Malene Hein Nybroe is Head of Division at the Danish Energy Agency, and she is one of the speakers at the large international Industrial Security Conference on 15-16-17 November in Copenhagen. At the conference, you can hear Malene Hein Nybroe’s presentation on challenges and possible solutions in light of the recent trend of attacks on the supply chain.
In this article, you can read an interview with Malene Hein Nybroe.
How did you get into working with security and how did it develop throughout your career?
I have been working with energy infrastructure throughout my career. Security of supply is a natural point of focus. Since the big blackout in Eastern Denmark in 2003, risk preparedness planning came into increasing prominence, and with the digitalization, cybersecurity became a natural add-on.
Since IT and OT systems are used to run processes that are essential for maintaining security of energy supply, cyber security is in my opinion an integrated part of the overall supply security and preparedness issues.
What are the biggest challenges within cybersecurity in your eyes?
The biggest challenge is to keep up with the development of both the digitalization and the evolving risks within the cyber domain. Another challenge is the lack of general awareness of cyber-attacks being part of hybrid threats and that even smaller, rural energy companies can be targets of advanced cyber-attacks. The challenges include the security of the IT and OT systems that the sector depends on, but also the fact that more and more systems are expected to be connected to the internet. These challenges come at the same time that the green transition is changing the energy system with lots of new producers and prosumers that have to communicate with each other in order to maintain the balance in the energy system.
So the biggest challenge is in reality the many different changes and trends that are happening at the same time.
How do we get ahead of ‘the bad guys’?
I don’t believe that we will ever get ahead of “the really bad guys”. Both criminal groups and state actors potentially have enormous amounts of resources and can develop sophisticated tools that energy companies cannot match.
That being said, there is a lot that can be done at all levels to increase the energy sector’s collective resilience vis-a-vis cyber threats. All companies need to invest in cybersecurity and view such investments as investments in the continuation of their operations. Investments in cybersecurity training and awareness, conducting thorough risk-analyses and making security-conscious demands of vendors are things that even the smaller companies can do.
When looking forward just 5-10 years, what do you think will be different?
That is a good question – and if I could answer it, I would not be working in the administration.
Jokes aside, the ongoing transition to a greener energy system in Denmark is tightly linked to a rapid digitalization. While bringing more connectivity (and probably more efficiency) to the picture, the digitalization process does not necessarily have a primary focus on cybersecurity, thereby running the risk of introducing new attack vectors.
Another important development is the tendency among Danish energy companies to outsource their IT operations. If you do not have the necessary skills or resources in-house to manage the complex threat landscape, outsourcing can be a wise strategy. However, it also opens up the possibility that hackers may get through to you through your vendors. We have already seen a number of supply chain attacks so far. And unless the company is very observant of what they are sourcing and to which vendors, there is a risk of a mismatch between the importance of the outsourced systems and the resources that are used by the vendor on keeping the systems safe and running.
So, seeing as the general development is going in the direction of more connectivity, in 5-10 years, cybersecurity will probably, out of necessity, be a primary focus for many companies as well as national authorities.
Besides more funds for security, what do you think would make a difference in the industry?
A deeper knowledge within and education of the OT community about cyber threats. And cooperation as well as increased information sharing, both between the different experts within the companies, between companies, and between cyber security experts and the industry.
What will your keynote be about?
I will be talking about the role that the Danish Energy Agency (DEA) as an authority can play in mitigating the risks associated with IT and OT supply chains in the energy sector in Denmark. The DEA is responsible for regulating the sector and for auditing the companies. The DEA also plays a role in creating awareness about cyber security issues in the Danish energy sector, and supply chain risks are a good example of the issues that we focus on.
I hope the participants will learn about the tools an authority can use when pursuing this type of task – and what the effect of the different tools can be.
What are your own expectations for the conference?
I expect to learn a lot. I am especially looking forward to hearing Joe Slowik, who is a prominent expert in the field, and Kenneth Bjerregaard Jørgensen from the new Danish EnergiCERT, who is exceptional at communicating the technical aspects of cybersecurity measures in a manner that is understandable and relatable to the general audience.