Welcome to the second part of the interview with René Böringer, Vice President of ESMIG’s Executive Committee and Co-Founder and CEO of Cuculus GmbH.
In this part, René critically examines the pace and relevance of today’s cybersecurity regulations, calls for system-wide security by design, and shares his thoughts on preparing for the quantum computing era. He also reflects on the mindset and patience needed to drive meaningful change in an industry that’s constantly shifting.
If you haven’t already, read the first part of the interview here.

How do current and upcoming regulations impact the way utility security is implemented, and do you think they are sufficient?
Are the current regulations sufficient? No, that I can already say. There’s a lot of thought and effort being put into regulatory frameworks, and they are meant to help utilities make the right decisions. I see regulation as guidance that pushes utilities beyond their commercial interests toward investing in things that serve the common good. Security is a perfect example of that. Everyone agrees it’s important, but it’s often the first thing sacrificed for the sake of cost, efficiency, or simplicity.
In the past, I used to say that when comfort hits security – which are usually in conflict – comfort always wins. People will eventually take the easy way, even if it’s less secure. That’s where regulation plays a crucial role. It ensures that everyone follows the same rules and carries the same costs. Nobody can gain a commercial advantage by cutting corners on security. From that perspective, regulation is essential.
But there’s a big problem: regulation is incredibly slow. Changing regulatory frameworks at the European or national level takes years – sometimes 15 to 20 – comparable to the time it took to build the internet from zero to as we know it today. Meanwhile, technology is evolving at a much faster pace. That gap is growing year by year. So we need to rethink how regulations are defined and how quickly they’re implemented. One of the biggest issues we face is that regulation simply can’t keep up with the speed of technological development.
To make that more tangible, consider the example of smart metering. When we invest in smart meters today, we expect that investment to last for at least 10 to 15 years. So whatever is implemented now needs to be secure enough to withstand the attacks that might come a decade or more from now. But do we have any regulations in place today that truly support that long-term vision? That’s a major concern.
We’re still in the process of implementing older frameworks like NIS 1 and the rules derived from it. Everything else – like NIS 2 – is still ahead of us. But the threats aren’t waiting; they’re already here. At the same time, we’re starting to implement new functions. For example, in Germany, flexibility management is already moving us in a new direction. As soon as we introduce two-way communication – where we can not only read measurements but also influence and control production, injection, and consumption of energy – new requirements emerge.
And we’re beginning to see that reflected in practice. At the RFI stage, and in some early RFPs, utilities are now asking for compliance with the newer frameworks. But the vendor landscape isn’t ready yet. There aren’t many out-of-the-box solutions that can be labeled as compliant. Everything still needs to be built, and we’re going to see many variations in how those new regulatory demands are interpreted and implemented.
Looking ahead, how do you see the evolution of cyber security in utilities over the next years, and what should industry stakeholders prioritize? What do you think about this, particularly in light of advancements in quantum computing?
Looking ahead, I believe that the focus in smart metering will shift away from just looking at the meters themselves and the communication link between meters and backend systems. Instead, the industry will move toward a more holistic approach, focusing on use cases end-to-end. This will mean moving away from building IT systems in isolated blocks – one vendor, next vendor, and so on – and then trying to enable security here and there. Security needs to be built into the entire system by design, from start to finish.
If a component in the system can’t meet high security standards, it should be replaced, rather than having its issues mitigated by weakening the overall security of the system. This shift requires viewing security as a holistic problem that encompasses the entire organization, including IT systems, internal processes, and the people working within and outside of utilities. Everything must be taken into account when aiming for a secure environment. I would emphasize the need for resilient systems, capable of reacting to unforeseen events like day-zero attacks, and ensuring the system remains operational.
We do have several standards and best practices that outline how systems should be implemented with protection by design. However, implementing end-to-end security is still extremely difficult because utilities are often divided into separate departments: IT, communication, processes, and subject matter experts in various use cases. These departments must collaborate across the entire system, but often they work on different parts of the project at different times, which hinders a truly integrated approach.
To address this, we need shared best practice frameworks between utilities. These frameworks should guide how utilities can build systems that cannot simply be secured by throwing them into a room and closing the door. These systems need to communicate with each other, and we lack sufficient frameworks that span the whole utility, incorporating all involved departments, to build a robust end-to-end security solution.
In terms of standards, we need integrative solutions that provide a holistic approach to security, ensuring all departments are aligned in protecting the entire system.
Looking even further ahead, particularly with the advancement of quantum computing, we must consider how we are designing regulations and standards now to withstand the threats of the future. Quantum computing will undoubtedly be used to both protect systems and, potentially, to attack them. This creates an ongoing race between securing systems and exploiting vulnerabilities, and utilities need to be proactive in this race.
To approach this, I categorize threats by their probability, impact, and the cost of mitigating those risks. We need to consider what could be attacked by quantum computing – whether it’s the meter key, a key management system, or the simulation of the entire grid. Each of these scenarios requires different protections. The challenge lies in preparing for these possibilities, and while there’s no definitive solution yet, it’s clear that the industry needs to start planning for the potential impact of quantum computing.
The key challenge we face is not only dealing with current threats but also preparing for future ones. This will require continued research, adaptation, and collaboration to stay ahead of potential risks. It’s an ongoing race, and utilities must be ready to evolve continuously to meet the challenges ahead.
What is the most important lesson you learnt throughout your career?
The most important thing is that there’s always a way. You just have to find it. And if it feels like there isn’t, then it’s worth asking a few more times why certain things need to be done the way they are – or whether there are alternative ways to implement them. That mindset fits perfectly with the topic of cybersecurity. If a system can’t be protected with one specific security measure, maybe there are other ways to mitigate the risk. Maybe there’s a way to avoid being completely impacted or shut down. Thinking outside the box is critical. That’s the first lesson.
The second is that everything takes much longer than you expect. Patience is essential. High-security solutions for metering have been available for more than 15 years, yet even now, when starting a new project, we sometimes find the security level is where it was over a decade ago – levels we were already arguing against back then. Still, we don’t give up hope. Things may change.
This perspective comes not only from being a co-founder but also from my background in electrical and telecommunications engineering. From a technical standpoint, everything I’ve said holds true. We’ve seen many technologies emerge, but adoption always takes time. The positive trend now is that the cycles are getting shorter. Attacks are evolving faster – but so are the solutions. There is hope. And that’s a good note to end on.
Conclusions:
Regulations play a critical role in pushing utilities to prioritize cybersecurity, especially when commercial interests might lead them to cut corners. However, the slow pace of regulatory development struggles to keep up with rapidly advancing technologies, creating a growing gap between rules and real-world needs.
A holistic, end-to-end approach to cybersecurity is becoming essential as utilities implement more complex and interconnected systems. Ensuring security requires collaboration across departments, the adoption of shared frameworks, and designing solutions that can withstand future threats, including those posed by quantum computing.
Success in securing utility infrastructure depends not only on technical solutions but also on mindset and perseverance. The industry must remain flexible, question assumptions, and be prepared to adapt continuously as new risks and opportunities emerge.
Question for the audience:
In a rapidly evolving landscape of technology, regulation, and security, what do you think is the single most important mindset shift the utility industry needs to make?