Energy & cybersecurity

Cyber-attacks in the energy industry

Renato Sesana

Innovative trends, such as the increasing relevance of renewable sources and the wider use of ICT to manage the whole energy supply chain, together with the fact that energy production and transfer infrastructures are among those considered “critical” on a national level, make the energy industry an increasingly appealing target for possible cyber-attacks.

The energy industry has been evolving fast for some years, mainly following the rise of so-called “prosumers” (i.e. companies, businesses and families that play the role of both energy consumers and energy producers). This implies an exponential growth in the number of players connected to the network, the majority of them small-sized, and consequently an increase in potential targets for attacks and a higher probability that such attacks succeed.

As regards cybersecurity regulation, there are no specific directives focussed on the energy industry; reference is therefore made to more general rules, particularly those on the protection of “critical infrastructure”.

The Cybersecurity Report 2018, presented in Milan on 12 July by Politecnico di Milano university, shows some interesting data.

In particular, it shows the estimated damage from a possible cyber-attack that would cause a 10% decrease in solar and wind power during the annual hours of operation. In this event, the annual decrease in power production would amount to about 2 TWh, equal to:

  • 4.9% of annual power production from solar and wind power plants
  • 2% of power production from renewable sources
  • <1% of national power production

It should be noted that, in this case, Terna would have to increase energy volumes traded on the Ancillary Services Market (MSD - Mercato per il Servizio di Dispacciamento), thus determining an increase in expenditure for the community, equal to about 264 million Euros.

Other interesting data emerged from the survey carried out on end users (93 out of 700 actually answered), who are the last link of the chain, with particular reference to the industrial sector.

How relevant is OT (Operational Technology) cybersecurity?

  • 52% very relevant and perceived
  • 48% not much perceived but increasingly relevant
  • 0% irrelevant now and in the future

Have you carried out any investment in OT cybersecurity?

  • 77% no targeted investment has been carried out
  • 23% investment has been carried out

It is therefore clear that, although OT cybersecurity is an issue of great interest, adequate investment is not being made.

Further interesting data come from the answers to this question: “Should it be necessary to replace a production plant or choose a supplier or a new solution, is OT cybersecurity performance evaluated?”:

  • 39% no, they are not taken into account
  • 51% yes, they are evaluated but do not represent a critical driver
  • 10% yes, they are evaluated and represent a critical driver

In conclusion, OT cybersecurity is not yet a strategically critical issue for businesses. Consequently, both the level of investment carried out and the maturity of cybersecurity governance systems are very low.

For further information or insights, please contact Renato Sesana.
