Guest blog: Securing our digital energy future: trust in software resilience
Embedded technologies – low-cost microprocessor-based computer systems, made up of software and hardware and designed to perform a specific function, often as part of a larger system – are everywhere. So many of our everyday tasks are increasingly enabled by their existence. From using an electric toothbrush and driving a (modern) car to recording your daily exercise through fitness trackers and getting on a train.
This is no different in the energy sector. Embedded systems are fundamental building blocks of a truly interconnected, digitalised and smart energy system. Whilst their function can vary significantly, they are often used for sensing something in the physical environment, real-time computing to control something in response and communicating with other devices. They include everything from sensors enabling grid operators to have unprecedented oversight of their networks, to routers allowing offshore wind companies to remotely monitor the condition of wind turbines, to the 25 million smart meters and increasing number smart energy devices installed in homes and businesses across the UK[1].
The social, economic and environmental opportunities these technologies present are immense, but they also bring new risks. Oftentimes, the software underpinning embedded systems is provided by a third party, rather than the operator of the system itself. If the third party is no longer able to supply the software – for example if they have been compromised by a cyber attack or they cease operating as a business – energy system operators are left exposed. Supply chain resilience has been identified by the UK Government as one of the most pressing issues to address as it seeks to protect the UK’s critical national infrastructure and future-proof the digital economy[2]. Indeed, its Cyber Security Breaches Survey 2021[3] found that only 12% of businesses review the cyber security risks posed by their immediate suppliers.
A low-cost, but inexplicably often unknown, solution to the inherent vulnerabilities of embedded systems like smart energy devices is a software escrow agreement. At its simplest, these agreements entail the depositing of source code, or other underlying technology / data assets, by the developer with a trusted third party, that would release it to the customer (i.e. the energy system operator) in agreed circumstances. As a result, this technical insurance policy offers the long-term availability of system-critical technologies and applications, while protecting intellectual property rights, enabling energy businesses to prepare for anything and innovate with confidence. Despite its increasing use across other sectors such as financial services, many in the energy sector are not aware that such a solution exists.
We were pleased to see the UK Government recognise that robust cyber security practices will be crucial to the stability of the future energy system in its recent Energy Digitalisation Strategy[4]. We couldn’t agree more with its assertion that security should be embedded into new systems by design, to reduce the need for costly retrofitting in future. Software escrow agreements are a perfect example of a straightforward solution that, if built into embedded systems from the outset alongside other end-to-end security measures, would provide effective insurance against the risks posed by increasingly complex digital supply chains. The Government has established a new Energy Digitalisation Taskforce which is due to publish its recommendations for the next phase of energy digitalisation by the end of 2021. We hope that the Taskforce will consider the role of practical steps like software escrow agreements in enabling a secure digital energy future for us all.