RESEARCH REPORT

In brief

In brief

  • It is becoming critically important to secure the connected energy ecosystem as cyber attackers are constantly evolving.
  • Rapid growth and increasing complexity of the ecosystem has outpaced the development of national and international standards.
  • A zero trust security model should be adopted as many domestic users have little knowledge of security practices, which could be exploited to penetrate the ecosystem.


Connected energy ecosystem trends

Government regulations and financial incentives to establish clean, renewable connected energy ecosystems are a powerful driver for change. These are creating new power consumption and generation models, leading to a rapidly evolving connected energy ecosystem with clean, renewable electrical power generation and storage technology integrated into buildings.

By combining these with other smart building technologies, even more energy efficiency and cost reductions can be achieved. This results in an energy efficient building ecosystem that automatically self-optimizes to maximize user comfort while reducing carbon emissions, building operations and maintenance costs.

Electrification of transport is another significant part of the connected energy ecosystem. Although electric vehicles (EVs) make up a small proportion of vehicles on the road, sales are rising as battery technology improves. Current global projections indicate that one in ten vehicles purchased in 2025 will be battery-powered and by 2040, the world will need some 12 million public charging points and $400 billion spent on infrastructure.



Security risks and challenges in the connected energy ecosystem

Like many new technological areas, the connected energy ecosystem has been driven by individual or competing entities with a focus on consumer uptake and profitability. Cybersecurity and ease of integration with other systems has often been an afterthought. This has led to an extremely heterogenous and rapidly expanding ecosystem which has outstripped the ability to create national and international regulations or frameworks to ensure that components can interoperate securely. However, the diverse range of technologies and lack of standardization is not the only challenge to security. There are also challenges in securing the processes and people that operate and use it.

Security requires a seamless combination of people, process and technology

Regulations in the connected energy ecosystem

The decentralized and international nature of the connected energy ecosystem means that it is impossible for any individual participant to enforce a consistent and holistic approach to security across the ecosystem. The adoption of international standards is therefore becoming a priority.

Front running countries such as the Netherlands, France, Germany and the UK are beginning to introduce regulations to protect their connected energy infrastructures, but international standards are required to ensure interoperability of devices operated in different countries and guarantee safe and secure integration.

A paradigm shift: Moving from assuming trust to proving trust

Typically, security defenses have focused on perimeter defenses to restrict access to trusted, authenticated identities, but trust-based models fail spectacularly when trusted identities are stolen or misused. The COVID-19 pandemic accelerated the move to remote internet connectivity for work and e-commerce, and many organizations were unprepared for this sudden transition. With greater reliance on on-line channels, the cyber threat ruthlessly exploited this lack of preparedness for safe remote access.

Moving to zero trust

Because of its extremely diverse range of technologies, service providers and users, the connected energy ecosystem is particularly vulnerable to breaches of trust. Although it can be reasonably expected that an e-mobility service provider or microgrid operator will have security defenses integrated into their solutions and security-aware teams to monitor and maintain them, the same cannot be said for households running connected energy solutions. Many domestic users of connected energy solutions have little or no knowledge of good security practices. They may have obsolete and insecure devices connected to their home networks, making them a prime target for hackers wishing to penetrate the ecosystem.



Most domestic users of connected energy solutions have little or no knowledge of good security practices

How to implement zero trust models

All security models require strong governance. Zero trust security is no different, but it is based on five fundamental pillars; users, devices, network, application and data, supported by a strong foundation of automation and analytics to enable it to scale.

Key components for strong zero trust security governance are:

  • Understand your business operational priorities and protect these with appropriate security controls. This ensures that the most robust security defenses and controls are used to protect business-critical assets and operations.
  • Understand the users, devices, information flows and data within your organization and establish a set of automated rules to control access to and use of them.
  • Review the secure software development lifecycle process (SSDLP) regularly to ensure that it evolves to adapt to new technologies and threats.
  • Create an organizational structure with clearly defined security roles/ responsibilities (ownership, responsibility, terminology and reporting, including interaction with regulatory authorities and tracking of security roadmaps).
  • Raise security awareness through regular employee security training so that bad practice is eliminated, and good security practices are engrained in your organization.
  • Automate security processes and rule checking whenever possible to ensure simplification and a standardized approach to enforcement in a non-intrusive manner.
  • Understand how your offerings will be used outside your organization (e.g., devices, services or solutions), and incorporate security mechanisms that eliminate the possibility of intentional or unintentional misuse.
Subscription Center
Stay in the know with our newsletters Stay in the know with our newsletters