Wolfgang Loew, CISO at EVN, reflects on the importance of robust cybersecurity in the energy sector.
Wolfgang Loew has been an active part of the ENCS network since his company, Austrian utility EVN, joined as one of ENCS’ early members in 2014. Since then, Mr. Loew has become CISO at EVN, joined the Assembly Committee at ENCS and worked with E.DSO and various EU bodies. International Security Journal caught up with him to find out more.
How long have you been involved with ENCS and what first convinced you to become a member?
We joined ENCS in 2014 – more than six years ago now! We weren’t founding members, but we were early to join the network as even back then we could see the need for partnership on cybersecurity and a secure environment where we could work together with others. In particular, we wanted to work with specialists for testing and implementing network components and we needed to do so in a trusted environment.
What major projects have you worked on with ENCS over the years?
Over six years, we have done a lot together with ENCS. The network supports us on various projects, with consultancy, with penetration testing – this is a completely different, hyper-specialised discipline as opposed to everyday website penetration testing, so you absolutely need to work with specialists. For example, you have the smart meter roll-out, which is a challenge here in Austria as it is across Europe. ENCS assisted us in setting the security requirements for the components and then testing them.
Then there is the ‘network’ aspect of the network. ENCS helps provide that bridge to organisations like E.DSO and different EU bodies to ensure our thoughts and considerations are represented through decision-making at all levels.
Can you tell me a little bit more about the smart meter testing work you mentioned and how that has supported EVN?
Of course, this is probably one of the most important projects we’ve undertaken with ENCS. Obviously, the smart meter roll-out is happening, that is a fact. However, it’s essential that the whole system is designed, specified and procured with utmost care to prevent the introduction of avoidable security flaws. No cybersecurity is perfect, but when thinking about such a far-reaching initiative, anything less is unacceptable.
So, we worked with ENCS to shape the cybersecurity requirements that we issued to potential vendors – which is helpful to the vendors too, as it gives them direction. Then we worked with ENCS specialists to conduct rigorous on-site penetration testing before any orders were placed.
We take this approach with other components too, of course, such as RTUs. It may sound onerous for the vendors, but actually it is very collaborative. We can even involve them in the testing process so that issues can be fixed and, ultimately, we are all working towards the same outcome: a secure grid.
These projects have allowed us to purchase components, such as smart meters, with confidence and feedback has been positive so far from all stakeholders.
In 2018, you became a committee member for the ENCS Assembly committee – can you elaborate on why you decided to take on that role?
At that point we had been working with ENCS for four years and both myself and the broader EVN leadership were fully convinced of the model: a non-profit organisation representing the cybersecurity interests of the industry. We stood behind the idea of ENCS and it was clear that ENCS was important to us as an organisation. As such, it was important for us to have a say in the direction ENCS would take. We felt we have a lot to offer the network and wanted to help define the strategy behind ENCS.
What benefits do you think you contribute to the ENCS network – both as an individual and an organisation?
As a network organisation, ENCS derives its strength from its membership base and we are proud to contribute to that. EVN is a true multi-utility provider, covering electricity, water, heat, gas, etc., and we have intel staff that can add knowledge and experience from across all those different types of network. EVN has historically been a forward-thinking utility on the topic of cybersecurity.
Personally, I can assist the network with my contacts across Europe. Aside from work as part of ENCS, I have been part of various projects and working groups at the Austrian and European levels, including work alongside ENCS on the basis for the network code for cybersecurity, giving me very good contacts. It’s important for ENCS to have those connections at a senior level to do its work effectively and by becoming an Assembly Committee member I aim to bring that to the table.
While some people still seem to think of cybersecurity in energy as a new thing, you have been involved in this for a long time now. Can you tell me a little about your broader cybersecurity work with EVN and E.DSO and how this all fits together with ENCS?
EVN has always been good at prioritising security and we take the topic seriously – we have to in order to provide services our customers are expecting. Take smart meters – the project most visible to end customers. There is a breaker unit involved, meaning a threat to security of supply and GDPR-relevant data, meaning privacy concerns. That’s two hugely important cyber threats in one component; we see no choice but to take that seriously.
For my part, I first touched on energy cybersecurity during my bachelor’s degree and then really dived into it during my infosec master’s. After completing my studies, I found the infosec manager position at EVN. That was in 2012; I became CISO in 2015 and that’s my personal journey in the sector.
We can’t speak to you and not ask – how has the pandemic changed things regarding cybersecurity in the energy sector?
Like a lot of industries, ours has had to cope with the abrupt shift to working from home. At EVN, we were fortunately already more or less prepared for that, but obviously needed to scale up the infrastructure to allow for everybody doing it at once.
In terms of materially new threats, there has been a noticeable rise in phishing attacks across the sector, taking advantage of people working from home and communicating 100% digitally. In a way this has underlined a message we have been repeating for years: that security is a mindset, not a function and the responsibility of everyone at the company, not just a few of us in infosec and IT. This will only become truer as companies move more infrastructure into the Cloud. It’s a problem for COVID-19, but also for the future.
Speaking of the future, what do you think it holds for the energy world in terms of cybersecurity?
I think the pace of change is really going to accelerate. You have the ongoing migration to the Cloud, which I mentioned, but also broader digitalisation challenges. You see more products and services popping up for controlling energy consumption at the grid edge, for controlling grid components too – all of these trends bring vulnerabilities and as a sector we need to keep up with them and work together to define security requirements, architectures and so on. ENCS will be a crucial part of this, along with the Network Code Cybersecurity.
We can also expect movement on regulations at various levels. The NIS Directive will be reviewed and national NIS laws implemented – this will create a lot of areas where we envisage working with ENCS throughout the next year.