A recent study by the E.U. Agency for Network and Information Security found that between 25 and 30 percent of E.U. member states have not addressed issues relating to cybersecurity. How do the European Union's cyberthreats differ from those facing the United States, and what steps is the European Commission taking to address threats? During today's OnPoint, Annabelle Lee, a senior technical executive and a cybersecurity expert at the Electric Power Research Institute, and an appointed member of a European Commission cybersecurity panel, discusses the unique cybersecurity challenges facing Europe as it works to advance its electric power grid.
Monica Trauzzi: Hello, and welcome to OnPoint. I'm Monica Trauzzi. With me today is Annabelle Lee, senior technical executive and a cybersecurity expert at the Electric Power Research Institute. Annabelle, thank you for joining me.
Annabelle Lee: You're welcome.
Monica Trauzzi: Annabelle, you were recently appointed by the European Commission to a cybersecurity panel that will assess cyber requirements for E.U. member countries. What is the EC's cybersecurity situation currently? And what are the specific threats that this panel is going to be taking a look at?
Annabelle Lee: The group, it's the Energy Expert Cybersecurity Panel Expert Group, is a group of 15 individuals that they selected. I am the only American on the team. We all submitted our applications, and then they selected the group. The European, the situation in Europe is different from the United States. In the United States, we have regulatory requirements for the bulk power system. It's called the North American Electric Reliability Corporation Critical Infrastructure Protection Standards. Europe does not have any comparable requirements on the bulk power system. They do have privacy requirements, and U.S. states have privacy requirements.
So they are looking at from a European Commission and an E.U. perspective of do we need regulations? What type of policy do we need? So they are very interested in getting input from experts on cybersecurity and looking at what best practices, recommendations and so on. So that is the goal of this group.
Monica Trauzzi: And a recent study by the E.U. Agency for Network and Information Security found that between 25 and 30 percent of E.U. member states have not addressed issues relating to cybersecurity yet. Why do you think that nearly a third of E.U. countries have not paid closer attention to this point?
Annabelle Lee: That NISA group I have participated in a number of their working groups, the utilities, and this is true around the world. If you look at the electric infrastructure in contrast to the information technology infrastructure, the -- some of the larger devices have been around, they've been deployed for 40 to 50 years. Fifty years ago we didn't worry about cybersecurity, or if you brought it up people would have probably said, what's that? What are you considering? And if you look at, again, the older technology, the transformers and generators, that was not an issue.
With the new technology, it is an issue. And as the grid is modernized, and I'll generically use that phrase, around the world, then you need to start worrying about cybersecurity. There still is legacy equipment in the United States that is 40 years old, 50 years old that has no cybersecurity in it. And when you then implement the new technology that has cybersecurity capabilities and features ... cyber capabilities and you have to deal with cybersecurity, then you need to figure out how do we put this legacy equipment with the new equipment and address cybersecurity. Because some of this older equipment, also, you can't implement cybersecurity on it. It won't. It won't operate.
So it's -- yeah, it's a difficult issue for all of the control systems. And you can't just go out and replace this equipment. The larger devices are very expensive. They're millions of dollars. And the lead time for a lot of the equipment can be one and a half, two years. So you can't just say, well, we'll just go out and replace everything. That doesn't work.
Monica Trauzzi: So as the grid becomes more sophisticated, then is there truly a way to avoid the risk?
Annabelle Lee: You cannot avoid the risk. If you look at all of, everything that we do, we drive cars. There are risks driving cars. There are risks with everything we do. You need to look at the risk and make decisions. And cybersecurity is one area of risk. If you look at utilities, they deal with financial risk, public perception risk. All different areas of risk. This is another area of risk they need to make decisions.
They also cannot spend all of their funds on cybersecurity. They have to do other things with the funding. It's required by the utilities. And so what they do is prioritize the risk, prioritize the vulnerabilities. You look at your highest-priority systems and then you make decisions about which ones do you want to look at from a cybersecurity perspective, which ones do you want to address the potential vulnerabilities and threats.
Monica Trauzzi: So as you look at the range of energy sources used among E.U. member countries, what is the unique risk posed by nuclear generation?
Annabelle Lee: Nuclear, I focus more on the electric side of this. I am not an expert on the nuclear side. We do have a representative on this panel that is an expert on the nuclear side of it. I focus more on the transmission and nonnuclear generation and distribution.
Monica Trauzzi: So you were in Brussels last month.
Annabelle Lee: Yes.
Monica Trauzzi: For the first --
Annabelle Lee: First meeting. Yep.
Monica Trauzzi: First panel meeting. What were your takeaways? I mean, how much can you share about what was discussed?
Annabelle Lee: OK. Yeah, so obviously the details of the meeting and the working groups are going to be held within the group as we're working on all the various drafts and so on. I think the takeaways, it's a very strong group of individuals. We're in cybersecurity in electric sector, and it's a small community, so I knew a lot of the people in the room. It's a very impressive group of individuals. People are committed to addressing the cybersecurity risk. The other side, and people say, well, gee, if there are all these risks with cybersecurity why are you modernizing the grid? If you look at the new technology, you look at renewable and so on, there's so much new capability and functionality that we want to take advantage of. You can only do that with the new technology. So you need to address cybersecurity as you're deploying all of this new technology.
I think the takeaway is everybody is really committed. There are two working groups. I lead one of the working groups. We have our first call next Monday. And what we're going to be focusing on in general as a group is looking at what's out there that we can use. Let's not just start over and say, gee, there's nothing we can use in terms of guidance or best practices. Let's look at what's there, and we're going to be putting together strategy for the European Commission to help them as they consider how they want to move forward in addressing cybersecurity.
Monica Trauzzi: It's a fascinating topic. I thank you for coming on the show.
Annabelle Lee: It's great. Great.
Monica Trauzzi: Yeah, more to come on this.
Annabelle Lee: Thank you.
Monica Trauzzi: Thanks.
Annabelle Lee: More to come. Thank you.
Monica Trauzzi: And thanks for watching. We'll see you back here tomorrow.
[End of Audio]