Energy Transition Talks
The energy industry is evolving—how will quantum computing, AI, and digital transformation shape the future? Join CGI’s experts as they discuss the latest trends in decarbonization, grid modernization, and disruptive technologies driving the energy transition.
Topics include:
- The impact of AI, quantum computing, and digital transformation
- Decarbonization strategies and the rise of green energy
- How utilities are modernizing power grids and improving resilience
- Innovations in battery storage, hydrogen, and renewables
Listen now and stay ahead of the energy transition.
Subscribe on Apple Podcasts, Spotify, or your favorite podcast app.
From air gaps to zero-trust: Building cyber-physical resilience in the modern grid
Zero-trust, device identity and cyber-physical resilience are now essential for securing modern energy grids. In this episode, CGI’s Andrea Grad speaks with PHYSEC CEO Prof. Dr. Christian Zenger about protecting OT, IoT, smart meters, substations and distributed energy resources (DERs) at scale. They also examine how regulations such as NIS2, the Cyber Resilience Act and the CER Directive are shaping global approaches to grid security, compliance and modernization.
Andrea: Hello and a warm welcome to everyone who tuned in for today's podcast. My name is Andrea Grad. I'm a lead consultant at CGI, based in Düsseldorf, Germany. In today's podcast we will discuss the topic "from air gap to zero-trust": security architectures for the energy world 4.0. But I'm not alone today. Our guest is Professor Dr. Christian Zenger, co-founder of PHYSEC, a successful spin-off from Ruhr University Bochum specializing in OT and IoT security. Christian, it's so great to have you as a guest today. Please introduce yourself.
Christian: Thank you very much. Happy to be here. I'm Christian. I'm a professor at Ruhr University, which is one of the top universities for cybersecurity in Germany. I have more than 40 professor colleagues in this topic, which is maybe an impressive number and demonstrates how strong we are here. And I got lucky nine years ago to found PHYSEC together with my co-founder Heiko. Together we developed a technology and a strong team specialized in OT and IoT security.
Andrea: Wonderful, thank you very much. Well, with that I think you bridged the gap to the topic, and I would suggest we start right away with the first question. Looking at today's threat landscape in the energy and utility sector, what do you see as the most common risks for energy suppliers?
Christian: Yeah, so I think first of all, what's interesting is that the energy sector is attacked very specifically, and there are attack vectors which are really tailored to the energy sector. Next to that, in this sector we have a very close collaboration between the IT infrastructure and the OT infrastructure. And this means that there are different attack vectors. Number one is still ransomware against the IT, but also ransomware which by coincidence swapped from IT to OT, and also ransomware which attacks OT directly. We have supply chain attacks through software updates and the update ecosystem itself, and we also have sabotage of SCADA systems from remote access operations as well as close access operations, where attackers really go physically to the device and attack it. Both attacks usually aim at a physical threat.
Andrea: Well, speaking of the physical threats, that kind of bridges to the point of IoT devices, and at CGI we often see that utilities are challenged by the growing complexity of those, from smart meters to grid edge sensors. In that context, Christian, what role does IoT security play, especially when it comes to critical infrastructures?
Christian: Yeah, so let's say there are three generations. Generation one is: all the assets are air-gapped, especially due to very old operating systems, and they maybe should stay air-gapped. Second is the classical Purdue model, where you have different levels and different tasks operating on these levels, like level zero being the sensors and actuators, then the control level, etc., up to the business level. And all the levels are segmented. You cannot just communicate from one level to another; there are strict rules, very clearly defined. The third generation is the industrial IoT, where you are able to jump from one level to another, like from level zero to level five, just with a smart IoT technology. This makes everything cheaper, faster and very interesting, and business-wise it is something people like because they get digitalization opportunities. However, in doing this, concepts like zero trust become fundamentally important, because you cannot go through these different levels without having very proper end-to-end encryption. Therefore it is important to look at the requirements for modern security when integrating IoT.
Andrea: That really resonates. And I think that your value proposition in that is very important. We see that a lot of utilities have a common interest in IoT and AI for predictive maintenance, but that is always paired with questions about regulatory compliance. It's a reminder that innovation and governance really go hand in hand. Now, if we're looking at EU regulations with NIS2, the Cyber Resilience Act and the Data Act, what are the biggest compliance challenges for energy providers? And especially, how do you think collaboration between players like CGI and PHYSEC can help reduce the cost of compliance?
Christian: Yeah, so I think the most important thing is the known regulations like NIS2, but also the CER, the Critical Entities Resilience Directive, which manages the physical security. My recommendation is to look at both at the same time and develop a converged approach where the cyber and the cyber-physical attack vectors are handled together. That is number one. Number two is the Cyber Resilience Act, which is the first one that is actually providing a minimum security standard for the vendors. This is really something you as an operator should use, because with the knowledge of what the Cyber Resilience Act is actually requiring, you can think about what kind of documents, which the vendors are now working on, could actually help you with your own compliance strategy. This is something economically interesting, because you don't need to do your 100k risk analysis if the vendor already did a huge part of it. From my perspective, this interaction between NIS2 and the Cyber Resilience Act also solves a classical prisoner's dilemma between the vendor and the operator. And if we look at a very old study from IBM from 1983, it says that the relative cost of fixing problems like adding IT security afterwards is 100 to 200 times the cost compared to doing it by design in the product. This is a huge economic thing. So I think this regulation, which solves this prisoner's dilemma and also helps the operators to get more than a product description, is something very useful. And I think at PHYSEC we developed a really important piece of the puzzle in technology to do this in a very smart, clever way. Together with CGI, we are able to provide a holistic approach to this entire topic.
Andrea: That makes a lot of sense, and I do think that is a great synergy we've created between PHYSEC and CGI. Now I want to come back to the point where you mentioned cost savings earlier. With fines of up to 15 million euros or the equivalent of 2.5% of global turnover on the table, how do you think organizations can map these risks against current cyber spend to make the business case?
Christian: Yeah, I think this is one of the most interesting questions to answer. The standard answer is that you need a business case argumentation for your cybersecurity investments which is not just risk-based quantification, but also includes the potential fines you need to pay if you don't do it in a proper way. So what you do is a risk analysis where you say, okay, these attack scenarios lead to problems with production, with contracts, with the response, with rebuilding or fixing the systems, and you make a list of what the biggest risks and costs are and how much you invest. This is, let's say, the standard answer. But there are also security solutions which provide real functional advantages. For example, a zero trust architecture helps you to troubleshoot; it's easier to fix problems if you have a zero trust architecture. Or single sign-on security features reduce the login effort you have. And a third example is security information and event management, a SIEM system, which can also be used for predictive maintenance, because you are getting a lot of log files, as well as, in a converged approach, the physical information. This is, by the way, also something we are offering together with CGI. These are actual functional advantages you are getting with security.
Andrea: That sounds great. And do you think that shared evidence repositories between device makers, integrators and DSOs might also help reduce audit duplication and compliance costs?
Christian: Yeah, absolutely. Risk analysis is one of my favorite topics here, because it's a lot of work to do, and sharing them, of course in a kind of pseudonymized way, not publishing your internal IP addresses, of course, but providing this kind of audit reports, risk analyses, etc., will have a huge impact on reducing cost and improving efficiency. And as I said earlier, I also think this will be something like a byproduct from the vendors. In the future, when you buy a product, you will get some information about the security of this product from the vendor anyway. Internally, the vendor is forced to develop more documentation, again, risk analyses. And this is something I think the vendors will sell together with the products in the future. Additionally, I also believe that institutions like the BSI in Germany will provide some knowledge bases like this.
Andrea: Thank you for those insights, Christian. Now we've spent a lot of time discussing the current situation, but if we were to jump into action, and you were to put yourself into the shoes of the decision makers in the energy and utility sector, what piece of advice would you give them if they were considering new digital initiatives?
Christian: Yeah, I mean, in the role of a professor, I would also recommend looking for a very strong academic partner, like a chair professor at a university, because as I said earlier, we are strong here in Germany and of course also in other European countries. Ask them for help, see how they can bridge the gap between the vendors and the operators from a very neutral position. They will not just offer you the standard, let's say old, products, but also the new, innovative and modern approaches. I think this is my number one advice.
Andrea: That's the advice. Well, it sounds like there are a lot of different things to take into perspective. Now, if you were to say we've done all of the research, we've talked to the academics, and we know everything that we need to know, and you wanted to take a look into the future, looking into 2030, knowing that you don't have a crystal ball, what do you think? Where do the trends lead us?
Christian: I think currently our regulation is not really accelerating innovation. So in a, let's say, dystopian book, I would say maybe a lot of things we are working on today are still our topics in five years, and that seems not unrealistic. However, a positive scenario would be that this kind of regulation is changed in a way that accelerates innovation, and you are able to use technologies which are really 21st century, but without any compromise of security. They are as secure as the current solutions, and with this we will get the entire thing: we will get prosumer dynamic tariffs, being able to use the battery to charge back into the grid, and all the different ideas we have. But from my perspective, the key point is having a regulation which makes innovation possible.
Andrea: Absolutely. Well, thank you for your valuable insights today, Christian. It sounds like there are a lot of pieces already in place to make sure that we have a safe and secure cyber infrastructure, and there are still other things that we need to work on. But unfortunately for today, we've reached the end of the episode. Thank you, Christian, for joining us and sharing your valuable insights. And of course, a big thank you to everyone who tuned in today. We hope you enjoyed the conversation. If you'd like to know more about how CGI and PHYSEC are shaping the future of secure energy infrastructures, visit our websites or connect with us on LinkedIn. We look forward to having you with us again next time. Thanks.
Christian: Thank you.