BSI wants more responsibility for energy security

In a position paper, the Federal Office for Information Security calls for a central role for the cyber security of energy networks.


Two weeks after the major power outage on the Iberian Peninsula, the German Federal Office for Information Security is now calling for better protection for energy networks. The Bonn-based IT security authority sees an urgent need for action, particularly in the increasingly decentralized electricity sector: the number of attack vectors is increasing because more and more parties are involved in keeping it functioning. Wallboxes, inverters, heat pumps, smart meters and other devices would further exacerbate the problem.

BSI President Claudia Plattner therefore wants to be able to take better measures against external attackers. “With the intensification of geopolitical tensions, the motivation of potential attackers has also changed,” says Plattner. There is therefore an urgent need to invest in security structures, technical protection measures and resilient architectures.

“At the same time, we also have a large increase in decentralized components,” which would be desirable for now, said Plattner in Potsdam this morning, but the supply chain must be kept in focus. The existing dependence on a few manufacturers is also an issue. The BSI favors a three-stage approach: the entire operational infrastructure must be subject to basic protection, while storage systems, inverters, virtual power plants and other central components must be hardened in a targeted manner. According to the BSI paper, particularly exposed systems with a high potential for damage should also be secured to a high degree.

To date, responsibility for cybersecurity in this area has primarily been assigned to the Federal Network Agency via the IT security catalogs. The Federal Office for Information Security is consulted in the process. Today's demand is therefore also an expression of the question of how tasks will be distributed under the new black-red federal government.

At the same time, a large proportion of the smaller, new, decentralized infrastructures are covered by the requirements of the Cyber Resilience Act, among others, while other larger infrastructures are covered by the revised Network and Information Security Directive.

At the Potsdam Cybersecurity Conference, the Vice President of the Federal Office for the Protection of the Constitution, Sinan Selen, also warned of events like the one in Spain. Although this was fortunately limited in time, there is no guarantee: “A major blackout is nothing less than a super-GAU in the digital age.” The consequences of a power outage would be all the more devastating the longer it lasted – ultimately, there would be a risk of public order collapsing. This scenario does not necessarily have to be triggered by a hostile aggressor, said Selen: “It makes a lot of sense to think in worst-case scenarios and reflect on the worst-case scenario because we are living in very serious times.”

Volker Strotmann of the German Federal Agency for Technical Relief said in Potsdam that one problem in such situations is that society has so far been underprepared for such incidents. “We are not the insurance company for everyone, we need to get this mindset out of people's heads,” said Strotmann, CIO of the THW.

“The resources that all aid organizations have are finite. What we can produce in terms of drinking water is finite. What we can provide in terms of electricity is very finite,” he said, warning against illusions in the event of a major and prolonged blackout. A certain level of resilience cannot be achieved on a voluntary basis.

(mho)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.