Cybersecurity: a European challenge
Energy, 1 July 2019
Digitalization is revolutionizing our society, transforming human existence, business models and the relationship between authorities and citizens.
Focusing on the European context, data shows that in the different Member States EU citizens and companies have a different level of computer skills and, more generally, a different awareness of the advent of the digital age, accessing available digital services with a different intensity and interest.
The Internet allows people to connect worldwide and has led to the spread of a mass of smart devices for both individuals and businesses. However, this relatively new way of living (always accessible, everywhere at every moment) has resulted in many new problems in terms of security, and specifically cybersecurity. According to the WEO, cyber risks intensified in 2017, so much so that cyber attacks and massive data fraud appear in the top five perceived global risks. Cyber breaches have almost doubled from 68 per business in 2012 to 130 per business in 2017. The financial costs of cyber attacks have also risen over the last five years (+62%).
Recent cyber attacks have different and broader impacts than the incidents of the past decade. In 2017 alone, two major attacks involved WannaCry (in May) and Petya (in June). WannaCry hit, among others, the National Health Service in the United Kingdom, Nissan Motor Manufacturing UK and Renault. According to Cyence, the potential economic losses were estimated at $8 billion. Petya mainly hit Ukraine, where the Chernobyl Nuclear Power Plant went offline, with an estimated loss of $850 million. Cyber attacks have been changing in recent years. Until a few years ago, they were more focused (every week, a new retailer, healthcare provider, or financial institution lost its customers’ sensitive data), while now these attacks are more widespread, hitting, more or less simultaneously, several different companies and sectors worldwide.
From 2013 to 2017, cyber crime, cyber espionage and information warfare have recorded the highest number of attacks. Cyber crime has gradually increased from 53% to 76%, while hacktivist attacks have progressively decreased from 39% to 7%. Cyber espionage and information warfare increased in 2017 (by 47% and 24%, respectively).
Malware is the most widespread form of attack, accounting for a total of 787 million, of which 2.7% spread over the mobile network. Ransom attacks also increased, accounting for 12.5 million in 2017 (+226%).
European citizens are also facing the growing reality of cyber threats. According to Eurostat data, in the European Union, the share of Internet users having experienced certain common security issues over the Internet – such as viruses affecting devices, abuse of personal information, financial losses or children accessing inappropriate websites – was 25% in 2015 and is forecast to increase in the coming years if appropriate security measures are not implemented. Being infected by a virus or other computer infection was the main problem. In fact, slightly more than 1 Internet user out of 5 (21%) in the EU caught an online virus or other computer infection resulting in a loss of information or time. Moreover, security concerns prevented 24% of consumers from providing personal information to online communities for social and professional networking; ordering or buying goods or services online (15%); downloading software, music, video files, games or other data files (15%); carrying out banking activities online (14%); or communicating with public administrations across the EU-28 in 2015. Among European industries, financial services, manufacturing and telecommunications are the main targets of cyber criminals, especially in Germany, Belgium, Spain and Great Britain.
The European Union has put in place several initiatives in the European Member States to ensure data protection for European citizens (Regulation 679/16; the proposal for a regulation concerning the protection of individuals in the processing of personal data by EU institutions, authorities, offices and agencies, as well as free data movement; the proposal for a regulation on confidentiality and electronic communications; the proposal for a regulation of the European Parliament and Council on a framework for the free movement of non-personal data in the EU) and cybersecurity (the EU Cybersecurity Strategy launched in 2013; the Regulation on electronic identification, authentication and signature; and Directive 2016/1148 – the NIS Directive – the strategic plan for cybersecurity launched in September 2017).
Nowadays, cyber criminals are continually finding new ways to monetize personal information, and many enterprises and organizations have been blackmailed. Furthermore, for some companies, intellectual property and trade secrets are their most valuable assets, and they now find these have become susceptible to new and growing threats. The range of potential attacks and attackers is therefore widening by the day. New technologies, mobiles, and smart devices connected to the Internet of Things expose every organization to attackers. In an increasingly digitized world, cybersecurity has jumped to the top of companies’ risk agendas after a number of high-profile data breaches, ransom demands, distributed denial of service (DDoS) attacks and other hacks that have occurred in recent years. No sector of the economy is immune to attack; cyber criminals are increasingly targeting power grids, chemical plants, aviation systems, transportation networks, connected cars, telecommunications systems, financial networks, etc. Very often, cyber crime uses very simple tools and tactics, namely emails, to make a big impact and to damage companies. In fact, email is not just a communication tool but also one of the prime sources of threat for users and organizations. This threat can range from unwanted emails in the form of spam to more dangerous types, such as the propagation of ransomware or phishing campaigns.
The growing digitalization of the economy has also exposed the energy sector to cybersecurity risks. Utilities are increasingly exposed to IT risks, due to smart electricity networks with thousands of interconnected users. Like other companies, utilities are threatened by economic cyber risks (e.g. a hacker wishing to profit from an attack by diverting money to an account or stealing industrial information). However, the main concern for energy companies is cyber attacks that could affect electricity generation plants and transmission grids.
Although utilities were among the first companies to computerize, today the need for renewal has emerged. Many utilities use equipment that works very well from an industrial point of view but is obsolete from an IT point of view (e.g. old control systems).
Cybersecurity is becoming a priority in the energy sector, so much so that in 2015 40% of European energy companies had already formally adopted an ICT security policy. Among risks, energy companies are less worried by the unavailability of ICT services due to an attack from outside (e.g. a Denial of Service attack), with only 29% of European enterprises having formally defined a specific ICT security policy against this cyber threat, while 37% are concerned about data destruction or corruption resulting from an attack or unexpected incident.
Smart grids have huge potential in terms of safety, productivity, improvement of service quality and operational efficiency, despite requiring more care in terms of cybersecurity. A distributed energy system unquestionably has a higher number of potential vulnerabilities and access points. However, the effects and the impacts of possible attacks can be reduced and isolated to a specific part of the system. It is therefore crucial to establish an adequate security system, in order to safely carry information on the digital network and respond promptly to malfunctions and interruptions in the electricity supply. Due to the possible impact of a successful attack on consumer trust and the rise in security questions along the value chain, smart grids should be equipped with sophisticated protection mechanisms that can evolve rapidly and adapt to the continuous development of malware.
Thanks to the evolving energy paradigm – increasingly focused on a decentralized model and energy storage systems, as well as electricity producers and consumers, all working together through remote control and monitoring as virtual power plants – the energy cloud is becoming increasingly important. Supported by technological progress, it encompasses platforms to enable the matching of traditional market players and customers.