Comment by Emily Southgate, Senior Digital Consultant at Energy Systems Catapult, and Jake Verma, Freelance Cyber Security Consultant and a PhD student at Birmingham University.

The energy sector is undergoing a rapid transformation to meet the UK’s Net Zero goals. One of the most exciting parts of this transformation is the proliferation of digitally enabled products and services. Polestar – an electric vehicle manufacturer – and chargepoint providers are introducing bi-directional charging hardware enabling software defined vehicle to grid charging. Octopus are conducting flexibility trials, using digital infrastructure to manage demand. Electrification is continuing at pace as the share of renewables also rises. But this proliferation of digital technologies mean that if we do not get cyber security right, we could expose this essential system to new vulnerabilities.

When a program uses a chip to process data, it is able to read and write memory which is arranged in blocks. When a program calls a block of memory, memory security ensures that the program cannot access a block it shouldn’t have access to, keeping data used by other programs private. When this goes wrong, though, it introduces a potential vulnerability by exposing data. The largest sources of software and firmware vulnerabilities by wide margins are memory security issues. By Microsoft’s estimates, memory security bugs make up 70% of their identified bugs. For Google it’s close to 90% and for iOS it’s around 66% (All 2019 figures).

The proliferation of devices across the sector, many of them based on memory-insecure languages, threatens to slow or even significantly disrupt the digitalised path to Net Zero by introducing significant volumes of  vulnerabilities where there were none before. This rapid digital transformation must go hand in hand with an accompanying increase in the capability of cyber security to ensure safe and consistent operation of the energy system. The recent cyber attacks on the Danish energy sector in May 2023 demonstrate that the sector needs to be more prepared for the digital energy future. This is where the Digital Security by Design (DSbD) programme comes in.

Today’s cybersecurity focuses quite rightly on the human behavioural element, still a significant source of vulnerability. However, it is true to say that these attempts at entry to a system via the user are only part of the problem. In fact, once into a system, the objective is to exploit vulnerabilities in the systems used by an organisation. UKRI, Cambridge University, ARM and their project partners have developed a new chip architecture and prototype system-on-chip which addresses this significant problem. Capability Hardware Enhanced RISC Instructions (CHERI) extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalisation.

The Digital Security by Design programme aims to roll out the CHERI design, which can be used by the energy sector to create a more digitally secure environment for the Net Zero transition to take place in. This will be key as the proliferation of smart devices on the energy system takes hold on a large scale, reducing the attack surface of the industry will be critical to maintaining momentum.

As part of Digital Security by Design, Energy Systems Catapult are running a set of roundtable sessions within the energy sector, to understand the current state of the industry, what its key cybersecurity challenges are, and how they can be addressed by the DSbD programme. We’re looking for front-line cybersecurity experts to join in, as well as senior stakeholders, such as CISOs, to contribute.

We aim to understand:

• how the industry is preparing for the proliferation of digital devices
• how the industry is preparing their own estates for the wave of digitalisation
• the awareness of the industry of bugs and vulnerabilities caused by memory safety

This project, part of the broader DSbD programme, is the first in a long term set of initiatives that will embed a radically more secure foundation for software into the energy sector. For those in organisations who are at the forefront of building security into network operations, critical national infrastructure, upgrading systems, digitalisation of processes, or building new digital products and services, this is an opportunity to be at the forefront of a paradigm shift in system security. If you’re building the digital future of the sector, but are concerned about vulnerabilities being introduced, this is a programme you should be involved with.

For those that are working on the frontline of cybersecurity, DSbD and Energy Systems Catapult are holding an initial briefing webinar for the energy sector to lay out the aims of the programme and the key objectives. This webinar will contain more background detail on the programme and the achievements using CHERI that could address key challenges to digitalisation in the energy sector. Register your attendance for the webinar here.

Our research roundtables will engage senior energy stakeholders, the CISOs and CTOS of major energy companies, to get deep into sector cybersecurity strategy, determining how DSbD can create a more secure foundation for the Net Zero transition.

Please reach out to Emily Southgate or Jake Verma if you’d like to participate in this exciting programme.