Applied Risk’s NightWatch 2022 event addresses current issues across industrial cybersecurity space

Industrial cybersecurity company Applied Risk on Thursday organized the fifth edition of its NightWatch event, NightWatch 2022, hosted in a hybrid format. The theme of this year’s event was ‘Securing Critical Infrastructure Amidst Geopolitical Situations,’ and it brought together industrial cybersecurity professionals from across a range of industries to share and learn from research findings and established OT (operational technology) security strategies.

The event opened with a welcome session by Jalal Bouhdada, founder of Applied Risk, a DNV company, and global segment director for cyber security at DNV, and Remi Eriksen, group president and CEO of DNV Group.

Bouhdada said that the gathering is really about sharing knowledge and helping each other to protect ourselves, especially in the OT community, from the bad guys. “So we’ll keep maintaining this tradition. And we’re very glad to see that we’re having new companies and new members that are joining this community.”

Taking the stage after Bouhdada at the NightWatch 2022 event, Eriksen pointed out that with society fast approaching the 2020s, people have started to label this decade as the ‘decade of transformations.’ “This is the decade where there will be immense changes, food systems, transport systems, healthcare systems, and also this will be the head where the technologies that are underpinning industry 4.0 goes from experimentation into large-scale deployment. And all these transformations are deeply dependent on critical infrastructure being more and more digitally connected, connected to make society safer, connected to me to lower the cost and increase efficiency. I’m also connected to make the world more sustainable.” 

“However, this increased connectivity results in, say, an unprecedented change in the risk picture that we are facing,” Eriksen said. “Moving from vulnerabilities, single standalone assets to multiple distributed vulnerabilities across many systems. On top of this, we can add a global pandemic, we can add a war in Europe, we can add geopolitical tension. And you can also add a widespread food crisis and energy supply shocks.”

Eriksen added that the security risks embedded in both system transformations are talked about. “And this crisis cannot be ignored by government, business, and the wider society. Cyber threats to critical infrastructure are becoming more common, more complex, and more creative.”

Speaking at the NightWatch 2022 event, Dr. Stephan Lechner, director of Euratom Safeguards at the European Commission’s Directorate General for Energy and coordinator of policy activities for the European Commission on cybersecurity in the energy sector, provided the audience with a European perspective on cybersecurity. He also covered recent and planned cybersecurity activities of the European Commission in the energy sector and beyond, while addressing the Commission’s objectives and expectations for cybersecurity in the energy sector. He then provided an overview of the expected impact of European Union legislation on operators and suppliers.

Citing the prevailing gas prices, Lechner said that “we see we’re having an energy crisis. And we are also having a crisis of security of the supply of energy. And this is currently being addressed at the political level. In the European Union, the council, the member states are looking at the European Commission and asking the European Commission to propose ways out.” 

Talking about why Ukraine’s energy sector did not collapse altogether in the early days of the war, Lechner said that Ukraine has learned since the 2014 Crimea invasion and has hardened its environment enormously and very professionally. “So shelling energy systems is still an approach to interrupt them and it’s obviously simpler than hacking them, at least in Ukraine,” he added.

But the energy sector in the EU might not be that fit for countering cyber attacks or withstanding cyber attacks, Lechner added at the NightWatch 2022 event. 

Addressing why energy infrastructure should be hacked at all, Lechner said that “until 24th of February, the question would have been worthwhile and they would have received quite a number of answers. But we have seen that you do not always need a very logical reason for doing something. It just might fit you politically. And we have seen that energy infrastructure has been attacked and we still do not know the details and we most possibly will never find out the details. But we have seen it and it had not been expected. Or had it.” 

Referring to media reports published after the attacks on the Nord Stream 1 and 2 natural gas pipelines, Lechner pointed to prior indications that the CIA might have warned the German government, which the latter did not comment on. “But of course, there is also a lot of intelligence around and there are warnings here, there, and everywhere. So if you’re receiving all the signals, it’s very difficult to sort out what is going to be taken for real. But it’s yet more difficult to sort out how you would react to them. So how would you protect a pipeline that is just deep down in the waters? And you might not even know where an enemy might strike and which way – difficult enough.”

Going back a little bit from the physical attacks to cyber, Lechner quoted the U.S. president as claiming in March 2022, after the start of the Russian war on Ukraine, that there are issues with cybersecurity. “Cyber attacks could come soon and it’s about looming Russian cyber attacks. And industry businesses need to do more. Interestingly, they say they’ve been working with the private sector for months now. Actually, in the European Commission, we are looking into the energy sector for years now. And we felt that in 2015-2016 when we started it, we were still comparably late.”

Lechner added that “these are also things that are indicators and we did not see the Nord Stream blasts come where we didn’t know how to react, but how would we react here? It’s not so straightforward. We would anyway have to understand that whatever we do, there is something that we call systemic risk.”

Describing the connectivity and synchronization within the power grid as really immense, Lechner said at the NightWatch 2022 event that “it is not as if we had TCP/IP and the power grid. No, not at all. The protocols of the Internet were laid out for robustness. This is when DARPA drafted it to make it robust against cuts that might appear here or there. Those weren’t the Cold War days. And it has been architected for this purpose, but the power grid hasn’t. So power grid analysis has been brought up in the United States at least and is no different in Europe, 10.8 percent of all links are at the risk of failing and the cascade event – this is a lot.”

“Now thinking about synchronization that is happening across the various zones of the European grid or grids and also synchronization that we are establishing with Ukraine and going beyond in Moldova. I mean this is getting more and more connected,” Lechner said.

He added that cyber security is not something “that you can simply check and then the deal is done. I have heard politicians say if this package of the European Commission gets adopted, we will all be safe. And the politicians are not saying this because they believe that they’re all safe – they just want to press for adoption. And so they want to press the member states to give into certain positions. And the reality is much different.”

Dealing with the increasing digitalization speed, Lechner said that “cybersecurity efforts are keeping us on track. So we need to really understand that the treadmill here will not stop. This is digitalization that we have entered, and they’re accelerating and we need to keep on running and the pace is there and the pace will accelerate. So the efforts have to be continuous, it is nothing that you can just take off.” 

Pointing to the three unique characteristics of the energy sector, Lechner highlighted the use of real-time components, cascading effects of blackouts, and a mix of legacy technology with the Internet of Things. 

Commenting on the recent Cyber Resilience Act, Lechner said at the NightWatch 2022 event that it is a commission proposal only, to be discussed with parliament and council. “The commission – the only entity at the European level who can propose legislative drafts – has suggested addressing all products with digital elements for cybersecurity. Going broad, everything that has a digital element must be subject to this proposal. This is what they’re planning. So this is a catch-all instrument that will come up with everything that is digital has a digital component, and therefore would be as rightly said, vulnerable. If it’s smart, it’s vulnerable,” he added.

“Addressing the rest, so it is kind of cybersecurity by default. Please stay away from our markets if you’re having digital components in your products that are unsafe,” Lechner said. “There is an important article four, the application of this regulation may be limited or excluded and then it says various sectoral rules achieve the same level of protection. So what we are having in the energy sector already and the network code that they’re preparing is specific to the energy sector and will do the trick. So these pieces of legislation fit into each other.”

Pointing out that it is all draft and has not been approved yet, Lechner said that it is in discussion with the council and the parliament. “So careful. But this is our approach, how we will try to catch the rest and avoid being flooded by insecure devices or components then aligned with the sectoral roles and this is why it makes sense to look into the sector specificities so take away messages cybersecurity will stay a continuous effort,” he added.