In the first part of our interview with Maximilian Urban, Vice-Chair of the Eurelectric Working Group Sustainable Network Technology and Information Security Officer at Netz Noe, we dive into the early days of Austria’s cybersecurity efforts, the challenges utilities face today, and the innovative solutions his team has pioneered—from implementing strict zero-trust strategies to launching one of Europe’s most collaborative security initiatives.
Read on to discover how a proactive mindset and cross-industry collaboration are shaping the future of utility cybersecurity in Europe.

You are holding the position of Information Security Officer of NOe Netz (part of EVN Group) and head of the department Controlling-Regulation Management-Information Security. Can you tell us a little bit more about the work related to Cyber Security in your organization?
What is your role in Eurelectric, E.DSO, EU DSO and ENTSO-E organisations?
We started as a DSO and were invited by the Austrian regulator in 2013 to address concerns about cybersecurity. At that time, the regulator feared that the introduction of smart metering in Austria could increase the risk of a blackout. In response, we entered into a public-private partnership with the regulator and signed a voluntary agreement to implement risk analysis and mitigation measures. This allowed us to enhance our information security operations.
Later, the European NIS Directive was introduced, leading to the creation of the NIS law—what we now refer to as NIS 1. While we expect the implementation of NIS 2 in the near future, it remains pending.
The NIS 1 law, enacted in 2018, designated us as an essential service operator. As a result, we were required to report to the NIS authority, which in Austria operates under the Ministry of Internal Affairs. We had to implement an Information Security Management System (ISMS) in compliance with ISO 27001 within a three-year timeframe. By 2022, we successfully submitted our report and obtained ISO 27001 certification for our ISMS.
Currently, we are preparing for our second report, scheduled for 2025. We plan to complete this process in the fall of this year, around September and October. If the NIS 2 law is enacted by then, we will adjust our report to align with its updated requirements and functionality.
What do you see as the biggest cyber security challenges for utility companies today, and how can the industry address them?
As a DSO, we have always been classified as critical infrastructure. From the beginning, we were told that our operations were essential. Initially, we assumed the scope of the NIS directive only applied to our system operations. Our company has two major functions: first, system operation, which involves the delivery of energy, and the meter-to-cash process, which measures customer consumption and generates bills; and second, supplier management for equipment sourcing.
At first, the focus was solely on system administration, which is primarily an Operational Technology (OT) domain rather than traditional IT. One of the biggest challenges was getting OT personnel to adopt an IT-oriented mindset. Although they managed IT assets, they approached them from an OT perspective. It was difficult to introduce concepts such as defining services, identifying assets, implementing authentication, and writing system administration protocols. Once we had established this framework within OT, we were able to extend the Security Management System (SMS) to the rest of the company.
Although this expansion introduced a significantly larger number of assets in the meter-to-cash process, it was easier to implement security measures because this part of the business is predominantly IT-based. We could clearly apply our information security activities.
The second major challenge we faced was supplier management. Since we do not produce our own equipment, we rely on external suppliers. Ensuring that the equipment we purchase meets cybersecurity standards required a new approach. We had to establish clear guidelines for testing and verifying equipment before deployment, define when and how to conduct these tests, and manage supplier maintenance personnel. We also needed to determine under what conditions suppliers could access our sites for activities such as patching.
Information security is a zero-trust business, so building trust while maintaining strict security controls was a significant challenge. Some suppliers initially lacked cybersecurity awareness and did not fully understand where their equipment would be used or how critical it was to our operations. We had to teach them that producing and operating cyber-secure equipment is important to us.
Regarding foreign manufacturers, particularly Chinese suppliers, there have been various concerns. For example, one story claimed that when a certain meter was turned on, it automatically connected to a server in China and transmitted data. This raised the question of how to ensure that data is only sent where we want it to go and not elsewhere.
In our case, we do not see this as a problem because we manage it. We have multiple smart meter suppliers, including one from China, but we follow a strict zero-trust strategy based on ISO 27001. Our approach requires that all hardware be tested in our laboratories before installation at customer sites. Every component undergoes a 100% testing process. We do not use the firmware that comes pre-installed on the meters; instead, we erase it completely and replace it with our own software. This software is tested in our sandbox environment before deployment, ensuring that we know exactly how it functions.
This process forced our suppliers to adapt to our strict requirements. Many initially thought of a meter as just another piece of hardware, but we consider it a critical configuration item. When new meters arrive in our storage facilities, we reconfigure them before installation. However, this requires additional logistics and expertise, making it a resource-intensive process.
Once meters are deployed in large numbers—whether in batches of 1,000 or 100,000—the challenge becomes ongoing management. Our approach includes physical security measures: each meter is sealed, and if a seal is broken, the meter is immediately classified as compromised and removed from service. Additionally, all communication between meters and our systems is encrypted using public key infrastructure (PKI). Each smart meter contains 16 unique cryptographic keys, ensuring secure communication. To gain unauthorized digital access, someone would have to break these certificates. We use the strongest cryptographic methods available today.
However, we are aware that quantum computing is rapidly advancing. Our consultants have warned that once quantum computers become powerful enough, they could break current encryption keys within a single day. At that point, we will need a different system.
While we have not yet experienced cyberattacks on our operational IT, we remain vigilant. Our operational IT is physically separate from our economic IT and is not connected to the internet. We do not even allow demilitarized zone (DMZ) connections. Whenever maintenance is required, personnel must be physically present at the site, and remote maintenance activities are strictly monitored.
This strict network segmentation is a fundamental security measure. We divide our communication grid into smaller, isolated segments, making it difficult for an intruder to move from one section to another. By avoiding any physical internet connections, we minimize the risk of external cyber threats.
Regarding consumer concerns, there has not been much public discussion about cybersecurity. Unlike in countries such as the Netherlands, consumer organizations in Austria have not focused on this issue. Instead, the main debate has been about whether smart meters should be mandatory.
Austria implemented a full rollout of smart meters from 2019 to 2022, and very few consumers opposed it. However, smart meter installation is required by law, so there is little room for refusal. Consumers can opt into a 15-minute metering cycle, which allows for more detailed energy usage data collection. Those who do not opt in only have a monthly consumption value transmitted for billing purposes.
Interestingly, people who initially resisted smart meters often have no issue opting into an energy community, which requires the same measurement cycle. Their perspective changes when they see a direct benefit.
The main reasons for rejecting smart meters included concerns about electromagnetic radiation—despite the fact that they all had mobile phones. Others distrusted the idea that smart meters could reveal whether someone was at home or what they were doing, such as which television program they were using. So it was mainly about data security.
Can you share some best practices or innovative solutions that have been successfully implemented to strengthen security in utilities?
Yes, this is a good question, and it’s not the first time I’ve been asked. The technology for cybersecurity is already available—it just needs to be implemented. Of course, some solutions are more affordable, while others are more expensive.
One of the most significant steps forward in Austria was the collaboration among all DSOs after we started the voluntary agreement with the regulator. This cooperation led to the co-founding of an energy CSIRT (Computer Security Incident Response Team), which is now called Austrian Energy CERT (Computer Emergency Response Team).
This was quite surprising because, historically, the utility sector in Austria was not particularly interconnected. Although we all operated in the same sector, there wasn’t always a strong exchange of information. However, with the establishment of the Energy CERT, we agreed that when one DSO encounters a cybersecurity issue, we report it to the CERT. The CERT then warns neighboring DSOs to be on alert or take preventive measures. Every DSO supported this initiative, making it a best practice within Europe.
Through my work in European cybersecurity associations, I have learned that no other EU member state has implemented such a system at this level. We are very proud of this achievement. After successfully operating the Energy CERT for three years, we are now taking the next step.
In the Energy Sector Management Systems (ESMS) we operate, we are required to run a Security Operation Center (SOC). We recently decided to establish a cooperative SOC, operated by the same company that manages the Energy CERT. Just two months ago, we began building an Energy Security Operation Center (E-SOC) to further enhance cybersecurity within the sector.
This decision was based on our positive experience with the Energy CERT. Additionally, our holding company, EVN, had already started building a security operation center, and while we have one at the holding level, we still decided to establish one specifically for the energy sector. These SOCs will be interconnected, ensuring a higher level of security.
For example, if an incident occurs in Salzburg and does not initially appear in our own systems, we can still receive information from the shared SOC and act preemptively. Even though each company operates its own SOC, we maintain a direct connection to the Energy SOC in Austria. This level of cooperation and trust within the sector ensures that incidents are reported, mitigation measures are shared, and proactive actions are taken.
This approach is forward-thinking and focuses on prevention. If one DSO experiences an issue, it is likely that others will soon face the same challenge. By sharing alerts and collaborating, we can prepare in advance, perform necessary checks and mitigate risks before they escalate.
Conclusions:
Utilities must implement strict zero-trust policies to safeguard their infrastructure. This includes firmware replacement, encrypted communication, and rigorous supplier controls to prevent unauthorized access.
Austria’s Energy CERT and sector-wide SOC enable real-time threat sharing and coordinated responses among DSOs. By working together, utilities can detect, prevent, and mitigate cyber threats more effectively.
As quantum technology advances, current encryption methods may become obsolete. Utilities must start developing post-quantum cryptography to ensure long-term cybersecurity.
Question for the audience:
What do you see as the biggest challenge in securing smart metering infrastructure, and how can the industry address it?