The energy industry is undergoing radical changes. Application of the Industrial Internet of Things (IIOT) is expanding rapidly, equipment is becoming “smarter,” and lines between the digital and the physical are becoming increasingly blurred.
Yet when it comes to power grids, rapid digitization across much of the energy industry has proved to be both a blessing and a curse. While it has provided vastly enhanced efficiency, hardware digitization has also exposed power grids to new cyber security risks which could result in large-scale disruptions. To mitigate these risks, one needs to look beyond superficial quick fixes and consider how decentralization might strengthen our energy security for the long haul.
The fundamental structure of power grids has hardly changed in a century. Historically, power came from large plants driven by fuels such as coal or gas, and the construction of long transmission lines ensured that electricity could reach consumers even in distant locations.
Only as energy demand grew and new-generation sources such as wind or solar became popular did the power grid experience some changes. Yet the centralized design of the grid remained virtually the same.
In recent years most electricity providers embraced digitization and gradually began to rely on sophisticated industrial and supervisory controls and data acquisition systems, which were often designed with performance, not security, in mind. Much of this hardware was then connected to the IIOT, which boosted efficiency and cut operational costs, but also increased its vulnerability to hackers.
A number of high-profile cyber attacks against power grids in the past few years have highlighted the magnitude of gaps in security.
A number of high-profile cyber attacks against power grids in the past few years have highlighted the magnitude of security gaps
In 2015, a hacker group managed to take down an electricity distribution grid in Ukraine, leaving 230,000 customers in the dark for several hours. A year later, another cyber attack successfully compromised the Ukrainian power grid, took control of some of its industrial control systems and cut a fifth of Kiev’s power for about an hour.
Even more worrying, in 2017, Germany’s National Cyber Defense Center warned that a series of successful cyber attacks against German energy providers could potentially create a “domino effect” and not only take down Germany, but also affect the entire European power grid.
This does not necessarily mean that power grid infrastructure is teetering on the brink of an imminent hacker-induced meltdown. Many grid operators run highly advanced cyber security protocols and often have sufficient redundancy to withstand component failure.
Yet despite these security measures, power grid architecture remains inherently fragile. The risk still exists that a single powerful cyber attack could slip through the net, infect the operator, take down the grid and cause havoc across the board.
This suggests a need to go beyond the all-too-common “patch and pray” method and start considering how to make fragile centralized systems more resilient to potential shocks.
Gradual decentralization of power grid architecture through the introduction of micro grids could potentially address the problem. Micro grids are in essence scaled-down versions of the regular power grids that in combination with distributed energy generation units are often used to provide power to remote areas where centralized supply is lacking. In addition to working independently from the main power grids, micro grids can also operate in parallel with them.
Given their capacity to operate independently from the main power grid, micro grids can provide enhanced energy security in the event of a cyber attack. If an attack manages to take down the main grid, a micro grid can disconnect itself from the main grid and, by relying on local power generation, continue to work relatively unharmed. Therefore, if micro grids were introduced on a large scale, the overall power supply architecture would become less fragile and better equipped to withstand potential shocks.
While the mass adoption of micro grids is no cure-all since they remain vulnerable to cyber attacks, decentralized systems are far more resilient than centralized ones thanks to the nature of their design. It is much more difficult to simultaneously infect and take down hundreds of micro grids than a single centralized grid.
The remaking of well-established energy infrastructure would be a herculean task, which could take years if not decades to accomplish. Any such discussion is bound to unleash a torrent of questions linked to regulatory matters and funding issues.
Therefore, any potential steps toward greater decentralization of power grids would have to involve a wide stakeholder base, including governments, the private sector and academia. Furthermore, any hardware improvements should be matched by complementary software upgrades.
As the energy industry continues to embrace digitization on an unprecedented scale, it is almost inevitable that cyber attacks will pose an ever greater threat to energy security. Fortunately, when it comes to power grid security, the benefits of going small might prove to be very significant.
Lukas Trakimavičius works at the Economic Security Policy Division of the Lithuanian Ministry of Foreign Affairs. Previously, he held several positions at NATO, where he worked on energy security, arms control and non-proliferation. The content of this article reflects the author’s personal views.