dena conference: Cyber security as the Achilles heel of the energy industry
Cyber attacks are currently slowing down the energy transition. At the “Future Energy Day” of the German energy agency dena in Berlin, there was also talk of a counter-strategy.
The energy industry suffers from cyber attacks. At the “Future Energy Day” last Thursday in Berlin, the German energy agency dena discussed how affected companies deal with this and what strategies are needed for more security in the energy network. The industry cannot avoid greater digitization, however. Philipp Richard, head of dena's Future Energy Lab, is convinced: “A successful energy transition is definitely also a digital energy transition.” This is because an increasingly decentralized energy system has an “enormous need for integration and coordination”. If the data cannot be exchanged and made usable by different actors, the digital energy transition will not progress.
Victims of blackmail pay – and often remain silent
High-quality data is essential for the critical infrastructure of the energy industry. “The lack of this data probably also means that some actors are fundamentally skeptical about transferring even more responsibility to digital technologies,” is Richard’s impression. The pace at which digitization is being driven forward is not sufficient. “The degree of digitization is perhaps also part of the bottleneck we face,” says Richard.
Ransomware attacks, which are currently troubling the industry, have proven to be particularly damaging to trust. “20 percent of the energy supply companies talk about it, 80 percent keep it under wraps,” estimates Klaus Kisters, CEO of the Aachen-based Kisters Group. According to him, 40 percent of those affected pay after ransomware attacks. But the damage caused amounts to between 10 and 20 percent of annual sales, said Kisters at the dena event: “It just hurts like hell.”
Insurance companies don’t want to pay
The Kisters Group was blackmailed in November 2021 after a cyber attack. At times it had no access to its own systems because they had to be shut down. It was only four months later that it was able to return to normal operations. It did not go along with the blackmail attempt, but immediately informed all customers, partners, the police, the Federal Office for Information Security and the Federal Network Agency.
Kisters develops IT systems for sustainable resource management of energy, water and air as well as environmental monitoring. The IT security incident triggered a small tremor in the industry: According to the Federal Network Agency, the introduction of “Market Communication 2022” had to be postponed by six months, which affected several hundred companies and market roles in the electricity and gas sectors. The launch date is now October 1st.
In retrospect, Klaus Kisters would inform the authorities again. Only when dealing with insurance does he advise that “it’s best to bring in a lawyer for cyber security”. His “lessons learned is that the insurance company doesn’t want to pay for this type of disaster and they will do everything they can to get out of it.”
The Kisters Group has now doubled its IT security team. Klaus Kisters does not believe that a corporate system can be 100% secured. What matters is how to deal with a cyber attack and how to get the systems back up and running: “An absolutely important topic that also needs to be discussed more in the energy industry.”
Digital identities for market communication
If the data that provides the basis for automated energy trading is manipulated or compromised, the consequences can be devastating. For example, amounts of energy that are sold and planned in a virtual system strengthen the impression that the energy system is in balance. “If, however, the data record assigned to an energy system is falsified at a certain quarter of an hour, for example, and the amount of energy does not actually exist, this creates an imbalance that throws the physical system out of balance,” warn experts in the report on dena's blockchain pilot project “Machine Identity Ledger”.
The key question for the energy transition is therefore: How can IT security be baked into the structures of the emerging energy market? In the blockchain project, dena developed a digital and decentralized directory for device identities together with players from the energy industry and start-ups and demonstrated its technical feasibility.
There is still a lack of uniform identities for generation and consumption systems such as wind and solar systems or electric cars on the energy market. Automated device registration and identity management could reduce transaction times and costs, for example for trading in green electricity certificates, a supra-regional electricity market or peer-to-peer trading, according to experts from the blockchain pilot project.
Even changing energy supplier still takes up to 15 days in Germany. If processes in the energy system can be controlled automatically, the changeover could take place in real time. However, this requires digital proof and verification of the identities and rights of actors and assets.
The machine identity register developed in the Future Energy Lab can meet these requirements. It also conforms to the requirements of the Federal Office for Information Security, says dena expert Moritz Schlösser. “We have found a technical solution that can make it from the laboratory into the energy system and can thus form a basic building block for flexible system use.”
Ensure the origin of a data set
According to Philipp Richard, the energy industry now needs initiatives to define criteria for standard data sets – and to attach value to the data sets. A lack of standardization is the bottleneck for the conversion of the energy system. The status of an integrated system can only be better recorded and tracked with uniform data sets. The proof of the origin of a data record is the basis, with the control and verification being carried out automatically.
Security expert Jens Trüker from the University of Bayreuth and the Fraunhofer GIT sees a “great willingness” among energy companies to introduce digital identity registers. He is confident: “The potential interest will be there very quickly when you see how much money you can save with it.” He sees the further development of the master data register in the larger context of register modernization. The Federal Ministry of Economics (BMWK) is currently building a hydrogen register, a heat register and a certificate of origin register, which “have nothing to do with each other today,” says Trüker. “That can not be.”
The German Energy Agency has dealt with several security topics in the energy industry in recent months: The innovation report Enercrypt on behalf of the BMWK deals with how master data and communication channels can be cryptographically secured and how security standards can be further developed. The follow-up project EnerCise strives for the practical implementation of international cooperation between security experts and German network operators through two cyber security exercises. The agency is also setting up an “industry platform for cyber security in the electricity industry”.