The simulated hack took place in the Netherlands and was organized by the European Network for Cybersecurity for members of the European Network of Transmission System Operators for Electricity, or ENTSO-E.
Both the hackers and the defenders were real employees with key responsibilities within Europe’s power systems. The group was a mix of job titles and skill levels, including SCADA engineers, IT systems administrators and two chief security officers.
And the key take-away for PEi reporter Tildy Bayar was that no matter how good the cybersecurity defences in place, employees must also learn the skills to use them effectively.
Rene Marchal is a former chief security officer at Dutch grid operator TenneT who is now seconded to The Netherlands’ ministry of justice and security. He is also chair of ENTSO-E’s working group on critical systems protection. In the process of helping to organize the training, he said he had been surprised by the average IT employee’s lack of cybersecurity awareness.
"I was surprised at how much less [IT employees] relate to securing the network or IT process against malware attacks. I thought before that it was more integrated in their mindset," he said.
"There is a really huge difference between keeping the system running and defending the system," he added, "and it’s a little bit uncomfortable to think that your system is under-teched. As Churchill said, ‘War is too important to leave to the military’, and cybersecurity is too important to leave to the IT department."
Marchal says the RTBT training is "not for cybersecurity experts, but for management to get a better understanding" of cybersecurity issues.
"Especially for higher management in key positions to make investments," he says, "they should know what the risks are. In the old-school world it was less complex, and easier to overview the risks. Now we say ‘It’s so complex, leave it to the experts’ – cybersecurity professionals rather than everyday employees – but there’s a risk to that.
"Management is ignoring these risks a little bit, and is therefore not willing to spend the money. And because knowledge is so weak on digital processes, we are still dependent on experts," he says. "So this course is a wakeup call to get little bit of awareness and learn about the vulnerabilities, but also to create commitment so people will go back to their home base and spread the news.
"Part of the coin in an efficient and hyperconnected world is that you also become more vulnerable, and if you don’t compensate it can be a nightmare."
Anjos Nijk, ENCS Managing Director, agrees. Those who attend the training have, on average, only 30 to 40 per cent of the skill level needed to successfully avert a determined cyberattack, he says, and the main goal of the training is "to build this knowledge".
The course also aims to get people with engineering histories and those with IT backgrounds talking to each other. "We have to bring them together," Nijk says, as both skillsets and kinds of knowledge will be needed in an attack scenario.
To read the full article, click here
YOU’LL ALSO LIKE: Cybersecurity: How utilities can prepare the next generation smart grid