In the second part of the Smart Talks webinar, the conversation with Mr. René Boringer, Vice President of ESMIG’s Executive Committee and CEO of Cuculus; Mr. Maximilian Urban, Vice-Chair of the Eurelectric Working Group and Information Security Officer at Niederösterreich Netz; and Mr. Brecht Wyseur, Director of Cybersecurity Standardization at Kudelski IoT and Board Member of the DLMS User Association, shifts toward mindset changes, long-term preparedness, and navigating future threats like quantum computing.
Our panelists explore what utilities need to rethink, how to deal with the influx of third-party devices, and whether current strategies will hold up in the fast-changing digital landscape.
In a rapidly evolving landscape of technology, regulation, and security, what do you think is the single most important mindset shift the utility industry needs to make?
René Boringer:
We need to be guided by a vision—what I call the triangle of affordability, sustainability, and security. Utilities should continuously refer to this vision, rather than simply replacing one technology with another. The goal should always drive the choice of technology, not the other way around. This requires an end-to-end perspective, where security isn’t isolated in one department but viewed holistically. Someone must oversee the entire scope to ensure decisions are aligned with broader goals and implemented efficiently.
Maximilian Urban:
I’d add two thoughts. First, stay open-minded toward new technologies—they can be both a threat and a solution. Take AI: it’s all over the media, and it’s both a risk and a potential remedy. Second, treat security as a closed-loop process. Analyze your risks, implement measures, and then evaluate whether the risks have decreased. If not, take further action. Old technologies in the field can still be major vulnerabilities. We must stay active in the cycle of risk management—always analyzing and adjusting.
Brecht Wyseur:
There are a lot of new technologies emerging—AI, new wireless communication protocols like RedCap and DECT NR+, and smart home standards like Matter. At the DLMS User Association, we’re creating companion profiles for these new device types. My advice is: embrace new technologies and see how they can improve network resilience and enable new use cases. But don’t forget—they come with new threats, so you must think about how to mitigate those risks using available standards and security features.
As we move toward a decentralized energy landscape, how prepared is your organization to adopt zero trust principles and validate the trustworthiness of every connected device?
Maximilian Urban:
We apply Zero Trust strictly—no external devices are allowed. Only our own certified devices can communicate in our smart meter network. Customer-owned devices like inverters are placed in separate communication sectors, or even physically isolated networks. There’s no way for those devices to jump into our secure communication sectors. Everything is verified before deployment.
We don’t trust devices from manufacturers outright—we test every batch. For us, 100% sandbox testing is mandatory before integrating any device into our network. We have about a million smart meters, and each sample goes through full validation. Only after that can it be installed in the field. It’s a logistical challenge, but necessary.
Brecht Wyseur:
I have a slightly different view. While testing smart meters before deployment makes sense, it’s not realistic to have complete control over every device that connects to your grid—especially with the rise of EVs, heat pumps, and so on. Zero Trust means designing your system as if the attacker is already inside. That’s where third-party certification comes in.
At DLMS, we’re developing features like device attestation. In our new specifications, you can verify not only that a device is certified, but also what type it is—EV charger, gas meter, heat pump, etc. Once a device has a secure identity, you can use that identity for secure communication, data protection, and trust-based interactions. If you’re a network operator, you can choose to accept third-party-certified devices and implement use cases like peak shaving securely.
René Boringer:
We started calling our system an IoT application early on—not just a metering head-end—because we saw third-party devices entering the grid as inevitable. Trying to keep them out entirely isn’t practical. For example, PV inverters can cause real problems if not properly integrated, as seen in Spain.
That’s why we built in capabilities that go beyond client demands. We use individual encryption keys per device, rather than one key per meter. Our system integrates certificate and key management to support secure onboarding of devices like EV chargers and heat pumps. These are real threats to grid stability, so we need to prepare now—not later. Trying to control everything isn’t feasible long-term.
With new regulations and quantum threats on the horizon, how confident are you that your current cybersecurity strategy will still be effective five years from now?
Brecht Wyseur:
Quantum threats are real, and standardization is ongoing. We work with NIST and other regulators to include quantum-resilient algorithms in DLMS specs. But implementation takes time—chips must be developed, certified, deployed. Device makers need time. Utilities need time. Having a migration plan within five years is feasible. Full deployment may take ten. Since devices stay in the field for 10 to 15 years, we need to start now.
René Boringer:
Yes, our strategy will still be valid—but not the specific tools we use today. Cybersecurity is a race, and you can’t stop running. Hardware changes slowly, but software and monitoring allow faster adaptation. We have to reinvent ourselves frequently to stay ahead.
Maximilian Urban:
I agree. As long as we follow the closed-loop control principle—assess risks, apply remedies, and repeat—the strategy remains valid. But quantum computing might one day break encryption faster than we can rotate certificates. If that happens, we’ll need new solutions. Cybersecurity is never a one-time fix—it’s a continuous cycle. That mindset is key.
Conclusion:
Effective cybersecurity in the energy sector requires a mindset shift where technologies are selected based on clearly defined goals, and security is integrated throughout the entire system rather than treated as a separate function. This approach enables faster adaptation in a dynamic environment and more efficient decision-making.
As third-party devices become more prevalent, relying solely on full control is no longer sustainable; instead, trust must be built through standardized verification mechanisms and secure onboarding of devices into the network. In this context, Zero Trust does not mean exclusion, but rather designing the system with the assumption that an attack is already underway.
While a cybersecurity strategy can remain relevant over time, specific tools and methods quickly become outdated, especially in light of emerging threats like quantum computing. Continuous adaptation, learning, and improvement are therefore the only way to maintain long-term security in energy systems.