumers, their data and the electric distribution grid protected. These things are too important and the stakes are too high. As an industry, we cannot afford to make the same mistakes twice. If a utility or distribution system operator discovers a vulnerability that can be exploited by attackers, it cannot keep it to itself and wait for others to figure it out on their own. We need fast and effective information-sharing and co-operation, since a wait-and-see strategy is not an option.
The hackers will share information, so we have to do it as well.
In an increasingly connected world, it is essential that we all work with each other. One industry we can learn from in particular is telecoms. First, because the two sectors are mutually dependent (telecoms companies need energy to operate and electricity grids need telecoms to conduct their operations), but also because the telecoms sector has been confronted with a lot of the same challenges in the past. Telecoms got smarter earlier than the energy grid.
In telecoms, there has already been a huge shift from analogue to digital grids, and they have dealt with all the processes of service providers tendering for manufacturing contracts and having to figure out how to build in cyber security. These are all challenges we are facing now, and although there are some obvious differences, I believe we have a lot to learn.