The European Network for Cyber Security (ENCS) – a non-profit organisation owned by grid operators – is on a mission to improve cyber security by sharing knowledge. Via events, portal documents, testing, training, and consulting, the organisation’s members can access the cyber security knowledge gathered over the last 10 years from ENCS’ extensive network.
Peter Molengraaf, a former CEO of Alliander and founding father of ENCS. Wolfgang Löw was one of ENCS’ first members and currently serves as Chair for the ENCS Assembly Committee, as well as CISO for EVN.
Anjos Nijk, current Managing Director of ENCS, spoke to them about their experiences with ENCS and cyber security over the years to mark network’s 10th anniversary.
Anjos Nijk (AN): We are all very proud that ENCS has reached its 10th year. I wanted to ask you to cast your mind back and tell us how you first became involved with the network and what your early impressions were.
Peter Molengraaf (PM): “At the time I was CEO of Alliander, a major distribution network operator (DNO) in the Netherlands, and we were preparing for a massive roll-out of smart meters to something like 2-3 million households. We realised early on that when you digitise the grid you create new risks from a cyber security perspective. We needed to address that ahead of our smart meter procurement, but we didn’t have much relevant expertise within the company as it had never been a concern before.”
“So, we got together with some other local parties – some from academia, from telecoms and some other commercial sectors. We assembled a lot of relevant expertise, but it quickly became clear that the different parties wanted very different things out of the cooperation – plus it made knowledge sharing with the government difficult. We decided that the smart thing to do was to coordinate primarily with other grid operators, who share the same challenges and priorities, and that was really the genesis of ENCS as a member network as we see today.”
“From there, we continued down the smart meter track, working with Tennet and other Dutch DNOs and DSOs (distribution system operators) in the Netherlands. However, it was clear that trends like smart meter requirements and privacy regulations were being driven at the European level more than the national one, so we also expanded to work with other European DNOs and DSOs, as well as beginning to engage with the European Commission.”
Wolfgang Löw (WL): “Yes, and that’s really why ENCS was so interesting to us at EVN. I remember the first contact I personally had with ENCS was at a conference in Berlin. They were talking about this testbed they had for testing different components and I loved that idea – of having a dedicated space and team for helping the energy sector in this way. I spoke to them after the presentation, and what really pushed us to get involved was the way it was set up as a not-for-profit organisation focused solely on the needs of its members.”
“In that set-up, we saw an opportunity not just to benefit from the expertise of others, but to influence the direction of future activities and research. That’s why we joined very early on as a full member with full voting rights in the assembly – which I now chair.”
AN: Compared to those early days, how has ENCS grown and changed through to today?
WL: “Ten years ago, ENCS was very centred around those testing capabilities, on the components. From there it grew to offer consulting services, and to create minimum security requirements for specific components – we did a lot together on the Austrian smart meter roll-out, for example.”
“Over time the network’s influence grew so that it was having an impact at both the nation state and European level. Now we are advising on the Network Code – among the Commission, the nation states, and the network utilities, ENCS is really respected for its technical knowledge and is often brought in to discuss certain topics. That gives an even stronger mandate for supporting the members as cyber security requirements evolve.”
PM: “The biggest difference is obviously the breadth of membership – from a handful of Dutch operators, mainly DSOs, to DSOs and TSOs right across Europe. As the membership has expanded, so has the scope, so whereas we started out with smart meters, we then did substation automation, and now things like solar inverters and EV chargers. As the digital grid expands, so does the scope of what you need to protect, and ENCS has shown itself to be perfectly positioned to do that. Especially seeing as, in many cases, rollouts and trends don’t develop in every country at the same time, so through the network we prevent utilities in different countries having to reinvent the wheel. Ultimately that is good for everyone.”
AN: Okay, so that is how ENCS has developed, but looking outwards: how has the cyber security threat landscape changed over the last 10 years?
WL: “Ten years is a long time in cyber security, and in tech generally. In those early days, to execute an attack against the grid, in most cases you would need physical access to the components controlling the grid. That feels like a long time ago now – almost everything is digitised and therefore theoretically vulnerable. There are also simply more things to protect – the proliferation of renewables and decentralised energy resources has changed the threat landscape massively. Solar panels, batteries, EV chargers – all this infrastructure needs to be controlled and is therefore connected and must be protected.”
“The pool of threat actors has expanded too. It was clear from the beginning that power grids would be tempting targets for nation-state actors as well as cybercriminals looking to make money, and those predictions have proven true. Today we speak about Russia’s actions in Ukraine and see that cyber warfare is firmly established as another dimension of war.”
PM: “It is difficult, because the digital world develops so fast – far more quickly than traditional energy grid engineering. The capabilities of both the attackers and defenders grow non-linearly – exponentially even – and it’s a race to keep up, which is why pooling resources on the ‘light’ side is so important.”
AN: Okay, and in your opinion, what has progressed well in the last 10 years with regards to cyber security for the grid, and what has not progressed as well as you would have hoped?
PM: “ENCS engages with member organisations on two levels. One is the technical level, with the technical experts in the trenches who must make these things happen. That has progressed really well, with peers recognising the advantages of knowledge-sharing and pooling expertise very early on. The other level is getting cyber security onto the agenda for grid operators’ boardrooms. ENCS has also made very good progress here but, if I had one regret, it is that this did not progress even more quickly. Today, there is open conflict between Russia and Ukraine, including cyber conflict, but there was a major attack on the Ukrainian grid in 2015 during previous hostilities. That was a wakeup call, but in business there are always competing priorities and I don’t think that call was heard as loudly and clearly as it should have been.”
WL: “Yes, quite possibly and there is always room to do even better. For me though, I think the fact that cyber security is now firmly on the boardroom agenda should be counted as a success. Partly, this is down to regulation pushing it onto the agenda, but here too ENCS deserves some credit for its work on the Network Code and NIS Directive, for example.”
“In terms of what could have progressed further? If you had asked me some years ago, I would have been disappointed to see so many smart grid tech vendors rush to win market share before really giving cyber security due consideration. Partly that was eagerness to be first to market, partly due to lack of resources and direction from the wider market. However, I think ENCS has done very good work in setting security requirements alongside its members and driving up standards across the industry.”
AN: And looking to the future – what do you see for ENCS and power grid cyber security in the next 10 years?
PM: “I am extremely pleased with ENCS’ trajectory, so my hope is for more of the same: more knowledge sharing, more working with regulators and standards bodies on codes, testing and security requirements for more new energy assets as they come onto the market and connect to the grid. There are still more grid operators in Europe who are not members than those who are, so there is more work to do!”
WL: “Threats will continue to develop and so will defences, but every day the grid community is more connected and collaborative, which will work in our favour. In the near term, as Chair of the Assembly Committee, I look forward to ENCS supporting ENTSO-E and the new EU DSO entity prepare for the Network Code, NIS Directive and Cybersecurity Act among other things. If the war in Ukraine has taught us anything, it is that energy and cyber security will be critical to any future conflicts, so it’s essential these regulations are informed by deep technical understanding. Further out than that, we will have to see what the future brings but I am confident ENCS will play an ever-greater role as the network proves its worth to the European grid community through its expertise, knowledge sharing, training and other activities.”
AN: Finally, can I ask for any particular personal highlights from working with ENCS over the last 10 years?
WL: “Well of course for me, becoming Chair of the Assembly Committee earlier this year was a very proud moment! Before that, our early work at EVN with ENCS on the smart meter requirements stands out as work that made a real impact. A big personal highlight for me though, was the first time participating in ENCS’ Red Team-Blue Team training – I was on the Red Team and I am pleased to say we won.”
PM: “Looking back, I certainly think that the privacy requirements in the European smart meter regulations would not exist in their current form without ENCS. We were ahead of the game on that, in fact I would say that across all the smart meter projects we have been involved with through members, we have really contributed to the quick dissemination of best practices through Europe and made the roll-out safer than it would otherwise have been.”