Is Europe ready for the energy transition? – European Governance of cybersecurity in a transforming power grid

(1)

1

Is Europe ready for the energy transition? – European

Governance of cybersecurity in a transforming power grid

First Reader & Supervisor: Dr. Vlad Niculescu-Dinca

Second Reader: Prof. Dr. Bibi van den Berg

Javier Trescoli Garcia s2016591

Leiden University

Crisis and Security Management Thesis

Word count: - 9000 (biblio, references, annexes)

(2)

(3)

3

“Infrastructure, at the deepest level, is not a static set of building

blocks that serves as a kind of fixed foundation for economic activity

as we’ve come to regard it in popular economic lore. Rather,

infrastructures are an organic relationship between communications

technology and energy sources that, together, create the living

economy”

Jeremy Rifkin, The Third Industrial Revolution

“Without degitalisation, the energy transition is not

happening. Without cybersecurity, the energy transition

is over”

Bianca Barth, European Policy Advisor

“The power grid is continental.

Physics does not use

passports”

(4)

4

Acknowledgements

This thesis marks a milestone in my life. When I was 18, I embarked in Valencia to pursue a double degree in Law and Political Science. The moment at writing these words, I am 26 and concluding my master (hopefully!).

I want to take this moment to acknowledge briefly the people who made helped me in the conclusion of this path.

Thank you to the people of Accenture who gave me the opportunity to do my thesis. Special mention to fellow interns Jelmer, Tamara, Basel and Filip. The ride has been fun.

Special thanks to the attention and support of Philip, Kim and my future career counsellor, Bas. Philip, thanks for introducing the issues and dilemmas emerging in the grid. It has been a long and exciting journey.

Kim, thank you for the patience and your advice. Your daily support made a difference in times I felt like giving up. Thank you for listening and thank you for your supervision. I have learnt a lot and hope to learn more.

Bas, thank you for taking the time to explain the intricacies and marvels of electricity and power grids coffee after coffee. Your fascination for energy and your hate for buzzwords has influenced me heavily and I hope to be able to continue professionally the passions this thesis has fired up. Special thanks to my supervisor, Dr. Vlad Niculescu-Dinca. From the beginning he has had patience with my chaotic self and has tried very hard to bring my ideas to the ground and get them done. I look forward to having a calm coffee after the thesis.

Special thanks to my second reader, Prof. Dr Bibi van den Berg, whose insightful input and feedback have taken this thesis to next level.

And lastly, the most important of all: my parents. Thank you for your unconditional support and wisdom in the last 8 years. The ride has been bumpy at times and the map was not clear, but I think we can say we are making it. Thank you, nothing of this would have been possible without your support.

For new beginnings, Javier Trescoli García

(5)

5

1. INTRODUCTION

The European Union’s electrical critical infrastructure is currently under a dual transformation. Firstly, a digital and technological revolution that is affecting every societal and economic sector, is leaving behind an ‘analogue’ grid and materialising into a digital-physical infrastructure called the ‘smart grid’. Secondly, since the raising awareness of the challenges produced by climate change, the EU has aimed at transitioning from a carbon-based energy system to an energy system based on renewable energy sources and an energetically sustainable economy. Both transformations of the electrical critical infrastructure must succeed in order to achieve the objectives of the EU to “give EU consumers secure, sustainable, competitive and affordable

energy by overhauling Europe’s energy and climate policies” (European Commission, 2019, p. 1).

However, even though it may seem that these two transformations are happening at the same time in the same infrastructure, digitalisation underlies the success of decarbonisation (Amelang, 2017) (WEF, 2017) (Cozzi & Turk, 2017). And digitalisation brings risks and vulnerabilities of its own to the infrastructure and processes whose functioning it aims to improve (Flick & Morehouse, 2011) (Mo, et al., 2012) (Kitchen & Dodge, 2017).

Digitalisation is described as “the growing application of ICT across the economy” (Cozzi & Turk, 2017, p. 22), which is focused on the advancement in the production of data as digital information, the analytics of the generated data and the connectivity between data, humans and devices. Due to the nature of decentralised intermittent generation of renewable sources, the smart grid has traditionally been deemed as necessary to incorporate these sources to the main grid (Ardito, Procaccianti, Menga, & Morisio, 2013). Since then, due to the increased awareness of the risks linked to climate change there is an increasing societal pressure towards institutions, grid operators and utilities to accelerate the ‘smartification’ of the grid, in order to decarbonise faster the generation of electricity and as a consequences, other energy reliant economic sectors (Perez-Arriaga & Knittel, 2016). Widespread digitalisation, according to the International Energy Agency, enables two key opportunities for decarbonisation. Firstly, the integration into the main grid of small-scale renewable and distributed sources as well as storage technologies and secondly, the incorporation of electric vehicles into the functioning of the grid (Cozzi & Turk, 2017, pp. 17-18). Therefore, the smart grid does not only benefit the energy transition and mitigate climate change, but is arguably the precondition to achieve the efficient incorporation to the main grid of a variety of technologies related to sustainable and decentralised energy generation, distribution, storage and consumption (Amelang, 2017). Whilst the three process of digitalisation, decarbonisation and decentralisation are key processes of the smart grid, these processes converge intensely, feedbacking each other, at the grid’s ‘edge’. This specific phenomenon within the smart grid has been identified by certain research institutes and specialised media outlets (Rocky Mountain Institute, 2012) (Chen, 2017) and recently introduced into the broader energy discussion by the World Economic Forum (WEF, 2017). This phenomenon has been conceptualised as ‘grid edge’. Whilst the smart grid is focused on the entirety of the grid, the grid edge is exclusively based on the interplay between the three processes and the technologies related to them. These technologies are distinctly varied, ranging from distributed energy resources, storage and electric vehicles to microgrids, Internet of Thing devices, automation systems and smart energy market platforms (WEF, 2017, p. 4) and is being provided by a variety of actors which have traditionally not been part of the electric grid,

(8)

8

such as the manufacturers of electric vehicles. Even though the grid edge phenomenon is only starting, the WEF predicts that in the mid 2020s grid edge technologies will reach their tipping point in adoption and their use will from then on grow exponentially, creating in the next 10 years a $2.4 trillion market (WEF, 2017, pp. 6-7). Whilst grid edge has not been appropriately delineated and defined, the concept itself is useful as a lens to begin to understand how the smart grid is blurring its ‘edge’ as it expands further, integrating into mobility and buildings and creating a new electric market.

Nevertheless, despite the benefits degitalisation has brought to the economy and society, this process has introduced systematically vulnerabilities and new layers of risk. These vulnerabilities and risks have affected every new degitalisation initiative, such as smart city projects (Kitchen & Dodge, 2017) industrial processes (Knapp, Samani, & Langill, 2013), electoral processes (Fidler, 2017) and especially, critical infrastructure (Greenberg, 2017, Knake 2018, Ollagnier 2018). Only recently cybersecurity has become a top priority of governments and companies (Abellan, 2018). The increasingly widespread concern for the issues attached to degitalisation is reflected in the 8% yearly average growth of the cybersecurity market (Barciela 2018, Austin 2018). In a 2018 survey CEO companies considered hackers to be the biggest risk to the economy, whilst the second biggest risk was a geopolitical event, such as Brexit (Phillips & Russell 2018).

These fears are especially present in the energy sector, which is the critical infrastructure that is the most under- attack by cybercriminals and nation states (Knake 2018, Symantec 2017). The Council of the European Union has defined critical infrastructure as “an asset, system or part

thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions” (CEU, 2008, pp. 3, Art 2(a)). The importance of the electric grid as

critical infrastructure, both underscores the lucrative and strategic opportunity for the attackers and why it is so vital to protect. In the United States, the Federal Energy Regulatory Commission has unanimously concluded that the gravest threat to the reliability of electricity to urban areas are the cyber-attacks against the digital infrastructure of the power grid (Kitchen & Dodge, 2017, p. 51). The European Union´s experts on the topic conclude similarly that if cybersecurity in the energy sector is not taken seriously, it will undermine the single digital market and the energy union which would impede the integration of the single market in the EU (EECSP, 2017). The EU has begun to implement major initiatives to face these issues. The introduction of the Network and Information Security (NIS) Directive in 2016 was one of the first steps of the EU to secure the degitalisation of transnational essential services, such as the supply of electricity and power grids (European Commission, 2017). The Cybersecurity Act which came into force as recently as the 27th_{of June 2019 (ENISA, 2019), introduces European certification systems and}

increases the role and importance of the EU’s ‘cybersecurity agency’, the European Network and Information Security Agency (ENISA). In the context of energy, other initiatives include the creation of an Information and Security Analysis Centre by DG Home and currently, the development of cybersecurity regulation for the electric sector by DG Energy. All these initiatives reflect the increasing concern for risks and vulnerabilities in the smart grid and the development of a cybersecurity governance of the smart grid.

However, the focus of these initiatives is mostly targeted towards addressing the digitalisation of the electrical critical infrastructure and developing a European governance to address the transnational nature of the European electrical system. It remains unclear to what degree the

(9)

9

EU’s emerging cybersecurity governance of the smart grid is addressing the added risks and vulnerabilities to the new digitalising, decarbonising and decentralising technologies that are converging at the smart grid’s edge and that do not fall under the competence of the grid operators. It could be argued that there might be a serious “gap” of governance in the EU’s emerging cybersecurity smart grid governance which is pertinent to analyse due to the importance of digitalisation and decentralisation in the process of successfully decarbonising the electric system and the economy. Therefore, the research question of this thesis is:

How does the European cybersecurity governance of the smart grid consider potential risks and emerging actors relating to grid edge technologies?

1. What is grid edge? And what are the potential risks for the smart grid?

2. Are new actors emerging in the cybersecurity governance of the electrical power grid? 3. What is the EU’s cybersecurity governance of the smart grid?

The research question has aimed to explain how the European governance of the smart grid is facing the potential risks of grid edge technologies. Firstly, it was necessary to conceptualise grid edge and identify the potential risks. Secondly, to identify if any potential actors were emerging due grid edge technologies. And lastly, to map the EU’s cybersecurity governance of the smart grid to evaluate to what degree are risks and vulnerabilities product of grid edge technologies (GET) being addressed. These sub questions develop and further understanding of what is currently happening at the edge of the smart grid and therefore, evaluate how exactly the European governance is addressing these risks.

1.1 Literature Review

There is barely any academic publication that attempts to conceptualize or that analyses specifically “grid edge”. Currently, grid edge seems to be used only by certain specialized media and international institutions to address the disruption and transformation that is happening at the edge of the grid. Some publications use the term and barely define it, such as reports by the World Economic Forum. It seems that everybody agrees that there are changes happening but due to a lack of term, right now “grid edge” itself seems to refer to any type of change in technologies and business models in certain aspects of the grid. Currently, there is only one academic recollection of articles (Sioshansi F. P., 2017) that aims to present a variety of case studies of new business models and deployment of GET. But in a similar vein as the report of the World Economic Forum, this published anthology does not address grid edge itself. It simply acknowledges that changes are happening and that the edge of the grid is becoming crowded (Sioshansi, 2017).

On the other hand, there is research on security issues related to technological disruption in power grids, though the researchers do not connect it to any “grid edge” phenomenon. For example, a recent research by the University of Pennsylvania, proved how dangerous high wattage devices such as, heaters and air conditioners, could be for the power grid when hacked through an Internet of Thing botnet (Soltan et al., 2018). Therefore, the issue becomes that there may be literature about the security concerns of the transforming power grid, but these have not been related and are not understood yet as product of a specific phenomenon. When it comes to technical issues, there is research related to GET, but rarely are these understood in a broader social, economic and political context or interconnected between them. Therefore,

(10)

10

there have been no papers published that specifically address the cybersecurity issues and the governance of grid edge.

Due to the importance of the issue and how unexplored the phenomenon is, the gap of knowledge identified aims to conceptualize and delineate grid edge and consider the risks this phenomenon means for European established stakeholders and the current electrical grid.

1.2 Academic relevance

As the introduction and literature aim to portray, “grid edge” is an under researched phenomenon that requires to be addressed and conceptualized. It’s a term that is being used loosely in specialized circles, seems to have an increasing market in the following decade (WEF, 2017) and could eventually become as common place as “blockchain”. The gap of knowledge this thesis especially focuses is the absence of a conceptualization and delineation of what risks for the grid and stakeholders are produced by the implementation of GET. As the phenomenon is currently still in an embryonic phase, its analysis has allowed to understand the dynamics and characteristics, what stakeholders are emerging, how it has affected established stakeholders, what is the current cybersecurity governance and its possible evolution. Furthermore, in the context of the EU, exploring how the cyber-dimension of the transnational CI is managed allows to further explore how governance of security coordinated from supranational institutions and what this could mean for national governments.

1.3 Societal relevance

By adequately conceptualizing and delineating the grid edge landscape, the stakeholders and the current governance model and practices within the landscape, the research can be useful for different stakeholders to both understand their own position within the emerging ecosystem and their responsibility in its cybersecurity governance. The research is especially important for two type of stakeholders: distribution system operators (DSOs) and policymakers. The former is an established grid operator that distributes low voltage electricity between the grid and consumers, but now due to the changes that are happening beyond the distribution phase the DSO is under more pressure to change and adjust to the emerging ecosystem. The latter are policymakers that may still not see the risks for the electric power grid and might have to develop regulation and networks to secure a successful energy transition, because as an energy expert mentioned “Without digitization, the energy transition is not happening. Without

cybersecurity, the energy transition is over”. This statement shows the conundrum of requiring

information technology to successfully transition towards a new energetic model but how this transition increases risks and threats.

1.4 Reading Guide

The first chapter has introduced the topic and the research question. The second chapter is dedicated to the historical background of the inception and development of the grid, followed by identifying and explaining the current stakeholders and how the grid became considered critical infrastructure. The last section concludes with the current phase of the evolution of the energy system with the smart grid.

The third chapter answers the first sub question “What is grid edge?”. The first section explores technologies related to grid as described by experts and the WEF, as well as determine traditional stakeholders and emerging actors related to these technologies. Based on the data,

(11)

11

the second section will conceptualise grid edge. Lastly, the potential challenges inferred from the data and the conceptualisation of grid edge will be identified and developed.

The fourth chapter lays the groundwork for the mapping and analysis of the European cybersecurity smart grid governance by introducing in the first section the current cybersecurity framework and in the second, the relevant EU institutional actors. The fifth chapter introduces the theoretical framework, which uses Hufty’s Governance Analytical Framework (GAF) to map the conclusions from a multi-theoretical governance approach based on Multi-stakeholder Theory, Network Theory and Metagovernance Theory. The sixth chapter introduces the methodology, where empirical data is based on interviews and desktop research.

The seventh chapter is where initially the multi-theoretical approach is applied to and GAF is used to map all the insights onto one governance framework. Once the European governance of the smart grid is mapped it will be possible to fully determine to what degree grid edge risks are contemplated. These conclusions have allowed to conclude the research and extract policy recommendations that ideally would improve the resilience and security of the grid, and therefore, assure the decarbonisation transition.

(12)

12

6. METHODOLOGY

This section is divided in three sections: research question, research design and methodology. The first explains how the questions were answered and how the sub questions help further the main question. The second focuses on the broad approach towards the accumulation of empirical data and why it is suitable to answer the research question. The latter explains the specific process that has been followed and justifies specific methodological choices, which are: the interviewees and their importance within the research and the case selection of the EU. The last section is dedicated to the trustworthiness of the process and the results of the research in order to address issues of reliability and validity.

6.1 Research Question

The following question was aimed to be answered:

How does the European cybersecurity governance of the smart grid consider potential risks and emerging actors relating to grid edge technologies?

1. What is grid edge? And what are the potential risks for the smart grid?

2. Are new actors emerging in the cybersecurity governance of the electrical power grid? 3. What is the EU’s cybersecurity governance of the smart grid?

The research question aims to explain how the European governance of the smart grid is facing the potential risks of GET. In order to address the question, firstly it was necessary to conceptualise grid edge and identify the potential risks. Secondly, identify if any potential actors were emerging due to GET. These sub questions help develop understanding of what is currently happening at the edge of the smart grid. The third sub question aims to map the EU’s cybersecurity governance of the smart grid to evaluate how the European governance is addressing the risks.

Hufty’s Governance Analytical Framework is used to analyse the main question by introducing governance as the intermediate variable between the independent variable (IV) and the dependent variable (DV) (2011, p. 416). The IV is the disruption at the edge, formed by the technologies, stakeholders of the smart grid and the actors that are emerging due to GET. The DV is the problem introduced by these technologies, which have been identified as the absence of a European sector specific cybersecurity regulation, the tension between market dynamics and cybersecurity and lastly, the potential risk of grid edge becoming CI. These risks are further explained in Chapter 4, section 4.3.

Using GAF and the multi-theoretical approach allows to map the EU’s cybersecurity governance and further understand the interplay between risks, stakeholders, networks, actors, policies and institutions.

Independent Variable

Disruption at the edge of the smart grid

(technologies, stakeholders, emerging actors)

Intermediate Variable

EU Cybersecurity Governance of the Smart Grid

(DG Energy, DG Home, ENISA, member states, Commission)

Dependent Variable

Potential risks of the disruption at the edge

(absence of regulation, long term CI, market dynamics)

(13)

13

6.2 Research Design

The research’s main goal is explanatory as it aims to explain if the EU’s cybersecurity governance of the smart grid faces the potential risks of GET. This has been initially done by firstly, conceptualizing grid edge and its risks, and secondly, identifying emergent actors related to grid edge and the relevant institutional stakeholders in the EU’s governance. The next analysis aims at mapping the EU’s governance using GAF as the analytical framework and the multi-theoretical creates a holistic lens to fully analyse the scale of the European smart grid governance.

6.2.1 Data Collection

The two methods of data collection are unstructured interviews and desktop research as qualitative methods provide the data to describe and understand a phenomenon within its own context (Trochim & Donnelly, 2006, p. 158) . Initially, desktop research provided the starting point for many of the questions for the interviewees. The research is based on a variety of resources, mostly academic literature, news articles and policy papers. Due to the limited academic knowledge available specifically on the grid edge phenomenon, much of the information came from different online sources, ranging from specialized journalism of the energy sector and reports from international institutions. Because grid edge remains undiscussed in academic circles, interviews became the main source for a variety of perspectives on grid edge. Most of the interviews were conducted to address the first two sub-questions, focused on grid edge, the risks and emerging actors. The remaining interviewees were interviewed based on their position within a stakeholder group or role within an institution, in order to obtain insider insights on the governance processes they were part of.

The interviews were unstructured, which means that the structure and contents of the interview is “evolutionary, flexible and open” and therefore useful for “exploring intensively and

extensively and digging deeper into a situation, phenomenon, issue or problem” (Kumar, 2014,

p. 177). This approach was deemed the most suitable to explore and deepen into grid edge, its risks and stakeholder and governance issues within the EU. Each interviewee had a specific set of questions previously prepared, depending on their expertise or position within an organisation. Once the questions were answered, the conversation would go into details from the answers and into other questions that emerged from the previous answers. Notes were contrasted with available information from desktop research and when pertinent, other interviewees and experts.

The interviews were conducted between late November 2018 and early January of 2019. None of the interviewees who finally were used in this thesis were recorded. Due to the issues of security discussed the interviewees requested confidentiality and did not wish to be recorded. Furthermore, interviewees were not comfortable being recorded by someone they did not personally know and that currently was interning at Accenture Security, which brought up issues of conflict of interests for some interviewees. For example, an interviewee was concerned that their answers could be used to inform Accenture corporate strategies in the energy cybersecurity sector. One of the interviewees requested anonymity. Only when specific statements were extremely relevant as empirical evidence, they were requested permission to be specifically quoted on the pertinent statement. The absence of recorded proof brings up issues of verifiability; if necessary, emails where the interview is arranged can be offered as evidence that the interviews took place.

(14)

14

6.3 Methodology

The methodology used in this research emulates the methodology employed by the European Union Network and Information Security Agency in their reports on cybersecurity topics (ENISA, 2017, p. 15) as it employs a similar approach that combines desktop research and interviewees from the relevant sectors and stakeholders within the scope of research. However, there is a divergence in the analytical approach as ENISA lacks any type of framework to analyse the data it accumulates, and this thesis has aimed to analyse the data from a multi-theoretical approach. The following diagram is an example of the methodology employed at ENISA and which this research takes as guidance.

FIGURE 1ENISA´S METHODOLOGY (ENISA,2017 P.15)

The main reason for emulating ENISA’s methodology is that we share the same research premise of using a holistic perspective and exploratory approach to understand emerging risks and threats landscapes due to digitalisation and to what degree governance addresses the issues. The research process of this thesis has been developed as follows:

Task 1: Background research and the identification of experts, main stakeholders and potential actors

The background research allows to list all the possible options and evaluate whose input would be insightful and useful as well as properly asses the position of the stakeholder. In addition, it gives an orientation of what is going on and which actors are becoming more relevant.

Task 2: Desktop Research & contacting with the experts and stakeholders

The desktop research clarified what type of specific questions the student asked each interviewee, which constructed an understanding of the landscape and how the interviewees fitted in the research and in relationship to one another. In this phase, 55 potential interviewees were contacted, with only 9 making it to the final round. It was attempted to interview a representative from as many stakeholders as possible, succeeding at interviewing a representative of ENISA, DG Energy, bne, EDSO and EE-ISAC.

Task 3: Interviewing experts, main stakeholders and potential actors

The interviews provided a variety of perspectives and opinions on the phenomenon, which many would not call grid edge, but all acknowledged that there were issues of cybersecurity

(15)

15

governance. The interviews and desktop research allowed to further conceptualize and delineate grid edge and its trends as well as identify potential risks related to the proliferation of GET. It must be mentioned (though it will be developed in the corresponding section) that not all the desired interviewees were interviewed and not all the interviews were equally successful, conditioned by limitations of time and form.

Task 4: Analysis and application of the criteria operationalized from multi-theoretical framework to answers and results of desktop research

Once the EU’s traditional stakeholders of the smart grid were identified, it allowed to identify emerging actors within the smart grid ecosystem and that were related to GET as well as the corresponding relevant European relevant cybersecurity policies. Through the interviews and desktop research, grid edge was conceptualised, and risks defined, which meant that all the necessary elements were in place to map the EU’s cybersecurity governance of the smart grid according to the analytical and multi-theoretical framework and finally, evaluate if, how and to what degree GET risks were being considered.

3.4 Reliability & Validity in qualitative research understood as trustworthiness

Normally, the methodology and results must pass the litmus test of reliability and validity. Validity, refers to “the ability of an instrument to measure what it is designed to measure” (Kumar, 2014, p. 213) whilst reliability refers to capacity of the method applied to be “consistent

and stable, hence predictable and accurate” (Kumar, 2014, p. 215). Whilst quantitative research

can easily standardise their methods, qualitative research has it more complicated to be evaluated according to the values of reliability and validity (Kumar, 2014, p. 219; Trochim & Donnelly, 2006, p. 162). Qualitative methods, especially when looking for depth and variety, are limited by the type of standardisation that assure the predictability, consistency and rigidity that normally leads to reliable and valid methods and results. Due to the method of the unstructured interviews, the answers of the interviewees and the object of study being a shifting landscape of cyber risks and threats within an energy transition, it would not be appropriate to evaluate according to those principles. Denzin and Lincoln argue in these cases to substitute positivist standards such as reliability and validity by constructivist approaches that rely on trustworthiness and authenticity (Denzin & Lincoln, 2017, p. 202). According to the authors, trustworthiness is based on four indicators: credibility, confirmability, transferability and dependability.

The credibility indicator establishes whether the results of this study “are credible or believable

from the perspective of the participant in the research” (Trochim & Donnelly, 2006, p. 162)

whereas the confirmability indicator establishes whether “the degree to which the results can

be confirmed or corroborated by others” (Trochim & Donnelly, 2006, p. 163). Even though not

all participants that were reached out to comment to respond, those who did, agreed that the conclusions were sound and appropriate. Some suggested including more risks; this issue is discussed in the final chapter, dedicated to further research. Out of all the interviewees that were contacted for their position as a stakeholder, only one responded. This means that the credibility of the conclusions reached about certain stakeholders within this research could not be evaluated according to this indicator. As for confirmability, in this context, the “others” could be considered experts in the sector of cybersecurity and energy, such as professionals from security services. Those that were consulted agreed upon the risks and the current state of European governance of the smart grid.

(16)

16

Transferability establishes “the degree to which the results of qualitative research can be

generalized or transferred to other contexts or settings” (Trochim & Donnelly, 2006, p. 162)

Transferability is primarily the responsibility of the reader who carries out the generalisation, responsible to appropriately judge whether the underlying assumptions, process and results can be transferred to other contexts. In this case, transferability is obviously complicated and not immediately recommended, due to the unique nature of the EU’s institutional governance. However, the conceptualisation of grid edge and the risks could be transferred to other contexts. Dependability is concerned with “it is concerned with whether we could obtain the same results

if we could observe the same thing twice” (Trochim & Donnelly, 2006, p. 162), suggesting to keep

an extensive and detailed record of the process for others to replicate and evaluate its dependability. The methodology and research design are quite straightforward as well as the analytical and the theoretical framework being illustrated in detail which allows to understand how the conclusions were reached. However, the unstructured interviews and the possibility of shifting opinions from the interviewees, difficult the replicability of the collection of data that lead to the conclusions in the first place. In response, it is argued that despite the variety of answers, the conclusions are based on the most sound and evidenced statements, whilst those that seem more radical or less founded were contemplated to add nuance to the phenomenon but were not the base of conclusions.

In conclusion, though there are issues of verifiability because the interviews were unrecorded, this can be proven that happened though other means. On qualitative grounds, the research stands on solid foundations though there is space for improvement, i.e obtaining feedback from the interviewees that represented stakeholders. In the following chapter, the research begins by establishing the historical background and evolution of the electric grid, the process by which it became a matter of national security and the emerging cybersecurity concerns and risks.

(17)

17

2. HISTORICAL BACKGROUND

The process of electrification is a modern phenomenon, the necessary condition for our contemporary civilization (Jones J. 2003; and Parks 2017). In order to understand the current centralised regulated monopoly that is being transformed, it is neccessary to understand the economic, societal and technical context in which these regulated monopolies emerge and their evolution until today. This chapter starts with a section that briefly explains the evolution of the grid, from its inception at the the hands of Tesla, Edison and Westinghouse to the current the transition towards smart grids. The following section then explores the evolving perception of critical infrastructure and how it parallels its evolution into the matter of contemporary national security. This chapter concludes by setting up the importance of the smart grid - and with it, the importance of cybersecurity - in order to conceptualise grid edge and its risks in the following chapters and what they could potentially mean for the smart grid.

2.1 War of the Currents and the road towards a monopoly

In the late 1880s and early 1890s, the Western world was disrupted by the commercialization of electric generation, transmission and distribution by Edison’s company, the Edison Electric Light Company, who installed the first direct current (DC) power plant in New York City. This power plant, named Pearl Street Station, supplied safe, reliable and cheap electricity to the most influential and rich individuals of the city as well as its most important newspapers (Jones, 2003). In the following years, DC power plants became the standard in the US for the generation, transmission and distribution of electricity.

However, today the predominant power grid is based on alternative current (AC) transmission and distribution. This was a direct consequence of the emergence of the AC, discovered by a former Edison employee, Nikolas Tesla, and commercially implemented by a rival entrepreneur of Edison, George Westinghouse (Reid, 2016). This clash between such personalities and organizations materialized in public discourse through extremely aggressive business competition and litigation for control of the patents of bulbs and innovative electrical equipment. The journalists and engineers of the time deemed this confrontation the “War of Currents” (Parks, 2017) as Edison and Westinghouse defended their electrical system as the most suitable for widespread commercial use. Whoever emerged victorious would set the standard current for the whole process of electrification of the US. Due to international expansion of these companies into Europe and the race for the nation states within to continue their industrial growth, whatever current prevailed would be simultaneously implemented in the Old Continent (Jones, 2003).

On a technical level, Westinghouse and Tesla arguably had the upper hand for the needs of the times (Reid, 2016). DC had many limitations for systematic electrification in contrast to AC. For starters, DC power stations were limited to supplying electricity to 1 km from the station, whilst AC could transmit electricity across long distances, which it proved to the public when it connected a hydraulic generator at the Niagara Falls that transmitted electricity 300km south to New York (Jones, 2003). In addition, DC power stations became increasingly more complex to maintain as more appliances with different voltages were added to the power station. This made DC power station impractical for a society that was starting to mass electrify many aspects of its societal and economic life, an issue that the AC system did not have to deal with.

(18)

18

However, though retrospectively these technicalities may seem immediately obvious, it was not the case in those years. Most of the debate was centred around the security and risk concerns around the wide implementation of AC systems. In contrast to DC, which was far safer, AC was mortally dangerous. There were cases of workers being electrocuted by stray wires, though the number of mortal victims paled in comparison with many other causes of death of the time, such as car accidents.

Despite the association of Westinghouse and his company to the accidental death of workers and the execution of William Kemmer, AC was winning the War of Currents by the end of 1890. In addition, Edison was no longer in full control of his own company and shareholders pressured him to accept that his DC had lost the war of currents. This led to him to be marginalized in his own company and therefore, the anti AC stance he stood for. In 1892, the War of Currents would end when the financier J.P Morgan orchestrated a merger between Edison General Electric Company and an emerging rival company that commercialised AC systems, Houston-Thompson Company, creating General Electric (Jones, 2003). By then, Westinghouse and General Electric, thanks to their patents and their size, had a practical monopoly over the electrification market. The history of how systematic electrification came to be, is also the story of regulatory trends as important as the operational and technical aspects themselves. For example, a deregulated market introduced risks and insecurity that would eventually cause enough concern in the government and the public to introduce regulation, agencies and municipal committees to monitor the implementation of AC and DC systems by the electric companies. It also illustrated how despite the market being crowded with many players, two corporations, Westinghouse and General Electric, had practical control over most of the market especially due to their possession of patents, company size, unparalleled access to capital as well as their access to human and material resources. The victory of AC and the context and the position of the actors from both the private and public sector would condition how the US national grid would be developed and managed in the following decades, and by proxy, how it would be developed in Europe.

2.3 The architecture and stakeholders of the electric grid

As states understood that electrification was necessary for the development of a modern economy but required large investments up-front, specific partnerships with companies were pursued to develop the grid. States arranged special regulatory conditions that guaranteed companies exclusive legal rights in their territory to develop the grid or long-term contractual benefits that allowed companies to comfortably reap benefits from initial large investments to develop the grid. The state arranged the development in such a way that there would not be competition between companies, as either they would only operate in a specific territory or would oversee a specific aspect of the grid (Cruciani, 2015, p. 9). Enjoying this special status meant that utilities were subject to major regulations which aimed at reducing the abuse of such priviliged position within the economy. Therefore, centralized regulated monopolies and oligopolies were considered the most viable and effective manner to generate, transmit and distribute electricity in modern national economy. In the countries of the EU this system has been kept in place from the beginning of the twentieth century and has lasted until the beginning of the twenty-first century (Cruciani, 2015, p. 8). Some authors have argued that this arrangement could be considered one of the first public-private partnerships (PPP), many decades before the term was conceived (Katherine, 2010, p. 396).

(19)

19

There are three stakeholders that cooperate with the public authorities in the traditional electrical grid to supply electricity to consumers (Erbach, 2016, p. 2):

• Generators, who produce electricity through nuclear, fossil fuel, solar, wind and hydroelectric power stations. Deal with ultra-high voltage quantities in the case of certain power stations.

• Transmission System Operators (TSO), who are in charge of transmitting through high voltage lines the electricity from the generator to the distributor, which handles lower voltage. The change of voltage is handled by substations.

• Distributed System Operators (DSO), who handle low voltage distribution and oversee the network that transmits electricity to the consumers.

FIGURE 2THE PHASES OF THE GRID AND THE ROLE OF EACH STAKEHOLDER (ERBACH,2016, P.3)

Normally every member state of the EU has one TSO and a variety of DSOs, though when it comes to the latter there is a variation between countries (ENTSO-E, 2014). Germany is the only country in the EU with 4 TSOs (Next Karftwerke, 2016). These are regulated monopolies and oligopolies adapted to the specific historical and economic conditions of each country. Pre-smart grids were technically managed by Supervisory Control and Acquisition System (SCADA), as utilities and grid operators rely heavily on industrial networks and automated responses (Knapp & Langhill, 2011, p. 26). Due to the unidirectional flow of information from grid operators and utilities to consumers, the former decided how much electricity would be generated for the grid, which was estimated based on historical data (Flick & Morehouse, 2011, p. 6). In 1977, technological advancements in Automated Meter Reading (AMR) allowed to receive more accurate information remotely from the consumer, improving production and distribution of electricity. However, due to the unidirectional communication of the grid, even though estimates of consumer consumption greatly improved thanks to AMR, the utilities and grid operators had no way to follow in real-time the state of the grid. If there was a blackout, the company would not be aware unless notified by authorities or consumers of the situation (Flick & Morehouse, 2011, p. 11). Due to the regulated monopolies and the technological limitations of the functioning and management of information within the grid, the grid is “organically” centralized with only a few stakeholders in control of the generation, transmission and distribution of electricity.

(20)

20

2.3 The electric grid as CI

Due to the nature of the monopoly, the utilities had to legally guarantee a “good service” (Katherine, 2010, p. 402) through the security of supply. From a security governance perspective, it was the responsability of the utility companies to guarantee the integrity of the grid and the supply of the electricity to the consumers. However, it is safe to argue that when the initial PPPs between the state and utilities were arranged at the beginning of the century, concepts such as “CI” or “national security” were far from predominant or part of the broader security policy of the state. Therefore, even though both the state and utilities were the main stakeholders of the security governance of the grid, the original arrangement did not specifically adress the responsability of the continuity of CI on a national scale.

As the twentieth century progressed, it has been argued that the electric grid became the largest engineering infrastructure of the world (Mo et al., 2012, p. 195). Its importance transcended its size as society and the economy relied on the continuous supply of electricity to function and prosper. Therefore, its management and operation has been closely regulated by the respective national governments to guarantee supply and accessibility. The electric grid soon became such a vital aspect of any industrial nation that modern military strategic thinking from the 1930s include the targeting and bombing of electric grids. This was thoroughly put into practice in the Second World War (Griffith, 1994, p. 15). However, despite its importance in offensive military strategic planning, it would not be until the late 1990s that the government of the United States took a more active role in the protection of CI, considering it a matter of national security (Roy Rosenzweig Centre for History and Media, 2011).

There are a variety of reasons for this increased awareness towards the protection of the electric grid happened as late as the 1990s. The Roy Rosenzweig Centre for History and Media highlights three. First, the fall of the Soviet Union reduced considerably the threat of nuclear war, which until then had monopolized national security strategies and policies. The absence of the hegemonic threat of nuclear devastation gave space to raise concerns about other threats and domestic vulnerabilities, such as terrorist attacks against federal government buildings and CI. Second, CI throughout the developed world was beginning to undergo its own material transformation, due to advancements in computing, digital and telecommunication technologies, which hinted at a new dimension of risks that had not been seriously pondered until then. Third, the United States suffered two domestic bombings: on the World Trade Centre, 1993, and in Oklahoma City, 1995 (Roy Rosenzweig Centre for History and Media, 2011). These two events would lead in 1996 to the creation under President Clinton’s administration of the Presidential Commission of Critical Infrastructure Protection (PCCIP), which concluded with a report delineating the relationship between CI continuity and national security. The commission was elaborated by different federal agencies, private industry leaders and academic researchers. The PCIPP concluded in 1997 that there were relevant vulnerabilities within the country’s CI and specifically warned of the possibility of cyber-attacks (PCCIP, 1997). Furthermore, in the context of the electric grid it concluded that “the exponential growth of information system networks

that interconnect the business, administrative, and operational systems contribute to system vulnerability” (PCCIP, 1997, p. 28). In the wake of the September 11 2001 attacks and the War

on Terror that ensued, concerns of CI being continuously disrupted by terrorist attacks, both physical and cyber, would be at the forefront of national security strategies in the United States and the European Union (Burguess, 2007, p. 479). Nevertheless, in the context of cybersecurity

(21)

21

in the smart grid the European Union would take a different approach to the United States, as will be explained in the following section.

The cyber dimension of the grid has gained importance in equal proportion as the emerging smart grid. For this reason, as information and communication technology (ICT) has begun to converge with industrial operational technology (OT) to improve the functioning of the grid, new dynamics between the physical and the cyber interplay adding new dimensions of risk and vectors to be exploited by cyber-attackers (Flick & Morehouse, 2011, p. 18). From a cybersecurity approach, if the assets and the control systems that must be protected from threats are not identified and protected, it could both expose the vulnerabilities of a nation’s CI and impact the continuity of the CI. In the United States and the European Union, public authorities have a set of security standards for CI protection (CIP), which the corresponding utilities and grid operators must comply with. If not compliant with the standards set, the corresponding company will be fined (Flick & Morehouse, 2011, p. 106). From a cybersecurity perspective, normally the most important asset of any industrial process, including the grid, is the control system, the Supervisory Control and Data Acquisition (SCADA). If infiltrated by hackers, they could technically get access to information and management of the grid (PCCIP, 1997, p. 28).

The embedment of ICT into OT, which has connected industrial processes to information networks, has added a new layer of vulnerability which can play out in different ways. If the OT behind the stable functioning of the grid is air-gapped from information and communication networks, then there should not be concerns of the industrial control systems (ICS) being accessed by cyber-intruders. A physical threat, such as a terrorist bomb attack, or a malicious insider, is far more dangerous in this context. The infamous Stuxnet is the most notable case of SCADA systems being successfully targeted despite not being connected to a network. The Iranian nuclear plant’s SCADA was not hacked from the ‘outside’, but rather by an insider who inserted a pen drive with a malicious computer worm. By taking over the control system, it forced 1,000 turbines to exceed the recommended speed to the point of physical deterioration, rendering them useless (Albright et al., 2010). However, once OT and IT start to converge through digitalisation, OT increases its chances of being vulnerable to cyber intrusion from the ‘outside’. Therefore, a worst-case scenario for grid operators is if the hackers through different tactics eventually get hold of the grid’s SCADA (Knapp et al., 2013). The December 2015 attack on the Ukrainian electric grid was done through the hacking of the SCADA. The hackers deactivated seven 110 kV and 25 35kV substations for three hours, which affected 225,000 customers (SANS ICS & E-ISAC, 2016). This explains why cyber protection of CI the focuses on protecting ICS. If the industrial processes that guarantees the reliability and functioning of the electric grid are adequately protected, both on a physical and cyber level, then so is the availability and integrity of the CI of the electric grid.

2.4 Next step: Smart grids as CI

In the 1990s, in parallel to increasing concerns about the disruption of CI, there were growing issues with the reliability of the electric grid, which was having problems to forecast the energy consumption due to its constant increase in demand. The outages and power quality disturbances would lead to yearly costs to American businesses of around 120 billion dollars (Energy Future Coalition, 2002, p. 40). In addition, traditional grids were having increasing

(22)

22

problems to deal with the societal pressure of incorporating renewable sources of energy to the power grids (Energy Future Coalition, 2002, p. 74-75). The unreliable nature of these renewable sources and the necessary ICT upgrades to incorporate them challenged the governance established by the architecture of the existing grid. With the advent of information and telecommunication technologies, many energy experts, policymakers and grid operators began to see that the grid´s management could be upgraded to deal with these issues, making it ‘smarter’, which lead to the idea of ‘smart grid’ (Ardito et al., 2013).

There were added calls for digitalizing the grid as it seemed that the emerging digital economy could not develop with a power grid thought for a pre-digital era (Rifkin, 2011). The introduction of Advanced Metering Infrastructure (AMI), more commonly known as “smart meter”, substituted the Automated Meter Reading (AMR), which enabled two-way communication between the meter and supplier. This changed how information flowed through the grid and allowed to get as close as possible to live monitoring of the grid. Not only would the grid operators and distributors be able to improve the management of energy, but also it was expected that consumers would become more active in the management of their own energy. In addition, thanks to the technological developments in network and automated processes, it would allow to incorporate and manage distributed generation of renewable energy, favouring a transition towards an energetically sustainable economy. Lastly, national security would also benefit from this transition. It was defended that a grid that operated based on flexible sources of energy and improved performance due to increased automatization of industrial processes would react flexibly and automatically to outages, making the grid far more resilient against terrorist attacks (Energy Future Coalition, 2002, p. 76-79). This last argument holds special weight in the context of a post 9/11 world where there were concerns of terrorist attacks to CI and a need to increase CI resilience.

The policy-oriented definitions reflect these types of benefits within their description. From a European Union perspective, all these benefits in contrast to the previous architecture of the grid, are reflected in a normative definition that delineated that a smart grid should aspire to be an:

“…electricity network that can intelligently integrate the actions of all users connected to it—

generators, consumers and those that do both—in order to efficiently deliver sustainable, economic and secure electricity supplies. A smart grid employs innovative products and services together with intelligent monitoring, control, communication, and self-healing technologies. Smart grids development must include not only technology, market and commercial considerations, environmental impact, regulatory framework, standardization usage, ICT and migration strategy, but also societal requirements and governmental edicts” (Ardito et al., 2013,

p 253).

In general, this definition focuses on broad generalizations of efficiency, coordination and monitoring whilst also acknowledging the systematic implementation of sustainable and market-based logics as drivers, from which consumers, businesses and society would benefit. The smart grid embraces increasing complexity in its distribution and generation as it upgrades with information and communication technology that the previous grid had difficulties handling due to its own rigidity. The increasing number of sensors and devices at the ‘edge’ of the grid in homes, factories and other buildings, and the substations throughout the grid all update

(23)

23

automatically and constantly and are monitored on energy consumption and needs. The interconnected networks and automated process embedded within the operational technology allow for flexible responses to increasing demands.

The fact that the grid’s architecture is not fundamentally changed allows for established stakeholders such as TSOs and DSOs to upgrade and digitize the infrastructure according to their own needs and plans. They rely on minor stakeholders that naturally appear in emerging markets, such as renewables, smart products and devices, that must be compliant with existing standards of security. The TSOs and DSOs oversee how the grid operates and from a security perspective, how cybersecurity is articulated in the main smart grid. The whole process of digitalisation is implemented by the companies, which in many cases are supported and coordinated by governmental agencies.

In the early 2000’s, the US and the EU diverged in the strategy of protection of CI, the latter limited by its supranational nature. The US created the Department of Homeland Security as part of its National Strategy for the Protection of CI and Key Assets, centralising all security agencies into one department (DHS, 2003). In the context of the smart grid, this meant that utilities would be directly in contact with the DHS. In contrast the EU failed repeatedly to arrange a successful policy programme to protect European CI, despite the momentum generated by the 2004 Madrid and 2005 London terrorist attack (Bossong, 2013, p. 214). Each Member State had their own national strategy and it would not be until 2013 that new policies of CI protection would be attempted. In the context of the smart grid, this new strategy led to the creation of the Decentralised Energy Security Knowledge (DENSEK) programme, which would create the first European Information and Security Analysis Centre (EE-ISAC) for the energy sector. However, this does not mean the European smart grid had lacked any kind of cybersecurity approach, especially since the introduction of the NIS directive that sets the European standard for national and cross-border cybersecurity strategies. Furthermore, because critical information infrastructures were not contemplated in the original conception of European CIs, cybersecurity measures were implemented through the scope of economic competitiveness and development (Bossong, 2013, p. 215). An example is the creation of the European Network and Information Security Agency (ENISA) in 2004, which was not contemplated as part of any CI programme.

In the energy sector, since 2009 the European Commission tasked DG Energy with developing task forces with the mission of establishing standards for smart grids within the framework of harmonising a common energy and digital market (DG Energy, 2009). In contrast with DG Home’s attempts at bringing stakeholders to the table in its 2005 CI programme, DG Energy has created task forces who elaborate guidelines and standards with the input and collaboration of the relevant stakeholders of the grid. Therefore, compared with the US where the energy sector interacted with the DHS, a security actor, cybersecurity measures were being developed and arranged by European stakeholders within a broader harmonisation of regulation for the common energy market. It has only been since 2016 with the introduction of the NIS and the 2019 Cybersecurity Act, that a European cybersecurity strategy has materialised to protect ‘essential services’, which in many cases such as the power grid, could be understood as CI.

(24)

24

Currently, cybersecurity has become an increasingly important issue, both for the protection of essential services as for development of the smart grid.

This convergence has led to identify specific threats and risks related to the development of the smart grid, which have been identified by reports and presented as a recommendation by the European Commission (European Commission, 2019):

• Real-time requirements of energy infrastructure components: the Commission warns to the operators of the grid identified under the NIS directive and their technology suppliers, about the difficulties of implementing cybersecurity measures in some elements of the energy system that perform under real-time constraints. Many operations require immediate responses, which do not consider the added time required by cybersecurity measures, such as authentication.

• Cascading effects: due to the increasing interdependencies, if one element within the grid were to fail due to a cyber-attack, it could have a cascading effect throughout the system. New devices connected to the grid, including Internet of Things (IoT) devices, must be evaluated according to their criticality and their relevance in the interconnectedness.

• Legacy and new Internet of Things devices: the co-existence of older technology with a life span of 30 to 60 years with no cybersecurity considerations and modern devices, which are digitalized and interconnected, can lead to unexpected vulnerabilities. The number of devices and products, ranging from house IoT appliances to electric vehicles and photovoltaic panels, that can be maliciously controlled and used to manipulate the energy demand can endanger the stability of the grid.

This timely recommendation is in line with the scope of this research as it introduces the risks that the smart grid is currently facing and will increase in the following years. More specifically, it is the interaction between the legacy grid and the new grid edge technologies (GET) and the possible cascading effects that may ensue, which will be the most relevant.

(25)

25

3. CONCEPTUALIZING GRID EDGE

In this section, the term “grid edge” is conceptualised according to the data from existing reports and from the answers of interviewees. The first subsection explains how the concept was first used and how it slowly became mainstream in some international discourses on the future of electricity. This is followed by identifying the technologies and stakeholders that are behind the emerging ecosystem within the smart grid. Lastly, the last two sections conceptualise grid edge and identify the most pertinent risks associated with widespread commercialization of grid edge technologies.

3.1 What is happening at the edge of the grid?

The grid edge, or how it was originally named – the distribution edge – has only recently appeared within discourse. Some scholars have warned that right now it only exists within a business context that favours buzzwords (Sioshansi, 2017, p. i). Therefore, an adequate conceptualization of grid edge is necessary to begin understanding the cybersecurity challenges that emerge from the digitalisation and decentralization of the edge of the grid. However, before this conceptualization, it is necessary to explain how the emergence and consolidation of the concept today was led by a series of institutes and key media outlets.

Initially, it was the Rocky Mountain Institute that classified the “distribution edge” as a microcosm of its own within the smart grid (Rocky Mountain Institute, 2012). It released a series of reports that focused on the emerging business model, defining the distribution edge as “…the

interface between the electricity distribution system operated by utilities and the rapidly growing portfolios of energy assets, control systems, and end-use technologies at or near customers’ premises” (Newcomb et al., 2013, p. 2). According to the institute, the emerging technologies

that allow for electricity to be generated where it is consumed was fundamentally being enabled by the digitalisation of the economy and an increasing commercialization of energy related technology and services. These are called Distribution Energy Resources (DER). The distribution architecture of the grid was beginning to undergo a transformation of how it functioned. The reports emphasised how this transformation changed the established business model structure of the traditional power grid “from a traditional “value chain” to a highly participatory

network or constellation of interconnected business models at the distribution edge “ (Rocky

Mountain Institute, 2012). It was advised that policymakers would have to engage with the challenges this supposes for existing stakeholders, as the traditional and current business model would become gradually obsolete in the medium and long term.

The term “grid edge” gained traction through the specialised renewable energy media outlet and consultancy firm Greentech Media (Lucas, 2016). In the same year the Rocky Mountain Institute published its research on new business models, Greentech Media started publishing about grid edge (Thompson, 2013) and organizing events with US stakeholders in the electric distribution sector. Greentech Media focused on two trends: grid modernization and customer evolution. In addition, it defended that these trends were distinct from broader smart grid changes that were happening throughout the grid. Greentech Media began using the name grid edge instead of “distribution edge”. It defined the grid edge as comprising “…technologies,

solutions and business models advancing the transition toward a decentralized, distributed and transactive electric grid.” (Chen, 2017).

Is Europe ready for the energy transition? – European Governance of cybersecurity in a transforming power grid