How ‘defence in depth’ can repel energy sector cyberattacks


It is an uncomfortable fact that there is no way of futureproofing power assets against unknown cybersecurity threats. However, it is also true that companies in the energy sector can be smart, vigilant and adaptable to cyber threats if they apply a ‘defence in depth’ cybersecurity concept. Bernhard Mehlig, a cybersecurity specialist at Siemens Energy, explains how.


Power plant and power grid operators have their hands full when it comes to industrial cybersecurity.

The attack surface of their assets increases daily due to a plethora of new applications connected to their operational technology via the Internet of Things, edge and cloud computing, mobile devices, distributed energy generation, and remote assets. And when you add to that global supply chain attacks for hardware and software, you have a picture of an increasingly challenging operational landscape.

It’s no surprise, then, that the number of attacks on energy assets is also on the rise.

This article is part of the ‘Future Energy Perspectives’ series on Power Engineering International, in which experts from Siemens Energy share their insights into how we can move towards a decarbonised energy system.

Like all critical infrastructure, they are a key target, be it for profit, terrorism, or geopolitical reasons. At the same time, attacks are also becoming more sophisticated and attackers are better equipped, with operations run by nation-states and cybercrime organisations. As a result, attacks target more and more operational technology, a problem exacerbated by the convergence of OT and IT.

Fittingly, the research and consulting firm Gartner predicted in 2022 that by 2024, “a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack”.

The cyberspace arms race

To illustrate the risk, there are plenty of well-documented, high-profile attacks to choose from.

The infamous 2015 multi-stage hack of a Ukrainian utility, for example, started with a phishing attack and ultimately resulted in a blackout affecting around 225,000 households. In 2021, the US Colonial Pipeline was affected not by an oil leak, but by a leaked password obtained by ransomware attackers, resulting in a six-day shutdown. Consumers panicked as fuel prices surged in response to the supply shortage.

These examples are only the tip of the iceberg, as industry insiders report that cyberattacks regularly result in operational disruption, power failures, property and environmental damage, and in some cases, even physical injuries.

Due to its very nature, one challenge will be ever-present in the world of cybersecurity: there is no way of futureproofing assets against unknown cybersecurity threats.

While you can get a gas turbine hydrogen-ready so it can burn 100% hydrogen in a few years without any major upgrades, cyber hardening energy infrastructure cannot be carried out in advance in the same way. Instead, operators are in a constant arms race with the attackers.

Defence in depth

All of this has operators rightly concerned. Ultimately, this is a good thing, because it will instigate positive change.

Today, it’s clear that industrial cybersecurity is a core business competency without which reliability is not possible. Operators, therefore, must be smart and vigilant about how they apply the tools and resources at their disposal. Once they have done their due diligence, they should realise that there is a way to properly protect energy assets, even if it’s a never-ending job that requires constant reassessment.

What is necessary, in essence, is an adaptable approach for all products and solutions in operation. An important part of this is the ‘defence in depth’ concept.

It consists of three consecutive protective layers that are coordinated with one another. The first is physical security; one example is physical access control with biometric recognition to keep attackers out of power plants.

The second line of defence concerns network security. For example, critical networks can be secured with firewalls and virtual private networks (VPNs), by creating subnetworks, and by ensuring communication is encrypted. This is especially important for any communication with edge devices or the cloud. It also concerns remote-controlled assets such as the gas-fired power plant in Leipheim in south-western Bavaria, which is designed to help with grid stability in case of an emergency.

The third protective layer is systems integration, which protects terminals and automation systems by way of various access limitations, as well as antivirus software for malware protection. This includes monitoring and analysing network traffic, where AI can play an important role in keeping track of large data streams.

Additionally, today, ‘zero trust’ technology is often included, meaning that even within restricted networks, verification for any action is required and only minimal access is granted. And, in case of emergencies, the equipment should also safeguard the availability of all resources through backup and recovery solutions.

Defending the energy sector against cybersecurity enemies. Image: Siemens Energy

Security by design

Of course, at the core of all these layers are assets and components that need to be secured as well – and that should ideally be done before they are integrated into a power plant.

An essential part of this is the ‘security by design’ concept, in which systems are designed from the ground up with a special focus on cybersecurity risks so as to reduce the attack surface from the start.

That’s also why technology providers like Siemens Energy employ cybersecurity experts for their complete portfolio. They ensure various cybersecurity requirements for different products and customized customer solutions are met.

An important part of this is fulfilling the lead cybersecurity standard IEC 62443, which requires, among other things, that systems are regularly patched and that supply chains are secure.

As power plants often have a life span of three to four decades, it comes as no surprise that some of their legacy components lack the latest cybersecurity functionality required by the cybersecurity standards mentioned earlier.

But that doesn’t mean they can’t be retrofitted.

Today, it’s possible to add sensors or other monitoring devices to a component so as to collect data and send it to a control system for analysis.

These are all important technical building blocks for securing your operation. But all of it would be worth little if one didn’t create awareness among co-workers at the same time.

In fact, today most security breaches can be traced back to human error. That means it’s essential to hold regular training sessions and to make sure IT staff consistently implement security measures. It also includes ensuring basic cyber hygiene, such as two-factor authentication, being wary of phishing attempts, and regular software and hardware updates.


Cybersecurity in a tight labour market

That’s a long checklist, but who takes care of it all?

While cybersecurity is an essential concern of any operator, it takes specialists to implement most of these measures, and those are scarce. The 2022 Cybersecurity Workforce Study found that while today’s global cybersecurity workforce is estimated at 4.7 million people, it still faces a shortage of an additional 3.4 million cybersecurity workers.

This tight labour market makes it challenging for small and mid-sized companies to build their own cyber expertise. So, with ever-evolving cyber legislation putting an increasing responsibility on security solutions, providers like Siemens Energy have been working for some time to build in-house expertise and dedicated cybersecurity teams whose services their customers can rely on.

As a result, these specialist teams are getting better at ensuring the implementation of security concepts for all phases of an asset’s lifecycle. They do this based on a risk-based analysis, meaning security efforts are focused where it matters most.

If an energy company does not have the resources itself, it can buy these services from technology providers and free up the time to concentrate on plant operations.

Supply chain security

For security providers, threat intelligence is an essential part of their work. This entails constantly searching for information on threats and vulnerabilities in thousands of software and hardware components that are built into power plants and power grids.

Information on vulnerabilities can be found among many sources, such as official security advisories, vendor support pages, and security communities.

It’s work that must be done over the entire lifecycle of these components – a task usually too large for many energy companies. For instance, even if a vulnerability is discovered, it must still be evaluated. If it’s a cause for concern, providers can take care of the required patches.

This way, the providers also offer crucial help when it comes to complying with regulations and international cybersecurity standards such as IEC 62443 or the EU Cyber Resilience Act. These demand, among other things, that systems are regularly patched and that supply chain security is tight.

The blackout in Ukraine in 2015 happened via control software that was infected in the supply chain. That’s why, at Siemens Energy, we have a dedicated group that defines the selection of our suppliers based on their security track record.

Good energy makes the world go round

Even with all the precautions in place, cybersecurity is a challenging, perpetual task. Crucially, therefore, if an attack is detected, there must be a clear guideline for how to react. It’s essential to have an incident response plan in case the lights do go out and, ideally, to train for the worst case by holding ‘fire drills’. External partners can also help with this, even if it’s just to validate the plan.

Overall, it’s clear that cybersecurity poses a formidable challenge for the energy industry, though it’s one that can and must be mastered.

It’s vital that this is done via teamwork with industry partners, cybersecurity providers, suppliers, customers, as well as colleagues who must be made aware of the risks. Only then will it be possible to push security continuously forward, without ever losing sight of all the good the energy system makes possible.

HOW TO… defend energy against its enemies

  • With digitalisation in the energy industry and increasing connectivity of assets, the surface for cyberattacks increases.
  • Industrial cybersecurity is a core business competency without which a reliable energy supply is not possible.
  • Energy providers can adopt a “defence in depth” that protects their assets by building consecutive protective layers.
  • Cybersecurity should be considered from the outset in product development, following industry standards and legislation.
  • Preparedness on the part of the energy provider benefits from threat intelligence, supply chain security, and workforce training – which is also offered by some technology providers.


Bernhard Mehlig is an Industrial Cybersecurity Consultant at Siemens Energy. He started his career at Siemens as a software developer for industry automation and communication applications before he became interested in cybersecurity and made it his professional goal.

He has been working in the cybersecurity field for 10 years now. During this time, he supported customer solution projects on cybersecurity issues covering the entire solution lifecycle, from building secure system architectures to evaluating cybersecurity risks and ensuring secure deployment. As a member of the corporate cybersecurity department, he now focuses on providing best practices and guidelines for all Siemens Energy business areas.