Welcome to the second part of our interview with Mr. Maximilian Urban, vice-chair of the Eurelectric Working Group Sustainable Network Technology and representative of the Austrian DSOs in the Distribution and Market Facilitation Committee. In addition to his role as Information Security Officer, Maximilian is also representative of NOe Netz at E.DSO for Smart Grids and chairs the Task Force Cyber Security. He also participates in the EU DSO Entity within the Expert Group Data Interoperability and the Joint Working Group with ENTSO-E.

In this part, we explored the impact of evolving regulations on utility security, the challenges of implementation, and the future risks posed by quantum computing.
If you haven’t read the first part, we recommend checking it out before coming back to this one. Read it here.
How do current and upcoming regulations impact the way utility security is implemented, and do you think they are sufficient?

I believe the current regulations are sufficient, but let me explain which ones I am referring to. The NIS Directive, both NIS 1 and NIS 2 at the European Union level, led to the implementation of the NIS 1 law in Austria and, in only a few member states, of the NIS 2 law. However, most EU member states have yet to implement the NIS 2 law and are now in the process of catching up.

NIS 2 itself builds upon NIS 1, introducing additional measures. In our case, NIS 1 covers system operations related to energy delivery, such as SCADA systems, remote terminal units, and the communication between them. NIS 2, however, extends this coverage to the entire company. This means we must also consider processes like meter-to-cash, covering everything from meter measurement at the customer site to communication with the billing engine and the final invoice presented to customers.

Beyond NIS regulations, there are other relevant laws, such as the Cyber Resilience Act. Initially, we assumed this wouldn’t affect us, but that turned out to be incorrect. This act specifically targets suppliers, users, and sellers of equipment in the EU—especially those using equipment manufactured outside the EU. It mandates that spare parts, patches, and upgrades remain available for up to 20 years after a product is put into operation to maintain security. Initially, we thought this would only impact our suppliers, but it also affects us. For instance, some of our smart meter equipment originates from outside the EU, making us the responsible implementers within the region. This means we must ensure spare part availability and patch management for the long term.

Additionally, the Resilience of Critical Infrastructure (RCI) guidelines introduce a new perspective on risk analysis. These guidelines focus not only on IT and OT risks but also on physical security, such as protecting infrastructure from potential terrorism threats. Terrorism is not explicitly mentioned in the NIS regulations, but it is addressed in the RCI guidelines. A recent discussion with colleagues highlighted this issue—our company uses drones, which are often overlooked as cybersecurity assets. While some initially dismissed concerns, pointing out that drones do not store information, I argued that they capture images and are therefore part of our security landscape. If their control software were compromised, an attacker could steer them into critical infrastructure, such as substations, which are outdoor facilities with limited overhead security. While we have alarm systems and surveillance for ground-based intrusions, aerial threats require additional consideration. This broader security perspective is crucial.

Regarding the implementation of NIS 1 and NIS 2 across EU member states, only six of the 27 countries have implemented NIS 2 on time. The directive, released in January 2023, set a deadline of October 2024 for adoption. This means 21 member states still lack NIS 2 legislation. In Austria, we already have a draft law, which we are familiar with through our NIS authority. However, national elections in September 2024 delayed its official adoption. With a new government in place, I am confident that Austria will implement NIS 2 very soon.

Despite the lack of a finalized law, we have not waited to begin implementation. Delaying would be a mistake. Since we have access to the draft, we started implementing NIS 2 measures in 2023—about a year and a half ago. Our information security management system originally focused on system operations, covering fewer configuration items and employees. However, NIS 2 expands this to the entire company, including approximately one million smart meters and a significantly larger workforce. Recognizing this, I urged management to continue the NIS 2 project under my leadership, even before the law is formally in place. Since we know what is coming, we have taken a proactive approach to avoid unnecessary ramp-up time when the law is finally enacted.

Our operational network is physically segregated to protect against foreign cyber threats and hackers. We also rigorously test equipment to ensure there are no unauthorized communication channels, allowing us to maintain full control. However, one major security concern is the human factor. Historically, the two biggest risks we have encountered involve untested software and user behavior. To address this, we now test 100% of the software in a sandbox environment before deployment. Additionally, we conduct mandatory annual security awareness training for all personnel. We have also introduced a role-based competence matrix that outlines training requirements for specific roles, ensuring employees receive the education they need. This structured approach is particularly important for specialized roles, such as system administrators for switches, firewalls, SCADA servers, and public key infrastructure for smart meters. Given the variety of assets and systems we manage, trained personnel are essential for minimizing errors.

Another critical security measure is avoiding single points of failure in personnel management. Just as we segregate our network into smaller segments, we apply the same principle to our workforce. We have specialists in different areas, ensuring redundancy in expertise. In a large organization like ours, it is crucial to prevent any single individual from holding excessive control—what we call “head monopolists.” This is not only a risk in terms of knowledge dependency but also a potential issue if that individual is unavailable due to vacation, illness, or other unforeseen circumstances. Additionally, there is always the risk of malicious intent, which is why we actively work to distribute critical responsibilities across multiple experts.
Looking ahead, how do you see the evolution of cyber security in utilities over the next years, and what should industry stakeholders prioritize? What do you think about this, particularly in light of advancements in quantum computing?
The first step into our future is to expand the scope of our Information Security Management System (ISMS). Currently, it covers system operations, but our next step is to extend it to the meter-to-cash process. This expansion presents significant challenges, primarily due to the large number of new configuration items that will be incorporated into the ISMS.

For instance, our field operations are based in a very rural area of Lower Austria, where we have a highly decentralized service structure. More than 700 field employees work across this region, all of whom must be trained and made aware of cybersecurity protocols. Additionally, we now have 950,000 smart meters in the field—configuration items that were not previously within the ISMS scope. Until now, our focus was on SCADA systems and remote terminal units, totaling approximately 10,000 configuration items. With this expansion, we are adding nearly one million more, along with a significantly larger number of employees requiring cybersecurity training. The challenge is to extend our existing security procedures from system operations to the meter-to-cash process and ensure that all personnel are adequately prepared.

One key lesson I have learned is the importance of knowing your assets. Departments newly integrated into the ISMS often struggle when I ask them to identify all their assets, but this step is crucial. Risk measures are based on assets, and before we can apply those measures, we need to determine which assets are at risk. For example, we have identified smart meters as a high-risk asset.

Currently, Austria is in the process of defining Smart Meter 2.0. Unlike the old Ferraris meters, which could remain in operation for up to 40 years, digital smart meters have a limited lifespan of just eight years. After this period, they must be replaced entirely because they lose both their calibration and communication certificates. Instead of reissuing certificates, we replace the entire unit since technology evolves rapidly, and an upgrade is more practical. These new smart meters will enter operation in 2030.

Looking further ahead, we face an even greater challenge: quantum computing. According to consultants, by 2029, quantum computers will be powerful enough to crack cryptographic certificates in less than a day. This means that from 2029 onward, our current encryption methods will no longer be secure. We need to prepare for this now. The concept of post-quantum security is completely new for many of my colleagues. When discussing Smart Meter 2.0, most assume it’s a simple upgrade, but they don’t yet consider the long-term security implications. If a smart meter’s cryptographic certificate can be compromised during its operational lifespan, what should be done from an architectural and operational standpoint? Addressing this issue now is like trying to hit a moving target—we don’t yet fully understand all the variables involved, but we know the challenge is coming.

The fact that digital meters have an eight-year lifespan is surprising to many, especially since Ferraris meters lasted up to 40 years. However, this is largely due to strict calibration laws. Austria and Germany have some of the most rigorous calibration requirements in Europe. While older meters only required periodic sample testing, digital meters must be fully recalibrated every eight years. Given the complexity of recalibration, it is more efficient to replace them entirely rather than attempt re-certification.

Returning to the broader issue of cybersecurity, the rise of quantum computing represents one of the biggest future threats. These powerful computers will be able to decrypt what we encrypt today in just one day. Since we cannot realistically change encryption keys daily, this poses a serious risk. Physical network separation will still provide some level of protection, but knowing that encryption could be broken so quickly is concerning.

This also ties into the Cyber Resilience Act. If equipment is manufactured outside the European Union, we—the buyers and implementers—become responsible for maintaining cybersecurity standards. This includes ensuring security patches and updates remain available. The potential threat of quantum computing makes this even more critical, as we may need entirely new security measures to counteract emerging risks.

I only recently became fully aware of this issue, but I plan to bring it up at tomorrow’s cybersecurity working group meeting with E.DSO. It is essential to raise awareness, though I anticipate resistance. No one is eager to undertake the massive effort required to make our systems post-quantum secure, but we cannot afford to delay. As with the NIS 2 law, we must begin preparations well before enforcement becomes mandatory. Waiting until the last minute will be too late.
What is the most important lesson you learnt throughout your career?
I would say: stay curious and learn how things work. Let me give an example from cybersecurity. When I started working in cybersecurity in 2013, during the voluntary agreement with our regulator, I didn’t know much about it—just like everyone else. Nobody did. But I was curious, interested, and I warned people about what was coming.

At first, nobody liked what I had to say. As I mentioned earlier, people saw it as requiring too many resources, too much money, and they questioned the business case for it. The business case, however, is simple: we will not be compromised. Try telling that to a CEO—they won’t be thrilled. Their focus is on making business, not just ensuring stability. But in reality, stability is the business case.

So, stay curious. Learn how things work, even if others see you as a burden. Even if they think you’re not helping, keep going, because at some point, they will realize that you can help them. That was the best compliment I received after we completed the NIS 1 project. One of my bosses, who had been very critical of my work—particularly regarding ISMS—spoke at our final celebration. He said, “Max, you told me something I didn’t want to hear. I thought it would cost too much. But now I understand what you were saying and what you did, and I think it’s a good thing.” That was the best validation of my efforts.

This is good advice not only for young engineers but also for experienced professionals. When you enter a new field, take the time to learn how it works—and then share that knowledge with others. It applies to all engineers and, really, to people in general.
Conclusions:

Even when formal adoption of laws like NIS 2 is delayed, companies that take a proactive approach can avoid rushed compliance efforts and reduce security gaps. Acting ahead of time ensures a smoother transition and better protection.

Organizations must prepare for post-quantum security now, as encryption methods in use today will become vulnerable in just a few years. Delaying preparations could lead to significant cybersecurity risks.

Security improvements often face resistance due to cost and resource concerns, but long-term stability is the true business case. Professionals who persist in learning and advocating for security measures will ultimately be recognized for their contributions.
Question for the audience:

How can organizations balance the need for regulatory compliance with practical business considerations and resource constraints?