Cyber security and the energy Trilemma – Part 1

With the energy sector already in crisis, how then should it deal with the growing risk of cyber threats?

In this three part series, Martyn Ruks will be looking at how cyber security relates to the current energy crisis, the perils of ignoring potential cyber-attacks and also some practical advice on how to incorporate security into your smart energy projects.

Introducing the Energy Trilemma

According to the now widely-cited 2012 report from the World Energy Council, the energy sector is facing a ‘trilemma’ – The three conflicting problems of securing future energy supplies for all, reducing our global carbon footprint, all the while ensuring that consumer bills do not rise.

Eon Trilemma

[Source: E.ON]

Philosophers simply describe a trilemma as a choice between three unfavourable options. But economists call it the ‘impossible trinity’: a trade-off between three goals, in which two are pursued at the expense of the third. But when it comes to our energy supply, we simply cannot afford to fail at any of the three challenges.

Why does cyber security matter?

When the wellbeing and livelihoods of everyone on Earth are affected by these fundamental issues, it’s easy to understand why cyber security often lands a little further down the list of priorities.

However, as a leader in the field of cyber security research, we believe that the failure to address it could have a wide ranging impact, and potentially undo a lot of good work being done to solve the energy crisis.

Every day we see increasing evidence of highly skilled groups around the world executing highly sophisticated cyber-attacks, many of these with the effectiveness needed to cause significant effect to energy supplies.

We understand that this may sound a bit alarmist, after all, why should we worry about a seemingly nebulous and intangible threat when the trilemma looms large over our industry?

The rest of this article will seek to address the cyber issue by looking at each component of the trilemma:

Challenge 1 – Ensure the security of energy supply

Over the next three decades, world energy consumption is projected to increase by 56 percent, driven by growth in the developing world, according to International Energy Outlook 2013 (IEO2013). The primary challenge in this space is ensuring we have enough generating capacity to meet our energy needs.

Understandably this requires a level of investment we need to finance our new power stations and then to deliver them in time to meet the consumer need.

Globally, the energy industry is in need of significant investment. Upgrades and replacement projects are needed throughout the energy infrastructure of both developed and developing nations in order to keep pace with consumer demand, technological advances and legislation.

The investment need

The drive to decarbonise future electricity generation has left many developed nations reliant on an ageing oil & gas infrastructure. Investment is needed to replace these traditional technologies, but post the economic downturn availability of funding is not matching demand.

For the energy sector, one of the few positives of the economic downturn was that the reduced market for goods and services meant energy demand was lower than initial projections. This gave many countries time to enhance their renewable generation base, but despite this, it is widely acknowledged that a generation capacity shortfall is imminent. Across the developed world, many assets are due to close in the next five years with no immediate abilities to replace this lost capacity.

The rapid growth of emerging market nations, such as China, India and Russia, has placed a great strain on their energy infrastructure. To support their growth, these nations have tended to commission a mix of renewable, cleaner gas and nuclear powered generation assets – all needing investment.

As more developing nations eye up global economic opportunities, so a similar strain will be placed on their energy infrastructure, requiring the need for yet more investment.

So why does cyber security matter here?

When it comes to risk, most people might only think of cyber-attacks being used to cut the supply or affect infrastructure, which is of course very important, but another major impact is the damage to confidence in the investment community.

The stakes are incredibly high when it comes to building power stations, with countries expending significant amounts of financial and political capital to secure their energy supply. So just imagine if someone is able to pull the plug at will – the whole process of sourcing funding could be undermined.

This, as you may imagine is a relatively new problem, with the new world of the Smart Grid providing a vast array of routes for potential attackers to infiltrate into energy supply systems.

Investors like stability and confidence. Cyber incidents create the exact opposite of these conditions and therefore any significant cyber related incident inside the energy generation or supply process could be a real threat to securing the level of investment that is needed in the industry.

So it should be clear that failing to deal with cyber security as part of our solution could leave us exposed in the first of the three issues in the trilemma. When we start to look at how we might meet this challenge it is helpful to turn to the second issue the industry needs to overcome.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.