Centralized energy transition, being a driver
for resilience and cybersecurity. The energy
transition is making energy systems more complex.
The integration of renewables are challenges.
Digitization can help us tackle challenges.
Raising questions with resilience, cybersecurity
and data protection. We need to increase the
flexibility of the. Artificial intelligence
and the Internet of things can make the infrastructure
work smoother. By harnessing these technologies,
there might be a case for the transition itself.
It can be a driver for resilience, cybersecurity
and data protection.
Thank you very much. I think this was a very
good introduction and kind of a hypothesis
we want to test here now on the panel. If
a decentralized system can build resilience
in cybersecurity. To cover this topic, I have
a very interdisciplinary and diverse group
of experts here which you need to really,
you know, work on the intersection of security
and the energy systems. So, right next to
me is the minister of entrepreneurship and
information technology of Estonia, Rene Tammist.
He's been also the head of the Estonia renewable
energy association and brings in energy transition
where Estonia is really quite far here already.
Welcome and I'm glad you're joining us on
the panel. Then we have Professor Trbovich.
The cofounder of GridSingularity, a blockchain
venture and on the governing board of the
European institution of technology. She's
led efforts in public administration, but
also has the technology knowledge. She's our
blockchain and policy expert here. Welcome
from my side as well. Then we have Dr. Giovanna
Dondossola. She's a leading scientist at the
Department of transmission and distribution
technology of the company RSE in Italy. She
leads projects on cyber risks and smart grid
communications and responsible for power control
resilience testing. She will give us an overview
on what are cyber risks and electrical control
systems. So, thank you for joining here as
well. Then we also have cyber threat and warfare
expert, Chris Kubecka. She's a security researcher
and author and CEO of HypaSec. She has extensive
experience on the ground dealing with cyber
threats. She's led the security groups in
Saudi Arabia. And faced a cyber operation.
She's our cyber warfare and cybersecurity
expert here. Then I also welcome Mr. Moser.
He's the head of security supply unit at the
European Commission, DG Energy. He's in charge
for the development and implementation of
energy security policies and also worked years
at the DG Environment on energy policy. So,
he can tell us about the challenges of EU
security policy and he's an energy and security
expert. So, thank you for joining as well.
And then last but not least we have Dr. Georgieva.
She is the government affairs and public policy
manager at Google in Belgium. She has a doctorate
in law from the University of Enna and has
extensive experience working on cybersecurity
policy. She brings in the IT security expertise
from Google, helping us out finding solutions
for some of the challenges. So, before we
get into the discussion, and I'm taking a
breath because six panelists is quite a lot.
We have the opportunity, also, for your participation
via Twitter. So, there is a QR code, apparently.
Somewhere. I think you're seeing it. I'm not
seeing it from here. Where you can pose questions
and take part. The goal is to have a discussion
for maximum 60 minutes and then really leave
room for your questions and comments as well.
So, to kind of lead us into the discussion,
we saw in the video it was kind of posing
like the decentralized system could be could
have opportunities for cybersecurity. It could,
you know, build resilience. But first when
we talk about this as a solution, I would
pose this question to you, Minister Tammist.
What does this decentralized system look like
and where do you think it could help us increase
cybersecurity or resilience in general. Yeah?
Yeah. All right.
Yes. Dear fellow colleagues. I should perhaps
mention also from the introduction, although
I am a minister of IT in Estonia, I have a
background from the energy sector. And then
also being quite familiar with some transitions
there also from the IT side. But thank you
for having me here. Estonia is called by Wired
Magazine the most advanced digital society
in the world. And this is for the very good
reason because digital solutions are embedded
into our society, into our private sector,
into our government sector. And when it comes
to energy, it's no different. So, we are really
trying to identify solutions to be applied
also in the energy sector. Currently with
the transition we are having undergoing is
you have so, with these, these organization,
decentralization and thirdly and have a lot
of importance to the first two. Then perhaps
to some extent we haven't paid so much attention
to digitalization and I'm very happy that
we are doing this here today currently. So,
I think it's very important. So, we realized
that with decentralization and organization,
we needed more smartness. More smartness into
our grids, into our meterings. We need more
data. But then what happened with this data
is the question. So, from the regulatory point
of view, we have a verdict over the years
at the European level to realize the free
flow of energy to have a full integrated internal
energy market. And I myself have contributed
towards this aim quite extensively in my previous
career. Also, as a member of the administrative
board. But at the same time, we have a problem
with free flow of data. And this is not only
with the energy sector. But it's, of course,
the boards and different domains. And so,
what we are trying to do here in Estonia is
to really focus on the solutions that enable
us to utilize data and to make sure that the
digitalization in the energy sector also happen.
So, I bring just a few examples from Estonia.
One of them being the case of wind power.
It's an Estonian company trying to create
a market to trade directly between energy
producers and consumers. Usually large energy
consumers and to utilize blockchain technology
in order to enable that. So, they are tokenizing
the energy bits and then enabling the long-term
power purchasing agreement between the partners.
And so, this is one example that is now being
tested in Australia and the company is eager
to try these solutions elsewhere as well.
Important bit, having here discussions and
having listening here these discussions is
how to make sure that there's third-party access
to the data. And this is, of course, important
in order to enable different services to be
offered. And in this regard, we have a verdict
in Estonia and I myself in my previous career
have contributed into this project trying
to create data chains platform. And to make
sure that different data feeds into this platform
and then it's possible to use it with explicit
agreement from the consumers for the offerings
of different services. And at the moment,
TSO is advocating this platform for the European
benefit. And all the partners who are interested
in this are more than welcome to join.
All right. Thank you so much. I think this
already gave us a good overview on, you know,
we need free flow of data. If you're digitizing.
But this may bring also, you know, security
problems and questions of ownership and access
and, you know, preserving the integrity of
data which is important from also a cybersecurity
perspective. I would I think I would put back
that question on a pan-European one because
I think this is something we should discuss
later on as well. But I would first put a
question to you as a blockchain expert.
What do you see the role of blockchain playing
in the digitalization and the decentralized
system? Especially with all this vulnerable
data that is being created and used through
that?
Thank you for having me here, as we prepared
for the panel I was asked to think about the
new threats. What do you mean by new? I realized
I'm in a prejudiced mode because in blockchain,
things change every day. For us, if it happened
two years ago, it's ancient. And the new cybersecurity
threat is two or three. Or a few years old.
All relating to this new IoT system that we
live in now. And again, I understand that
blockchain is still a hype. I saw an advertisement
for a blockchain security conference with
the byline, blockchain is the new black. So,
why the excitement? And, you know, what is
the value in this excitement? It's that it
really brings trust to the device level. So,
it creates trust among devices. And therefore,
decreases some of the vulnerabilities. It
is also a system that is by design distributed
and therefore you do not have a single point
of failure. And I even read most recently
that NASA started using blockchain to protect
itself against this type of attacks. So, it's
a technology that you use to combine with
other technologies. In the example just given
by the transmission operator, they designed
a wonderful system that builds on the platform
of everyone having a digital ID and being
able to with this platform to try to seek
a better service for their household. And
they are able to show some of the data that,
you know, their consumption data based on that
and get an offer from a different provider.
The and discussions right now is exactly,
you know, where is that data being held and
why is it in one server? So, if you add blockchain
on top of that service, you are no longer
holding data in one server and you are able,
as a as a person who, you know, who owns that
data to withhold that data in a more secure
fashion. So, it is really an enabler technology
that you would add on to other systems that
you have. What is really interesting about
blockchain's authentication is it asks all
the time, you know, what is your identity?
Sometimes, where are you? At what time are
you doing this? And therefore, if you want
to increase the level of trust in terms of
what the identity is, you can program that.
So, smart contracts in a blockchain are nothing
but programs that say, you know, if A does
this and B does that, then C happens. You
can program into blockchain automatic processes
to ensure that there is sufficient knowledge
all the time about who is connected to the
network, how, and what are they allowed to
do on the network? And I'm talking off-grid
as well as, you know, grid balancing part
of where blockchain could be very, very useful.
There are a number of uses really to boost
cybersecurity. The vulnerability remains always
the same with blockchain or any other technology.
It's the point of entry. For example, we have
developed a toolkit which helps track renewable
energy production and you can issue certificates
online. You can trade them and do this in
a highly trusted manner. If you can do the
same with tracking pollution, you can't, then
rely on other sensors that are less secure.
Less accurate reason I would say. We just
had a conversation about oil tracking. Where
does this oil come from? What's happened to
it in terms of processing? There you have
to rely more on sensors and even humans to
enter some of the data. And there you have
the same problem with or without. With blockchain
you add automation, add device-level interaction,
distribute the access points in a way that
you make it more secure and not less secure.
So, it's a technology that's really well-designed
for an IoT distributed system. I'm not only
talking about energy; I'm talking also about
all the other industries that have to authenticate
the provenance and standardize. Just leave
it at this for now.
Okay. So, yeah, thank you very much. Now we've
got a good overview of also maybe how blockchain
can be a solution for some security problems.
But I feel like we wouldn't really sit here
if we could solve everything with blockchain.
So, now I'm posing it to you knowing, you
know, maybe some of the cyber risks that we
are seeing also control grid control systems
and other things, you know, in the energy
sector that have been digitized. Could you
give us an overview on, you know, what are
the risks you're seeing in and you're working
on and some of the challenges with that?
Okay. Thank you very much for your question
and for the invitation, of course. It's a
great pleasure to be here. And just for addressing
the question, I think that it's important
to focus on the topic of the event, energy
transition. And in particular if we considered
also the clean energy package. You all know
that there are three main that we can put
on the top of the clean energy package. This
is these are decarbonization, digitalization
and decentralization. So, of course, starting
from the first one, so, decarbonization, we
have to focus, of course, on the integration
of renewable energies in the energy infrastructure.
So, this means, of course, to have very different,
as we said, infrastructure. And also, to mention
that it is the European association of transmission
system operators involving all the TSOs in
Europe issued some calls that are strictly
related to the, for instance, one of the calls
is called system operation guidelines. And
it's just targeting the information exchanges
that are needed in order to operate the decentralized
energy infrastructure. And in particular,
they are defining the requirements for this
information exchanges. And for getting data
from the user, what they call the significant
grid users, available to all the stakeholders
that need such data. And all the stakeholders
means mainly TSOs, DSOs, distribution systems.
But also, with providers, for instance, for
targeting the future markets. And so, you
can understand that in order to identify the
write the operate digital solution of such
significant grid users, of course, we have
to identify sustainable solutions in terms
of topics involved in such digital solutions.
And most of the time if the sites of the grid
user is not big enough, this means that they
have to be based, for instance, on connectivity
that is provided by third-party operators.
So, this means that also this operator has
to provide reliable services and also, of
course, digital service providers such as,
of course, cloudbased services providers have
to provide reliable services for such information
exchanges. So, this all these, of course,
are priorities for connecting such distributed
energy resources to the main grid. And to
operate the overall decentralized digital
infrastructures. So, in terms of cybersecurity,
what does it mean? So, you know that in Europe
we have the information security directive
that is in place and in the different member
states. And, of course, this directive required
to identify which are the essential service
providers in terms, of course, also energy
operators and also digital service providers.
They are identified by the regulation to provide
the given level of security. So, of course,
cybersecurity capabilities. And those are,
of course, security postures. So, to implement
the appropriate security measures in relation
to the risks that have been assessed. So,
the risk assessment is a key driver for the
implementation of cybersecurity. So, what
can we say about the new risks of this decentralized
energy infrastructure? We said that if we
look at the architectural level, of course,
the attack surface is increased. Because
the overall decentralized system is much more
wider. And so, of course, if we assess the
overall risks, we have to include all the
different components and the different networks,
technologies that are involved in the operation
of the energy infrastructure.
Thank you. I want to pick up on two things
you said. So, one, first thing you said, well,
there are more and more companies maybe also
IT companies moving in. And then that could
make it they could be entry points. We saw
recently in the US an attack where there was
a spear phishing campaign going to a company
that was a supplier of, you know, the primary
target and through that they would actually
access, you know, the primary target and then,
you know, that's where the ultimate cybersecurity
would be aimed at. Let's talk about this challenge
a little bit and also on, you know, on a meta
level, on a policy level, I'm going to point
you, Mr. Moser. And this directive says, you
know, you should identify what is critical,
what are essential services. But I find that
very very difficult in that way. And where
do you see, you know what was the thought
behind that, maybe? At the beginning on what
is critical? And then how could we deal with
this challenge from a policy viewpoint when,
you know, more and more suppliers and companies
are moving into this field. How can we, you
know, keep an overview, even, on what could
be potential entry points?
You need to start somewhere. Member services
are identified by the member state as most
important relevant services for the functioning
of a system. That's basically the expression
of proportionality. But, of course, the overall
system needs to be kept in mind. Also, outside
the essential services. Especially if they're
there can be an attack of many at the same
time who have similar features. So, I think
the message to the whole system, member states
plus stakeholders, is keep in mind the whole
system and not just some of the maybe the
most important users and services. And draw
the lessons and apply them also to the others.
That's quite critical. And quite important.
And there is no uniform application. It's
up to the member states to define what they
consider as essential. And I think that the
tool which is critical, and which is central
to all our efforts here, risk assessments.
Also, risk assessments need to be made with
an open mind on a regular basis. And whenever
something new happens in order to draw lessons.
And then you can decide whether you need to
adjust, for instance, even the nomination
as essential service provider. Or what other
lessons you have to spread to other parts
of the system.
All right. Well, thank you. So, we have a
little bit of an overview on some of the solutions
and also the cyber risks. But I think one
of the, you know, players that is still missing
is, what are the what is the threat landscape?
So, what are we actually looking at? Who is
trying to attack the energy transition and
what are we seeing? And so, I pose this question
to you since you had actually experience dealing
with a cyber operation that was aimed at an
oil company. Can you give us an overview on
the threat landscape? How serious is this?
And who is targeting us?
There's a lot of people targeting a lot of
different operators. The critical national
infrastructure of every country is indeed
unique, and it's decided by every member state.
Which can get a little confusing when there
is a major attack that can go from one country
to another. We're connected by our energy
grid and we also connect to other non-EU countries.
But European countries. Where their geopolitics
can also affect us. Good, for instance, there
was a continued conflict between Serbia and
Kosovo which caused a deharmonization in undervoltage
of the EU power grid and we lost 113 gigawatts
of electricity over an almost four-year time
period. And all the European system clocks
like on your microwave and your oven lost
up to six minutes of time because of undervoltage
caused by geopolitics. In the case of the
attack against Saudi Aramco, there were previous
attacks against the Iranian infrastructure
regarding uranium enrichment plants. There
was one, Stuxnet, and then flame, they had
a burning American flag on their malware.
In turn when in 2012 they attacked Saudi Aramco
with something called Shamoon, the variant
had a burning American flag. What was unique
about that particular attack was 20% of the
energy goes through Saudi Aramco. It's known
as the world's most valuable company. And
if you attack a company that has spiders around
the world, you can deeply affect markets more
than just in one country. So, we have to take
a look at the geopolitics that could affect
our energy in one area and realize that it
can actually affect our energy here. At the
time of the attacks, we were looking at the
possibility if Saudi Aramco went completely
down from the oil production, we could have
$400 to $450 a barrel of oil. And that would have
been devastating to a lot of economies. It's
very important that we look a bit more on
the broader picture because what happens over
there can deeply affect us over here. And
unfortunately, when there's money and there's
politics involved, those things are a target.
Very much so.
All right. Thank you. So, before moving into
some of the IT security solutions I want to
know at Google, I'm pretty sure they're receiving
lots of cyber-attacks all the time. I want
to first ask you in Estonia, you know, seeing
this also geopolitical situation in Estonia,
you know, has been the target of one of the
major cyber-attacks on a political IT infrastructure.
How are you preparing to, you know, for this
for such a scenario? What are yeah some of
your policies, solutions, practical solutions
that Estonia's looking at?
Sure. Thank you for this question. Indeed,
the more services we have online, the better
actually our cybersecurity has to become.
And this is, I think, very important to bear
in mind that each time when we are connecting
new services, new data, then especially with
the Internet, then we have to upgrade our
security systems as well. So, what we are
doing is we are really putting lots of attention
on to cybersecurity. And the way we have built
up our digital societies is on a distributed
basis. So, we don't have centralized databases.
But rather distributed systems which are connected
to one infrastructure. And I think this is
important also when we are considering the
European approach. So, how should we build
up this cross-border data exchanges to make
sure that we are building a resilient system?
So, you wrote an example of Estonia's case
from 2007 when we had a strong cyber-attack
against our systems. So, what we learned from
that is first we have to invest more into
our systems and we started to use blockchain
to protect integrity, security of our data.
So, actually at that time we had the term
of blockchain wasn't even born, I think. So,
instead we used the term of timestamping.
And the same technology actually is used nowadays
with our data chains platform. Which I mentioned
previously. And our files are actually used
in order to protect this with the blockchain.
So, indeed, so, we are building a resilient
system on the distributed basis. And I think
this is a good approach also when we are considering
pan-European approach.
Okay. Now, I would like to ask you, Dr. Georgieva,
as Google, you know, as a very innovative
company, how are you, you know, staying innovative
and at the same time keeping cybersecurity
in mind? What are some of the solutions or
experiences, you know, from a private company
standpoint with, you know, quite secure at
least what I have been dealing with networks.
Thank you very much. I think I don't have
to add something to what you just said. Thank
you very much for this invitation. It's really
amazing to be part of this very interesting
conference. And listening to all the very
interesting discussions in the last two days.
Indeed, we have protecting one of the world's
largest networks in a very connected world.
In a constantly evolving cyber threats I would
say is an issue, definitely. And I'll just
give you two numbers. We have like every minute
we prevent 12 million Spam messages to reach
your Gmail account. Every day we are securing
3 billion devices around the world with our
safe browsing antimalware system. The figures
are quite amazing, and we have a lot of products
and services with over a billion of users
and customers. Indeed, and that's why at first
security's actually in the middle in the center
of our thinking. Security was and still has
always been a very central topic which actually
drives our thinking. It drives our structural
thinking, our operations, our trainings to
which we are with our colleagues. And also,
the data centers and we have, of course, it's
security thinking is also part of our operational
and disaster planning. This is also, of course,
in order to be as secure as we are. Which
is still effect. That we have to think and
prethink security. So, I think in the last
few years security-based design is a very buzzword.
Actually, we have been we have been implementing
this principle from the very beginning. And
it's the question is, how you start to develop
and create the product? We have also I think
it's a very important that cybersecurity is
not a final condition. It's a constant process.
It's a constant it's a continuum actually,
a continuous and automatic protection and
prevention and reaction. So, we have actually
three elements to think about. We have, for
the just to give you some examples, we have,
for example, we protect we protect the data
with multiplied layers of security like encryption,
for example. HTTPS or transport layer security.
We have and this is what I'm always trying
to explain. We built in security. Or security
is a lot of we are aware there is a possibility
and that's why we tried to build in as much
as possible security. So, we all know that
cybersecurity is a very complex thinking.
So, for me, for example, I would say I'm probably
not a normal user, but still I don't want
to be bored while I'm using the Internet with
all the security stuff. So, I don't want users
to have a cyber degree. That's why it's all
the possibility building it in the security.
What is also very important is collaboration.
Collaboration with our competitors, collaboration
with NGOs and with civil society, with academia.
Very important. And maybe also to give you
an example with our cloud service. Because
why the it's a bit of an advertisement, I'm
sorry about that. But this is a fact, actually.
It's actually a very high secure environment.
You have to go back down to the hardware.
For example, we're producing our own hardware
chips for the cloud. So, this is where the
so-called Titan chip. We introduced it two
years ago. We have, for example we place around
it an invisible border called VPC service
controls. And also, the quest for transparency.
In the cloud you have an audit trail that
any time a Google employee is interacting
with your data. So, I think these are measures
where you can put in place with cybersecurity.
And I think what I've also mentioned is even
if you're building the best cybersecurity
in place, it's still there is a little less
for users where you have to code cyber hygiene.
It's kind of where you're brushing
your teeth. It's kind of a reflected or wash
your hands before eating. I just remember,
there was a thing, there was an alarm about
fortunately it was a false alarm about the
tsunami. And there was a very interesting
picture on the Internet. It ran around like
when the security expert was explaining everything.
And behind him was the computer with the Post-it
with his password. It's the kind of thing
that happens which these things we can't prevent.
We offer a lot of tips and tricks for security
trainings and also for users. It's kind of
a whole complex program. You have to think
about it. And again, it's a collaboration
and everybody has to take care of it. But
also, a huge responsibility from people offering
the services and products.
Okay. So, what I took away just from this
kind of first round of really looking at the
subject of decentralization and resilience
is there's not really one solution. And I
my personal hypothesis is decentralization
in general could create some better security.
But it's not, you know, it's not going to
fix all the cyber risks and cyber threats
that we are facing. So, if we are, I think
and also one of the things which kind of came
out is there's not one actor that is gonna
solve it. Let's talk a little bit about that.
As a political scientist I'm always interested
you know, there's a new challenge. What does
our system do and what do private companies
have to do and the user and how do we get
them to do certain things? Quick response?
Yes, very quick response. Another is sharing
your learnings from a threat. If you go through
the public and share all this. I think this
is kind of our, in the cybersecurity community
there is a lot of ongoing exactly platforms
like this where for or us where you can exchange
this. And I think you mentioned in the directive,
since having a past on the public sector.
I think they created the network which is
a very interesting technical bless you it's
a technical, national and governmental are
cooperating with each other and talking with
each other. I think this is the most important
stuff. Talking to each other.
Thank you.
I would like us to distinguish between, you
know, being careful and responsible when it
comes to security. And still innovating, right?
Because if we demystify some of the attacks,
we will find out in the Ukraine, for example,
the system didn't have a two-factor authentication,
right? So, that's something you can resolve,
right? Without alarming everybody not to innovate
anymore and not to connect to provide additional
services.
But how do you get people to really implement
some of the basics of cybersecurity? What
are your ideas for that?
I think on one hand there are elements related
to grid management where we have responsible
parties if grid management and transmission
operators generally. I'm talking about agile
policy making now. That's the conference.
One of my favorite topics is the smart meter
or the so-called smart meter. Who in this room
thinks that the smart meter is really smart?
Thank you. You can get more accurate billing
with it, that's fantastic, right? And not
too exciting. But you can do so much more
with it. You can really work on the demand
side of energy. And you can really provide
flexibility with this device. And in the world
of blockchain where we are, and, you know,
my organization has built a global energy
blockchain-based platform for different applications.
For us, a smartphone is sorry, exactly a smart
meter is like a smartphone, right? So, if
you want to provide services that are that
go much beyond billing, you need to have a
connection to that smart so-called smart meter,
right? So, you need to have that option. You
need to have a connection to a SCADA system.
And there we need more agility among policymakers
to understand what is possible and why that
does not hamper security, but instead enhances
security of a number of services.
Okay. I will jump in here because this is
a direct kind of word attack on public policy
makers.
It's a proposal.
It's a proposal to be more agile. I'm going
to ask at the European commission, what do
you think about agile policy making and do
you think that there's maybe enough interaction
with, a yeah, like, newer companies and learning
about new technologies? Yeah.
We have a broad framework. Is it still the
first round? Okay. Because I haven't really
talked yet. So
You can go ahead and talk now.
Okay. So, I just would like to say that from
the European perspective there's a very large
effort to bring everyone together. Through
the NIS directive. But also, with a specific
efforts on the energy sector because we have
identified through dialogue with the energy
sector stakeholders that there are very specific
features of the energy sector. Notably real-time
requirements, cascading effects, but also
the technology mix. And there are several
forms of cooperation between the member states
and with the commission. So, the public sector.
But also, in relation to the private sector.
Where basically everyone is involved who needs
to be involved. It's, of course, important
that the big network operators are there.
But also, technology providers and also the
smaller players. For that we have a special
forum of information and analysis sharing.
The European energy ISAC, information sharing
analysis center. But there are also other
initiatives basically within the private sector
which interact with the commission and the
member states. We based on the clean energy
package which, of course, relies on digitalization,
we will bring forward a network on cybersecurity
which complements the efforts done by the
NIS directive to bring out specific rules
for that. There has been an expert group who
has worked on that. And there will be a mandate
to the transmission system and distribution
system and working with the stakeholders to
work that out. The goal is really to identify
what further rules are needed and useful to
to bring forward cybersecurity. There's also
the cyber act, basically, from last year which
develops a scheme for certification. There
we will have to identify what actually is
useful for the energy sector because there
are advantages and disadvantages of certification.
We don't want to fix things prematurely. We
will reach out to find a common view what
should be certified. What is on the table
as options or processes. But also, services
and products as possible to be certified.
What last week the commission adopted is a
recommendation on cybersecurity intersector
which is the first step to a network, which
is an invitation to a debate with the stakeholders.
It's not something which we say is the ultimate
and final truth. It is something to revise
and I invite you to have a look at that. It's
from last Wednesday. Our recommendation on
that. Basically, developing our views on what
should be done in order to address real-time
requirements, the cascading effect in technology
mix. And, of course, several of the issues
which have been mentioned are taken up there
because it comes from a dialogue with the
experts. Notably specific risk assessments.
To have redundancy in the system in terms
of networks. Automated responses. Then, of
course, public/private cooperation and then
security by design. Avoid spillover effects
and in order to achieve resilience of the
system. Cybersecurity is not to be seen in
isolation. We are there to ensure the resilience
of the energy system abroad. We have an extensive
regulatory network and framework on gas and
electricity, security of supply. Which looks
already at all the risks. The efforts here
are to specifically make sure that also the
cyber risks are thought through. And in the
policy debate we have a very close connection
also with the protection of critical infrastructure.
Which is sometimes not directly connected
from a conceptual point of view, but in practice,
yes. There we have a very old legal framework
from 2008 and the NIS directive is relatively
new from 2016. We will have to bring that
together in the future. That basically the
critical infrastructure protection is seen
together with cybersecurity. You mentioned
before that there's not a uniform approach
across the member states to essential services
or critical infrastructure. That is true.
That is some of the issues which you have
to address in the future. And I think what
is absolutely crucial is that the dialogue
is very intensive. One of the challenges there
is that sometimes member states do not are
not entitled even from their own national
laws to talk to others, to share information
which goes beyond basically very superficial
issues. So, one of our real challenges will
be to develop a trusted conversational channel
where information can be shared and brought
into the into the right hands and that has
trust basically being built up. We have seen
that in other areas.
I have to cut you off, sorry. But thank you
so much for giving us good overview on it's
not just public/private partnerships in implementation,
but also in policy making. And maybe it's
not necessarily as agile yet. But it is at
least openness. And there's dialogue. And
then I would see it as, you know, understanding
that this is actually really necessary to
create good policy. Before we go to Mr. Dialogue
over here, or Mr. Twitter and see what some
of the questions and comments you have been
posing, I saw that you had an impulse to talk.
So, I will give you the mic. And also give
you the opportunity and then we'll go over
and open up.
For the past ten years I have been doing a
lot of research on the fragility of the EU
grid versus the US grid. And the North American
grid, I should clarify. And some of my observations
are this. In the United States, critical national
infrastructure is part of the national defense
strategy. And the idea is to proactively protect,
mitigate and minimize and reduce the amount
of damage. Now, in the United States, the
Department of Homeland Security, ICS-CERT
and regular do scanning across critical national
infrastructure and report directly to the
operators because a vast majority is not owned
by governments but owned by private entities.
Here in Europe, that does not occur. There
are few national-level CERTs that do any proactive
scanning. This is a big problem, because when
you want to innovate, you want to jump, connect
and do things and not everybody realizes certain
dangers which could be part of the national
defense strategy. But there is no cohesiveness
when it comes to critical national infrastructure
and part of that strategy here in Europe.
When I take a look at the two grids, I see
that the United States one appears to be a
lot more mature in that manner. And one last
thing to add, there's currently there are
two known energy-specific CERTs here in the
European Union. In Europe. But only one is
actually mature, fully mature, up and running
for a number of years and that is the Austrian
energy CERT. We have a long way to go when
talking about preventing and being proactive.
Because in Europe we're just not quite there
yet.
As the question was directed to the policymakers
from my left. Then I completely agree with
the point that the governments should be more
agile in seeking the solutions and promoting
the solutions. And I think a lot actually
stems from the political will. So, what we
have noticed and seen in Estonia is that in
order to develop this digital society, there
has to be constant political will to do that.
In this manner we have actually introduced
e-voting. So, only country in the world so
far. And that is not the only critical infrastructure
that is moving towards digitalization. And
so, I think political will is definitely there
to be needed in order to advance, in order
to find this right balance between protecting
the privacy and at the same time trying to
make sure that innovation is there and that
it's really bringing these solutions. And
to be employed forward.
All right. Thank you. So, yeah, I'll hand
it over to Mr. Dialogue.
Thank you. All right. So, we have one last
round at the Mentimeter. So, if I could get
the QR code up there once again. We have relatively
low participation right now. So, I want to
stress that this is your last chance at this
conference to participate. If you don't do
this now, you will regret it for the rest
of your flight back home. So, please, click
on those buttons there and let's get those
questions answered. A few Tweets that I would
like it show. One of them is with a picture
here. So, those of you who are not able to
attend the women's lunch upstairs. This is
what it looked like. But actually, this is
a failed opportunity here. Because this room
is not that special. That's not what makes
you jealous. What makes you jealous is when
they turn this way and take a picture of the
roof terrace. So, if one of the ladies took
a picture of the terrace and would like to
make everyone jealous, please use the hashtag
and I will show that in my last appearance
today. Otherwise we had a couple of questions
here. Let me see if my iPad works. CSF asks
how we should deal with the problem when in
blockchain wrong information is introduced
to the system. And Jose wants to know, smart
meters aren't really that smart. Their designers
are not that smart as well? I guess I would
like to tie that in actually with the poll
that we're going to show now. So, let's switch
over to the poll. And we have three questions
here. The first is, is the integration of
renewables an opportunity or challenge. Most
people thought it was an opportunity. Should
the discourse on the energy transition focus
more on resilience in cybersecurity? Overwhelming
yes. And here's the question that I had a
little bit of trouble with. Will the shift
to renewables increase the risk of cyber threats?
It's about half and half. Although it looks
like people are still voting.
Let's pose this to our experts here.
But I would like to actually sort of problematize
this. Because the question for me is not really
whether renewables increase the risk of cyber
threats, it's if things like the smart everything
will increase little risk. I haven't heard
that like windmills are a cyber threat. I've
heard that they cause cancer. So, maybe you
can comment on that. And I'll hand over to
Julia now. Thank you.
Awesome. Thank you so much. I like these tools.
So, yeah, maybe just do a quick round of answering
this last question. Renewables, our energy
transition is this increasing actually the
risks. Start with you and then go around.
I have a very quick answer. Since 2017 Google
has achieved 100% renewable quota. We are
in our operational data centers and infrastructure
we are 100% solar and wind energy. Maybe to
keep it to say to be highly secure and renewable
is not a contradiction. Anybody else?
The renewable would require more digitalization,
it increases the risks, but only if not properly
addressed. The issue becomes more important
of addressing cyber risks. This can be done
and if you do that properly, risk assessments,
risk awareness, trainings. But also, the acceptance
of the responsibility of each user, of each
single user. And not basically delegate responsibility
to others and think everything is taken care
of by other people. Then the renewable integration
does not increase the overall risks.
There would be one situation I happened to
see if renewables are introduced to introduce
a threat and risks. That would be if we do
not plan properly to transition people to
better jobs from, say, coal. And keep the
socioeconomic classes good. Because I've seen
cases where there's poverty-driven cyber criminality.
Dealing with malware, ransomware and spam
attacks, so on. If we leave people behind,
the average wage of a malware operator is
10,000 Euro a week. We need to keep that in
the back of our heads that when we transition,
we cannot leave that many people behind.
Okay. From my from my side I think that I'm
agreeing basically with what has been said
before. But, of course, having such a complex
distributed infrastructure a challenge from
the cybersecurity standpoint. It doesn't mean
that we cannot manage it. Of course, the business.
But the responsibility has to be distributed.
Of course, not the same there is no one solution
fit for all the stakeholders. So, of course,
they can address it specifically, the frameworks,
for instance, can invest and sustain the costs
of implementing cybersecurity and information
security management systems. Of course, if
we are scaling down the operator and smaller
sites operator, of course, have to manage
cybersecurity in a different way. So, we have
to provide measure as we say soft handbook
for them. So, we have to involve vendors.
So, collaboration, we said. And, of course,
we need to also to develop new tools for managing,
for instance, for cybersecurity detection.
It's another issue from the research. As a
pain point, we see, of course, the need to
develop and to improve the capability of detecting
new threats. And so, to develop tools, for
instance, based on machine learning, deep
learning and data analytics. And that's a
point. So, in just in one rule that you have
to say that, of course, decentralization is
a challenge from the cybersecurity standpoint.
But provides also an opportunity for the whole
system resilience. So, why not?
So, I think people were divided because on
one hand increased numbers, increased complexity.
On the other hand, renewables are already
there. Right? We have that complexity already.
To respond to the two questions related to
blockchain through Twitter. So, one related
to the access point. And I thought I had addressed
that. Which is that it is, you know, a blockchain-based
database is at the moment the most secure
database. The entry point remains the vulnerability.
If it's a device that is more trusted, if
it's a person entering data, you still have
that human error possibility. And that, you
know, unless we're all replaced by machines
which I really don't think we will, will remain
an issue. On how can it be addressed. I mean,
just by having, you know, whatever layers
that you have right now and check off checks
and balances to ensure sufficient accuracy
and transparency and using as much device-based
data points as possible. The other question
was about policy makers and smart meters.
It's not a question of are the policy makers
smart enough? It's more a question of that
they have this really heavy burden of a very
important issue which is energy supply and
energy security which I fully understand.
And that it takes time to make a decision.
It takes time to certify a device. But because
of this backlog and because of these delays,
as innovations come about, they do not get
introduced as fast as they could be, and they
can enable many other services to customers
that are equally important and that still
maintain that security. So, it's more of an
issue of how do you make sure that you understand
the changes around you and implement them
faster while still feeling confident having
tested it sufficiently, you know, for a regulatory
sandbox, whatever is available as a regulator?
And also, you know, I mean, I have met a startup.
They're actually one of the finalists presenting
later today. They have produced a currency
limiter as they call it, which makes your
home very flexible. And introduces that additional
service, which is important not just for that
household, but also for the, you know, the
grid management. They can go much more beyond
what they are doing, and they can become a
really smart smart meter. And there are other
innovators like that. But they will take time
because they are not sure if they can play
in that area because the certification is
such a closed topic. I'm just all I'm proposing
here is that it become a more of an open topic.
That we get the regulatory sandboxes faster.
That we once we test, then we are feeling
confident that certain solutions can work
and maintain or even increase security. That
we start implementing them faster. That's
the only proposal at the table here that I
have. Thank you.
I think it's important, of course, to have
technical and institutional capabilities in
place in order to deal with increasing cyber
threats. But to the question of whether a
decentralized energy production is increasing
cyber threats, I think the answer is no. So,
we have to be prepared for more advancing
digitalization coming with new types of threats.
But at that cyber threats to renewables is
not the right approach. We are in Estonia
facing similar challenges all the time. So,
where to strike the right balance between
the cyber protection, cybersecurity and the
innovation? And so, I think important is here
that we are we are transparent with the cyber
threats that we have in this society. And
also, are discussing these issues openly with
our citizens. And it is important in order
to advance with digital society that people
trust in our e-services. If there's no trust,
then it is very difficult also as a politician
to go ahead with more digitalization. So,
I think that this is really important.
Okay. I would like to do one last round for
one specific challenge which so, we discussed
now the challenge of innovation and resilience
and cybersecurity. And as you guys mentioned,
risk assessment, we need risk awareness. We
need dialogue. So, I'm, you know, this is
already I think a very first step to have
such a cybersecurity and resilience-focused
discussion at an energy transition conference.
And you mentioned. Digitalization, but also
the hassle of, you know, we need to implement.
The challenge I see which will, you know,
will face lots of companies will face, but
also the public sector is there actually still
enough ways of cyber and IT security people
meeting, you know, with the energy sector,
important people, you know, who are driving
innovation there, what could be ways of where
we could start getting these people together?
And then also what are ways of, you know,
getting more people interested in IT security,
cybersecurity at the intersection of energy
policy? So, just to do a quick round of like
maybe you have a recommendation for people
in the audience. Or ideas of how we can move
this issue forward because it seems like maybe
cybersecurity could stifle innovation and
that's not what we would like, right? So,
yeah, just whoever would like to start first.
I can start. So, what we are advocating is
we have actually technical solutions available.
As I mentioned earlier as well. In order to
enable a more current support for our data
flows and incorporation. So, we are offering
the platform as a data chains platform for
anybody who is interested. And we are discussing
currently with several European nations. And
advocating this platform. So, even if countries
don't have similar infrastructure, or system
architecture as we have in Estonia, we still
have technical solutions in order to make
sure that this distributed, decentralized
data hubs can be connected to the system.
And also, we have protocols, common protocols,
you know, to make sure that different protocols
can be actually operated on the similar basis.
And for the authentication we have open for
the systems available, actually. So, all different
country don't have to have a similar digitalization
as we have in Estonia. So, what we are advocating
is to cooperate. And then offering openly
such solutions.
Okay. So, not always start from scratch, I
guess. Yep?
Yes, thank you very much. I think what Minister
Tammist said is very important. The issue
of trust, and trust comes very often with
security. It's if I trust the service. And
this is what we experience. This way for us
is like you have to think about security from
the very beginning. Do I have the product
which I'm offering? And if it's not secure
then it's not innovative. The question is,
every company, especially energy entity, do
you have delayed undertake on the risk assessment
for my service or product? Do I have the people
in place if something happens like a computer
emergency response team? Do I have a strategy
on this? How do you what is actually when
something happens, and this is also cybersecurity,
there is no 100% of cybersecurity. But you
can learn ways to cope. So, for example, do
you have a plan when something happens, how
do I react? This is also very important. So,
that's why, for example, there are a lot of
exercises. Same when you have a fire wire
exercise. It's the same with cybersecurity.
You have to exercise, what do you contact,
where do you go? And I think I guess what
Stefan mentioned is actually the very specific
responsibility from the energy sector is like,
I mean, if you're honest, just to make a little
joke, if there is no energy, there is nothing
else happening in the world. So, this is very
much a responsibility. And I think this is
very important for to understand that we are
responsible. So, we are a part of it. And
we have to deliver. So, this is from it's
not the user who has to deliver, it's us to
deliver. And it's even if it's Google or an
energy company, it's the trust we have to
create, and we create it only if we have all
these little steps. It sometimes it's like
risk assessment and then you realize, oh,
there is a gap. It's not covered, or I don't
have an IT person in place or something. Very
small steps.
Okay. So, yeah, just a quick comment on the
exercise in case you don't know. Next week
the NATO Center of Excellence is running a
scenario, a fictional scenario where also
there will be a cyber-attack on critical infrastructure.
The energy sector and that's, you know, worldwide
played through how are we dealing? So, definitely
something to follow. They usually put out
a report afterwards. It might be of interest.
So
Thank you. Maybe just a few final thoughts.
One is that, you know, I'm very involved in
energy blockchain innovation space. Most applications
are not in a regulated area. In great part
because they are scared away by regulations.
The more agile policymakers become, the more
innovation will come to that area as well.
Right now, it's focused on other areas. In
terms of countries that are leading by example,
one is considering and not sure if they're
going to be a member of the EU or not. So,
it's UK. It's actually the leader here where
we have a regulator working with the innovation
department. And funding pilots and testing
in a regulatory sandbox in this area. And
they started this one year and nine months
ago. I was there when they opened their regulatory
sandbox. The third thought I have is that
much of the technical development happens
here in Europe. Much of it here in Berlin.
I'm based in Berlin. A lot of the deployment
happens in Asia and Australia. Because it's
a less regulated area. Here the example of
the Estonian B power company in Australia.
So, this is a challenge to my colleague that
they also do it in Estonia. And finally, if
you're really excited about these issues,
we have annual summit of, you know, policymakers,
corporate startups here in Berlin at the end
of June. It's called Event Horizon Summit.
We're the official blockchain partner of this
conference. And you can join us there to really
dig deeper into many of these issues if blockchain
is of interest to you.
Thank you.
If I would respond to this remark on Estonia.
Yes, they are going to test it also in Estonia,
in Europe.
Excellent.
Okay. Back to the question now, why do smart
meters are not so appealing? As this is my
phone for the user and the customer. So, I
think, of course, we all know for sure. We
need I mean, we can shape the advantage of
a smartphone. It's much more difficult to
for the standard customer to appreciate the
value of demand response programs. So, of
course, what you need is just to have also
a cultural campaign that try to engage the
customers in such demand response programs
in order to get them more aware of the advantages.
Because not our homes are so smart today.
So, of course, it's something that is coming.
But it's not available yet. So, the advantage
and the benefits in terms of economic terms
cannot be appreciated today. So, it's an issue.
It has to be prepared in order to get all
the customers involved in the energy transition.
Okay. The two last remarks, please. And also,
again, on, you know, question of resilience,
building resilience. What is something we
should keep in mind now or start doing more
of?
In your business continuity planning and operations
continuity planning, the risk of a cyber event,
especially a major cyber event happening to
you or your third-party or suppliers has to
be added into those continuity plans and thought
of as another event. Also, with various types
of exercises and so forth, you would not want
a pilot or a copilot to fly an aircraft if
they had not been a simulator first. So, I
would expect when a major event occurs, what
happens is you have to get completely technical
and non-technical people, legal, regulatory
and so forth, as a team and start preparing
those things now. It really is not if, it
really is when. I would say preparation and
adding into your business continuity, operations
continuity planning these types of events.
All right. And since you talked very late,
you now have the final last remarks.
I fully agree with what Chris said. But indeed,
the question is about skills also. And I think
there is a significant skills gap amongst
the users involved in the energy system. There are
not enough IT cybersecurity experts. And probably
not enough knowledge spread across amongst
the normal users. So, I think that will require
a particular effort by the companies. The
system operators, both transmissions and distribution
system operators, but also other players in
the energy system to make the normal non-expert
users, their employees, basically, aware of
that. But also, private citizens should be
offered easy tips as it happens, of course,
on road traffic, for instance, about accidents.
That has been going on for decades. Education
of children, of young people. How to avoid
accidents. This needs increasingly to come
also for cyber risks. In order to enable them
to be responsible users. Otherwise, they simply
don't know. They have no chance. This is a
major challenge. It doesn't mean that everyone
has to become an expert. But a kind of minimum
awareness and knowledge of what dangers there
could be. And I think many in the practice
have already developed like this phishing
attacks that be aware if you get an email
from a friend. It looks a bit strange. Then
don't click on it, don't download things.
So, this has to increase and then I think
the security will certainly be improved overall.
There will never be absolute security. It
will be important to have exercises, especially
in the companies in the energy system and
then draw the lessons from it. And then exercise
as you mentioned with NATO, with you with
the member states, especially cross-border.
Several members are working together. Noting
also that some member states are differently
organized. So, it's not that that's there's
always the easy correspondence in the same
ministry in the other capital. Sometimes it's
agencies, sometimes the prime minister's office.
There needs to be a network where people can
call each other and have immediate contacts
and this network has to be kept warm. So,
exercise is the way to stay in touch, basically.
All right. Well, thank you so much. I certainly
learned a lot. I hope you also had fun after
the lunch break following this conversation.
And hopefully we can continue this talk and
dialogue. Please give a hand to all our experts
here on stage.
And we finished right on time. So, thank you
so much.
