Aurelio Blanquet, pictured, Director at EDP Distribução, the Portuguese DSO, talks smart grid cybersecurity and why his company has joined ENCS, the European Network for Cyber Security.
EDP Distribuição is the electricity distribution company of Energias de Portugal, one of Europe’s largest electricity operators, owning and operating approximately 99 per cent of the electricity distribution network in mainland Portugal. Recently, the company became the newest member of the European Network for Cyber Security (ENCS) – a non-profit industry body for cybersecurity in European critical infrastructure, focusing on energy grids.
Why is cybersecurity so important to the smart grid?
The smart grid offers a host of advantages to both consumers and Utilities, but whenever you connect things to a network that weren’t connected before, you introduce new risks. We need to make sure the electric grid is cyber secure and that consumers and their data are protected.
The future is going to be digital, so cybersecurity has to be a strategic priority for all stakeholders in the sector – utilities, manufacturers, government, academia and any active energy sector players. If cybersecurity is seen as an afterthought, then that opens the door to some big problems.
How advanced is the Portuguese smart grid?
In Portugal, we’ve been working and evolving the smart grid since 2005/6 with the Inovgrid project. It was quite an ambitious project from the start – it was never just a smart metering project; we looked at the whole smart grid value chain – renewables, electric vehicles, consumers producing their own energy, and the challenges to transform a network system operator into an active distribution system manager. And we did it through a customer centric strategy, empowering people to make their own decisions about their energy usage. The approach was very well perceived at the European level – it won several awards and has been highlighted as a reference project by the Joint Research Centre (JRC). An initial pilot project in Évora reached 30,000 customers, and seven more recent projects have involved around 100,000 customers.
So Portugal has advanced quite far in terms of smart grid and smart cities, with the unique aspect that the Portuguese roadmap is an industry-led approach supported by the regulator and government, but without a specific political mandate driving it forward – and as EDP Distribuição is driving the initiative, it brings even more responsibility regarding the potential risks and adversities related to its implementation, as in cybersecurity. There weren’t any standards or guidelines handed down to us. So, we’ve spent a lot of time working on the cybersecurity challenges with other industry players, the government and academia both in Portugal and across Europe.
And what about cybersecurity? Has security been a priority from the beginning?
Yes, for EDP Distribuição, an end-to-end cybersecurity strategy has been a key concern even before the start of the Inovgrid project. About ten years ago at EDP Distribuição, as we looked to rationalize and optimize our own operations, we realized that we’d have to look for a strategy more leveraged in outsourcing. And as our OT (Operation Technology) was becoming more exposed, and our processes and technologies more complex, we acknowledged that we had to look closely at cybersecurity and data privacy. We did a lot of work identifying our main vulnerabilities and risks, and its corresponding controls, and we launched a portfolio of projects to address them in order to improve the overall security of our critical information infrastructure and adapt to the new threat landscape. We started increasing our visibility over cyber activities in our systems, managing access and privileges, applying network segregating and system hardening techniques. At the same time, energy grid cybersecurity started to feature quite prominently on the EU’s agenda, and a number of pan-European discussions and projects began to emerge. It was by that time we first started talking to ENCS. We were looking for forums and trusted communities to learn how to be more effective cyber protecting our critical infrastructure.
When did you first work with ENCS?
We first started working with ENCS around 2011, so it’s been five years now. We worked on a few different projects, including having ENCS training on cybersecurity in their offices in the Netherlands, using the red/blue teams (hackers V.s. Company) roleplay model (which really helped us to better understand how cybersecurity works and how the “game” is played.
Why did you decide to join ENCS as a full member? And why now?
We’ve seen the value of collaboration; of working with the wider European industry, governments and academia. Hackers work in teams – they’re very cooperative, coordinated and often well-funded. They share their knowledge and expertise, so to defend ourselves and our customers as an industry, so should we. Having worked with ENCS and seen the value they may add, it made sense to join as a full member now and explore the advantages of this partnership. Internally, it has helped us to increase our cybersecurity awareness, putting it on the board level agenda.
On a broader level, it allowed us to fully access that network, its centre of expertize and benefit from that collaboration. By being members, it also means we can contribute with our own experience and expertise, and have a say in decisions over what the network does next, and what type of research is funded. Specifically, we’re working on a rather ambitious smart grid infrastructure security project, and we realized we wanted to be fully plugged into this expertise for it. ENCS assures a professional and comprehensive approach for the identification and remediation of our main threats and vulnerabilities.
What does your ENCS membership mean for your customers?
Simply put, it can give them an extra confidence and assurance that we are working to keep them and their data safe; working collaboratively with the European community for a more cyber secure energy sector, keeping consumers, their data and the electric distribution grid protected – these things are too important and the stakes are too high. Therefore, as an industry we cannot afford to make the same mistakes twice; if a utility or DSO (Distribution System Operator) discovers a vulnerability that can be exploited by attackers, it can’t keep it to itself and wait for others to figure it out on their own. We need fast and effective information sharing and cooperation since a wait and see strategy is not an option. The hackers will share information so we have to it as well. Our membership with ENCS demonstrates how we are keen and motivated to working together with the industry, and that we can’t treat cybersecurity as an area of competitive advantage where we work against each other. As businesses we’ll do better learning from each other, and consumers will be safer too.
Is there another sector you think the smart grid can learn from in terms of cybersecurity?
In an increasingly connected world, I think it’s essential we all work with each other. A particular industry I think we can learn from though is the telecommunications sector. Firstly, because we’re mutually dependent on one another (they need energy to operate, and we need telecommunications), but also because they’ve been confronted with a lot of the same challenges in the past. Telecommunications got smarter earlier than the energy grid. In telecommunications, there has already been a huge shift from analogue to digital grids, and they’ve dealt with all the processes of service providers tendering for manufacturing contracts and having to figure out how to build in cybersecurity. These are all challenges we’re facing now, and although there are some obvious differences, I believe we have a lot to learn.
What’s next for EDP Distribução, ENCS and cybersecurity?
At the moment, we’re still in the midst of a large scale smart meter infrastructure security project where ENCS is contributing with all its expertise. And as the smart grid is still a work in progress, there’s still a lot to be done to ensure that we are addressing the main cyber challenges of our evolving digitalisation process. More generally, there is also much to learn from and contribute to in terms of the wider cybersecurity conversation in Europe. We look forward to doing so as an active full member of ENCS.
