
Guarding the Grid: Hackers Target Smarter Power System

Published Dec 14, 2023, 10:51 AM

As power grids evolve to accommodate new clean energy sources and smart technology, they are becoming more vulnerable to cyberattackers looking to exploit weaknesses in these increasingly connected systems. But what form do these attacks take, and what can be done to prevent them in the first place?

On today’s show, Dana sits down with Amanda Ahl from BloombergNEF’s grids and utilities team. Together they discuss what form a cyberattack on the grid can take and the scale of damage it can cause, the marketplace for cybersecurity and costs involved in securing networks, and how utilities can future-proof their infrastructure against new artificial intelligence and quantum computing threats.

Complimentary BNEF research on the trends driving the transition to a lower-carbon economy can be found at BNEF<GO> on the Bloomberg Terminal, on bnef.com or on the BNEF mobile app.

Links to research notes from this episode:

Guarding the Grid: Utilities Fortify Cyber Defenses - https://www.bnef.com/insights/32631

This is Dana Perkins, and you're listening to Switched On, the BNEF podcast.

Now, I don't know about you, but it seems like all of my friends are talking about AI lately. And among the myriad of things to consider is cybersecurity. It's such a hot topic, in fact, that it was even featured in the most recent Mission Impossible film. But cybersecurity is not a new topic, as we'll come to find, as much of the world has an increasingly complex grid that has evolved to become even smarter and more digital and capable of optimizing energy use, which will prove helpful in the race to net zero. These very additions themselves have created new vulnerabilities which cyber attackers can exploit. So what sort of damage can be caused by a cyber attack on an electric utility, and can we protect them? And what exactly is an air gap? It's a computer or network which is isolated from other networks for security reasons. Today, instead of me telling you any more about it, I'm joined by our Grids and Utilities team member Amanda Ahl. She's going to discuss some of the findings from her recent report called Guarding the Grid: Utilities Fortify Cyber Defenses. Together, we discuss the different forms a cyber attack can take, the motivations behind these attacks, and the scale of damage that can be caused, as well as the costs involved in fixing them and in warding off attacks. Can anything be done at the government level to beef up cybersecurity? We assess some of the policies countries have put in place to strengthen cybersecurity in both the public and private sectors, and the marketplace for companies offering grid security. And finally, what does the future of grid security look like? As we enter an era of AI and quantum computing with even greater computing capabilities, there also come some potential threats, and are there measures that can be put in place to combat these even more complex attacks? To access Amanda's report, BNEF subscribers can find it at bnef.com, on BNEF<GO> on the Bloomberg Terminal, or on the BNEF mobile app.
If you like this podcast, make sure to subscribe and you'll receive an update when a future episode is published. And if you give us a review or a rating on Apple Podcasts or Spotify, it'll make us more discoverable by others. But right now, let's jump into our conversation with Amanda. Amanda, thank you very much for joining Switched On today.

Thanks for having me.

So today we're going to talk about grid security. What's at stake here? What is the worst case scenario?

So, I mean, utilities are really integrating more and more digital technologies, meaning that they're investing in more technologies like sensors and creating digital models of the grid and investing in communication technologies. And as they do that, it means that, first of all, the grid is getting the eyes, the brain, and the senses that it needs to act efficiently. But at the same time, integrating all these new technologies which have internet access means that it's increasing the potential cyber attack surface of the power system. And with this new link with the Internet, it basically means that cyber threat actors could potentially access physical grid infrastructure, leading to damages, leading even to power outages.

So we're most concerned about blackouts, maybe citywide, statewide. Like, what scale would the worst case scenario be? And I guess the follow-on to that is really how connected is it? Is it all of the grids across the US, barring ERCOT, that are all connected? You know, how big could a problem be if there was a cyber attack, if they got in, if we're specifically focused for this question on power outages?

I mean, that's really hard to say, because what we know right now is that there is malware out there that could specifically target technologies on the grid, like substations or other kinds of operational technologies. So I mean, hypothetically a cyber attack could maybe take out an entire utility's network. Hypothetically, I'm just saying, but I mean, of course, utilities are investing in new cybersecurity technologies to make sure that doesn't happen. But potentially the more and more malware coming out that can target power systems means that this could lead to outages across utilities.

So outages, and then you also referenced the damage to equipment. So is that one way of targeting or using malware, to actually cause maybe a piece of equipment to malfunction and to actually cause very expensive damage to critical infrastructure?

Yeah, exactly. So there's one example. There's a kind of malware called CrashOverride, also known as Industroyer. I love these names, they're kind of funny, but what they do is really not funny. For example, CrashOverride was actually used in an attack on Ukraine's grid in twenty sixteen. And this malware basically took and codified, meaning put into code, knowledge of how control systems work, so the control systems for substations, how they work, and then used this to shut down the substation in Kiev. And this was one substation. But the scary thing is that cybersecurity professionals here think that this could have been a proof of concept, since not all of this malware's functions were used. So if this is done on a larger scale, it can really damage the grid and of course impact people that depend on electricity.

So let's talk a little bit about the olden days, when the grid was not connected and things were much simpler. Technology hasn't just spread immediately. Over time, systems have gotten more sophisticated, and there used to be security measures built into the way that it was designed. Can you talk a little bit about how the grid used to be designed and really what precipitated such a dramatic change to make everything interconnected?

I mean, originally the tech structure of the grid, or the digital tech structure of the grid, was based on two main elements, so it's information technology and operational technology, or IT and OT. So for IT, think things like file management, emails, internet, and for OT, these are the technologies that monitor and physically control power equipment on the grid, like substations. And originally these were kept separate because, you know, if OT, like a substation or circuit breakers on the grid, were compromised, then it could result in power outages. So keeping IT and OT separate was the OG, like the original kind of cybersecurity mechanism for the power system, to ensure a hack in IT would not impact the physical grid. But I mean, now we're seeing utilities are digitalizing at a rapid pace. And what I mean by digitalizing is that, as mentioned earlier, the grid is integrating new technologies like sensors and analytics software to access and analyze data from the power system to help run this physical infrastructure more efficiently. So this is great, you know, if you think about efficiency. But this also means we're integrating IT and OT. So with this new link between information technology and operational technology, if a cyber threat actor hacks into an IT system, you know, a simple thing like a phishing email, it might be able to move laterally and access OT networks and really cause damage to the grid, like we've been seeing.

So we talked a little bit about the olden days of the grid, when things weren't as interconnected, and there is some brilliance in that simplicity. Is there a move to in some way make these grids a little bit isolated from one another to actually minimize the risk? I know that there's a lot to gain in terms of efficiency and reducing waste when we have a much more connected grid. And we're all familiar with these terms, connected grids, smart grid, and actually even the rise of new business models like virtual power plants. But is there a space for grids to not be connected with one another and to have a series of non-connected units where, you know, the connectivity essentially ends somewhere? And is there thought being given to how connected is too connected?

That's a good question. I think that it would be very difficult not to have connected grids, because we need both distribution grids and transmission grids and interconnection among these grids to support a broader sustainable energy transition. So I think what we need to do is understand that the power grid is getting more and more access to distributed energy resources, such as EVs, such as rooftop solar and batteries, that are connected to the distribution grid, which is connected to the transmission grid, which are communicating more and more with one another to help balance the overall power system. And as more of these decentralized energy resources come online, the cybersecurity of power systems also needs to reflect or mirror the increasingly decentralized nature of the power system as well. Because it's happening, we're seeing a lot more virtual power plant projects. We're seeing a lot more distributed energy resources come online. So of course some grids, like for example microgrids, they can be islanded when need be. But what we're seeing is a broader focus on coordinating the broader power system.

Now, cyber attacks are something that are probably not new to any of us. We all think about phishing emails when we think about our own inbox. And what I want to know is how much of the focus, I guess, of these cyber criminals is on the energy system. And is this a big thing for us to be worried about?

I mean, short answer, yes. Unfortunately, that's exactly what we're seeing, is that cyber attacks on utilities are on the rise, and the frequency of cyber attacks on utilities is reaching even new, very high levels. And this is because, as we digitalize the power system and connect more and more connected resources, connected meaning that they're connected to the internet, it means that the cyber attack surface of the power system is growing, and because of that, we're seeing more cyber attacks. So the frequency of cyber attacks on utilities we saw reach very high levels during the pandemic, in part driven by more remote work, and cyber attacks have also been increasing since the war in Ukraine, potentially because this is allowing threat actors to showcase their cyber warfare techniques. So it's clear that these geopolitical and social issues and upheavals usually lead to an increase in cyber attacks, and this seems to indicate that the energy sector really is becoming more and more of a target. For example, according to the data from IBM, the energy sector accounted for about eleven percent of the total global number of cyber attacks IBM tracked in twenty twenty two, which is higher than the sector's pre-pandemic levels of about six percent, and North America in particular has been the most targeted region for attacks on energy firms over the past two years, according to this data.

What happens after a cyber attack? Do the consequences include needing to, as you referenced, you know, if something gets broken, repair kit? Or is this a conversation around actually being held to ransom, because that happens sometimes as well, where they won't release your system until you've paid a certain amount to the cyber criminal? What happens, and how do these companies respond to these attacks when something does go wrong?

Yeah, I mean, a cyber attack can make many things go wrong, from money being lost due to just downtime of the power system, to having to pay off ransomware, to potentially having to pay fines because the cyber attack was caused by some kind of non-compliance with regulation, or, you know, fixing or repairing damaged equipment. We've seen that also, IBM estimates the global average cost of a data breach, which means just illegitimate access to confidential data. They're saying the global average cost of a data breach, specifically for the energy sector, has reached nearly five million dollars, and this is because actually identifying and dealing with those breaches is getting costlier and taking longer, because honestly, these cyber threat actors are getting more and more sophisticated in their techniques. At the same time, there's more technologies and services coming out specifically to respond to these attacks, so incident response technologies. That includes both services, like some companies like Dragos offer services like playbooks, which are basically lists of action items for specific cyber attacks that a company can do, and Dragos is specifically focused again on operational technologies such as in the grid. So other than services, there's also startups and companies coming out with new technology to support and even automate incident response. So, for example, there's a technology, or group of technologies, called SOAR, in all caps, which means Security Orchestration, Automation and Response, which uses basically AI algorithms to help both detect and automate some of the response to actual cyber incidents.

So there are new companies that are seeing this vulnerability and finding a way to really help utilities figure this out. But surely it's not all coming from startups looking to strategically fix these problems. I would assume that the utilities themselves are investing in various ways to protect themselves. What is happening with the utilities, and what other, I guess, domestically grown technologies or responses are they then turning to in order to secure their grid?

What we've been seeing really is that utilities are spending more on cybersecurity and developing their own cybersecurity strategies, especially the larger utilities. So basically that involves, one, developing business practices. So that's things like growing security teams, having cybersecurity expertise at board level, and also running annual incident response practices, kind of running hypothetical cyber attacks that might happen on the utility and having the security teams actually practice what they would do in that situation. That's the business evolution side. There's also a lot of new investments coming out of utilities on cybersecurity. You know, what we're seeing is that spending is on the rise on cyber. For example, in the US, we've seen that utilities are spending more in terms of capital expenditure on cybersecurity, specifically operational technology security. So for example, Southern California Edison, or SCE, their capex on cybersecurity rose about two thirds, from sixty million USD in twenty twenty to nearly one hundred and ten million in twenty twenty one. And that was kind of driven by their grid modernization program, to make sure that their grid technologies really are cyber secure. And you know, we're BNEF, so we had to crunch the numbers. And we found that in the US, we calculated that the annual cybersecurity capex for utilities is likely already one billion US dollars, with the average share of capex allocation usually around one percent. And I mean, of course this might be higher or lower by utility, but this really isn't a small number, and it is likely to grow, we think, as well: one, as regulations get more strict, and two, when, if, and when cyber attacks grow.

Much like you can't drive a car without insurance in many parts of the world, is there an obligation, a legal obligation, in some countries for cybersecurity to be in place? Because nobody wants blackouts, least of all the companies operating the grid and also the power providers. But are governments getting involved?

The US really is leading the way in terms of regulation and standards for cybersecurity specifically in the power sector. And I think that's potentially because cybersecurity has been seen as a matter of national security for a while now. And for example, in two thousand and eight, the North American Electric Reliability Corporation, NERC, came out with mandatory standards for critical infrastructure protection called NERC CIP. Sorry, a lot of acronyms there. For both physical security and cybersecurity of the bulk electric system, and bulk electric system here refers basically to the transmission grid, violations of these standards can result in fines of up to one million dollars per day per violation. But while the US has been kind of leading the charge in cybersecurity regulation and policy, I think also Europe is catching up. Originally, the European Union couldn't really impose strong regulations for power system cybersecurity, because issues like cybersecurity are really related to national security, and I think countries don't really appreciate when you meddle in matters of national security, so it was difficult to do that. However, as cybersecurity is becoming more of an issue, and also, I mean, we have a bunch of grid interconnections among European countries, which means a cyber attack in one country might affect another country, the EU is stepping up their cybersecurity directives as well. And the biggest thing there right now we're seeing is the Network and Information Security Directive, or NIS number two, which is an update of that directive, which basically calls for essential entities, which includes grids, to ramp up their cybersecurity measures. And there's a lot of fines there too, and it requires member states to basically set a maximum fine of at least ten million euros, which is about ten point six million dollars, or two percent of their global annual revenue, whichever is higher, if they fail to comply. So I think the European Union is also ramping up regulation here.

Now, you're only as strong as your weakest link. Is there a specific part of the network that is most vulnerable? And how do most of these problems actually get in? Is it malware connected to an email, or is it something else? Is it our smart refrigerators or the electric vehicles connected to the grid directly? Where are the biggest vulnerabilities?

I mean, based on what I've seen, most cyber attacks on utilities are still the regular ones, so phishing, or through public-facing applications, or through websites and stuff like that. But as we get more and more distributed energy resources connecting to the grid, like electric vehicles, smart meters, even air conditioning units are becoming smart nowadays and can give and take electricity from the power grid, it means that we're getting more and more endpoints connecting to the power grid which are also connected to the Internet. And this means that, honestly, utilities' networks are becoming far more complex than they used to be and have far more endpoints than they used to have, which means that having regular firewalls, I think when we think about cybersecurity, right, we think about traditional firewalls, which are basically like putting a giant fence around your corporate network, that's really not enough anymore as we have more and more of these endpoints flooding utilities' networks. So that's really calling for new sets of cybersecurity technologies down to the actual endpoints, specific security measures for these distributed energy resources and within the network.

So if I had to break this down in its simplest sense, it is a system that is connected to the electrical grid and in some way is trying to decide whether or not it pulls electricity or it stops pulling electricity, based on what it's getting in terms of data from that grid, regarding perhaps peak demand at that time, or power prices, or whatever that input is. What I'm wondering is, with these firewalls that exist, those that are trying to break into the network, is it that the network inherently has vulnerabilities and they find those? And this raises the question of AI and an increasingly smart computer system that can go through a number of permutations very quickly and find those vulnerabilities, versus when a human being, and mistakes do happen, responds to, as you mentioned, phishing and essentially allows that vulnerability to happen because they made a mistake. I would expect that both of these exist, and you said the vast majority are coming from phishing right now. My question there lies: do we think that first scenario that I went through, the one where AI is locating those vulnerabilities without being aided by someone like myself clicking on the wrong thing, is that something that we additionally need to think about in the future?

Phishing is one that we know of for now, but I think as we have more resources connecting to the grid, we have more entry points for cyber attackers. So, for example, if we think about electric vehicles, even though a utility has its own set of cybersecurity measures, it needs to interface with an increasing amount of additional second and third party players. Right, so, if we think about EVs, they connect to the grid, and for example, a startup called SaiFlow is focused specifically on EV cybersecurity, and based on data that they're sharing, they show that the communications protocol used for EV charging management systems can be compromised by cyber threat actors, and by doing that, the threat actor could, for example, turn EV chargers on and off, or even steal. And as more EVs come online, as BNEF forecasts will happen in our New Energy Outlook and Electric Vehicle Outlooks, if we do depend more and more on electric vehicles and systems like vehicle-to-grid, where the power system calls on EVs to help support the grid, this could really cause damage as well. So basically what I'm trying to say is, as more endpoints come online and the grid depends more and more on distributed energy resources which are also connected, that's a huge issue on the endpoint security level, which is kind of lacking right now.

So when I think about hacking, I think about non-state actors, but we also know that some of these are either, first of all, state sponsored, or secondly, is there a fear that essentially this could be weaponized?

Yeah, I mean, what's a bit scary is that cyber threat actors are getting better and better at specifically developing malware and attack techniques targeting operational technologies like substations on the power grid, meaning they're figuring out how to launch cyber attacks that are tailor-made for the power grid, and this can definitely be used in cyberwarfare. So a very famous example of an attack on an industrial control system was Stuxnet, which basically targeted a nuclear power plant in Iran by taking advantage of a software vulnerability to access controllers in that plant, and basically the attackers used this vulnerability to compromise the control system and make the centrifuges spin too fast, causing damage to the plant. So this and some other examples we've seen around the world are kind of showing us that cyber warfare is an increasingly normal thing, specifically targeting the power system.

Another data point that came up, also from IBM, is that the cost per data breach is averaging around four point seven eight million US dollars each time. So this is expensive. It's expensive for the breach, and invariably now it's costing more money to try and prevent them and cut it off at the pass. So this is a burgeoning industry of companies that are looking to service this. But what is the next thing for you, now that you've spent time researching this? What is the next thing that you're going to look at and look into that hasn't been covered in this research note, in the vein of trying to better understand cybersecurity?

That's a good question. I think what I've been seeing in general in cybersecurity tech innovation is that the security focus is coming closer and closer to the end resource or the endpoint. So it's going from being this massive firewall around the network to endpoint security, which basically gives endpoints like EVs, smart meters, substations their own set of security measures. And this endpoint or resource-focused security also brings us to access control. So we've been seeing a lot of innovation in access control, which traditionally is things like encryption or firewalls or multi-factor authentication. And the interesting innovations here are zero trust models and quantum-resistant encryption. So in a zero trust model, access is basically provided to resources, like a substation, for example, or a smart meter, on a per-asset and per-request basis, as opposed to, kind of, you know, allowing access to all assets in a network once an actor is within a firewall. So for example, GE and other tech vendors are beginning to integrate zero trust architecture as a layer in their grid software portfolios. And then on top of that, another interesting innovation is, think about a future when quantum computing becomes a reality. Encryption like today's encryption can be easily decrypted with an actual functioning quantum computer. So encryption today needs to get up to speed, so new kinds of cryptography, or post-quantum cryptography, can help. For example, IBM, Google and university partners co-developed a kind of lattice-based digital signature in which encryption security relies on the difficulty of finding short vectors in lattices. So basically what that means is it's a very, very difficult mathematical problem about finding specific vectors in a three-dimensional space. So definitely we've been seeing some cool innovations in access control and any kind of tech that's bringing the security closer to the end resource.

I love that the form of protection you brought up is called zero trust architecture.

Exactly, it really is: don't trust anyone.

Don't trust anyone. I might click on that phishing email. Amanda, thank you so much for walking us through not only what's happening with cybersecurity, but also this different set of vocabulary, so these different systems that are being used and the different acronyms, and also my personal favorite from the show, zero trust architecture.

Thanks for having me.

Bloomberg NEF is a service provided by Bloomberg Finance LP and its affiliates. This recording does not constitute, nor should it be construed as, investment advice, investment recommendations, or a recommendation as to an investment or other strategy. Bloomberg NEF should not be considered as information sufficient upon which to base an investment decision. Neither Bloomberg Finance LP nor any of its affiliates makes any representation or warranty as to the accuracy or completeness of the information contained in this recording, and any liability as a result of this recording is expressly disclaimed.
