Anjos Nijk is the current Managing Director of the European Network for Cyber Security (ENCS). Based in The Hague, and founded in 2012, the ENCS is a non-profit member organisation that brings together critical infrastructure stakeholders and security experts to deploy secure European critical energy grids and infrastructure.
ENCS has dedicated researchers and test specialists who work with the association's members and partners on applied research, defining technical security requirements, component and end-to-end testing, along with education and training. The ENCS serves as an important point of crossover between the Information Technology of the enterprise world and the Operational Technology that predominates in national and international power infrastructure.
In 2018 the ENCS completed the first course of a training programme designed to help cyber security architects design secure smart grids, looking at risk-based architecture design and IT/OT interface design. “There are many measures from the IT world that are applicable to OT systems,” Nijk said at the time. “Using too many measures will cause high investment costs and may make the system hard to use; [but use] too few, and the system is vulnerable. Assessing that balance requires thorough understanding of the systems and risks involved.”
In addition to his ENCS duties, Nijk is a member of the Steering Committee of the Smart Grids Task Force of the European Commission Directorate-General for Energy, a member of the Cyber Security Expert Group, and ENCS liaison with several key European associations, which include European Distribution System Operators (E.DSO), the European Network of Transmission System Operators (ENTSO-E) and the European Utilities Telecom Council (EUTC). (Interview conducted March 2020.)
CSE: From the ENCS’s perspective, how well do European states compare with each other in regard to the cyber security readiness of their respective energy infrastructures?
ANJOS NIJK: The diversity in culture, legislation and technology deployment in European nation states is reflected in the security readiness of their energy infrastructures. This diversity provides the opportunity to identify and deploy the best practices. The NIS Directive introduces a degree of harmonisation by fostering a baseline security for operators of essential services, including Europe's big energy grid operators. But other infrastructures like wind and solar farms and EV charging infrastructure, which can have a big impact if compromised, are out of scope. This needs to be addressed, and support is needed for initiatives fostering best-practice deployment and implementation through collaboration and harmonisation.
CSE: Do you see evidence that non-technical chief executive officers and directors in European energy utility companies are acquiring greater responsibility for the cyber governance of their organisations?
AN: Yes, we see a clear increase. This was initially driven by the need to prevent incidents similar to what happened to the Ukraine power grid, and now by the broad implementation and certification of Information Security Management Systems driven by the NIS Directive. Also, the growth in ENCS members has been a clear indicator of the strong commitment and investment of European grid operators in security skills and capacity building. By now it is quite common for CEOs of grid companies to refer to cyber security as a top priority in keynote speeches.
CSE: What are the main ways recent European legislation such as GDPR and the Cybersecurity Act (2019) has affected energy utilities in the EU regions?
AN: GDPR has resulted in the appointment of specific responsibilities for data protection and governance structures in utility organisations. The Cybersecurity Act mandates ENISA to prepare certification schemes for ICT products, services and processes, also in the energy sector. But certification schemes that have been effective in other domains have not been designed to address the specific needs of electricity grids. Electricity grids have a unique mix of legacy systems and new technology, real-time requirements – you cannot switch off the grid when there is an incident – and cascading effects. Close collaboration between domain experts and regulators is required to create a scheme that addresses security effectively.
CSE: You have made the connection between good cyber security management and competitive advantage in the energy industry. In other vertical sectors these two factors have been linked for a long time. Is it fair to say that Europe's energy utilities are somewhat behind the curve in their understanding of the connection?
AN: I think that it is fair to say so. The energy industry only recently got exposed to cyber threats and started addressing them within its context of high investments, long cycles and regulatory framework. Industries like finance and telecoms have had a much longer history and higher volume of cyber incidents and, consequently, they have higher maturity in organisations and technology. But Europe's energy utilities have identified the opportunity to build on this knowledge and are rapidly improving through collaboration to share knowledge and raise technology security levels.
CSE: You have pointed out that closing the skills gap is crucial to cyber preparedness for Europe’s energy supply and delivery sector. Is it in fact harder to recruit cyber security professionals who are able to understand the special nature of that sector’s infrastructure and also of its Operational Technology (OT)?
AN: Yes, it is, due to the requirement to master both security and OT technology and operations before you can effectively contribute. Grid cyber security is rocket science. Experts with only IT security knowledge can already choose any job they like and earn big salaries, so why bother to make the effort to start as a junior again? The same goes for a network engineer starting to work in security. Luckily, there are also people who get motivated by the intellectual challenge.
CSE: ENCS uses members to work on projects that all members share. How often do non-technical senior executives from member organisations get directly involved in these initiatives? And what are the key benefits?
AN: In the ENCS we have various levels of engagement. Non-technical board-level executives participate in ENCS Strategy Assemblies, the Assembly Committee and the Strategic Advisory Board. This assures strong C-suite involvement in setting ENCS strategic direction and governance of the work. Benefits are two-fold: connecting ENCS more strongly with the grid community and European groups, as well as assuring budgets and support for the member projects and the ENCS work programme.
CSE: The ENCS member project for 2019 was ‘Information Security Management’. Are you able to briefly explain how that project progressed? Can you also say what its key outputs will eventually be?
AN: It was one of the member projects; we also had a member project on procuring secure equipment, and we started [projects on] substation automation security and hardware security. The objective of the ISMS member project was to gather and share best practices in implementing an ISMS, so that ENCS members can adopt and benefit from these best practices to create a first ISMS or improve an existing ISMS. An ISMS best practice guide was published on the ENCS portal, and an expert group was established that will continue as an ENCS roundtable fostering ENCS members' ISMS implementation.
CSE: You have said (in a March 2019 interview) that, in terms of bringing about effective change in cyber security readiness and awareness, the focus should be much more on the facilitation of initiatives that deliver ‘concrete’ results. Can you briefly explain what kind of results you had in mind in that particular context?
AN: Concrete results are, for example, security requirements sets that can be used at procurement, testing methods and tools to verify the implementation of the requirements, role-based training such as designing secure architectures and secure configurations, vulnerability reports and everything that grid operator staff require to manage their grids’ security. Besides creating the content, it is important [for the ENCS] to support grid operators in implementing and using it.
CSE: If a cyber-aware CEO from, say, the finance sector, were to move across to a role in a European energy utility, what cyber security cultural differences do you expect they would encounter?
AN: They would certainly have to learn and appreciate the specifics of the grid, the different nature of the cyber risks and the culture of a technical organisation managing a very complex system, incentivised and evolved to operate the system within tight margins of system availability and security of supply at the lowest cost. This implies a culture of risk averseness, long-term planning and compliance with regulatory demands. The challenge will be to build and maintain the skills and processes capable of dealing with the short cycles of digital technology.