December 1, 2025 16 mins


Zero-trust, device identity and cyber-physical resilience are now essential for securing modern energy grids. In this episode, CGI’s Andrea Grad speaks with PHYSEC CEO Prof. Dr. Christian Zenger about protecting OT, IoT, smart meters, substations and distributed energy resources (DERs) at scale. They also examine how regulations such as NIS2, the Cyber Resilience Act and the CER Directive are shaping global approaches to grid security, compliance and modernization. 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Andrea (00:01):
Hello and a warm welcome to everyone who tuned in for today's podcast. My name is Andrea Grad. I'm a lead consultant at CGI and based in Düsseldorf, Germany. In today's podcast, we will discuss the topic "From air gap to zero trust: security architectures for the energy world 4.0". But I'm not alone today.

(00:21):
Our guest is Professor Dr. Christian Zenger, who is the co-founder of PHYSEC, which is a successful spin-off from Ruhr University Bochum, specializing in OT and IoT security. Christian, it's so great to have you as a guest today. Please introduce yourself.

Christian (00:39):
Thank you very much. Happy to be here. Yeah, I'm Christian. I'm a professor at the Ruhr University, which is one of the top universities for cybersecurity in Germany. I have more than 40 professor colleagues in this topic, which maybe is an impressive number and demonstrates how strong we are here. And I got lucky nine years ago to found PHYSEC

(01:06):
together with my co-founder Heiko. Yeah, and together we developed a technology and a strong team specialized in OT and IoT security.

Andrea (01:17):
Wonderful, thank you very much. Well, with that, I think you bridged the gap to the topic, and I would suggest we start right away with the first question. Looking at today's threat landscape in the energy and utility sector, what do you see as the most common risks for energy suppliers?

Christian (01:35):
Yeah, so I think first of all, what's interesting is that the energy sector is attacked very specifically, and there are attack vectors which are really tailored to the energy sector. Next to the topic that in this sector we have a very

(01:56):
close, let's say, collaboration between the IT infrastructure and the OT infrastructure. And this means that there are different attack vectors. Number one is still ransomware against the IT, but also ransomware which by coincidence

(02:21):
swapped from IT to OT, but also ransomware which attacks OT directly. We have supply chain attacks through software updates and the update ecosystem itself, and we have also sabotage of SCADA systems from remote access operations as

(02:44):
well as close access operations, where attackers really go physically to the device and attack it. Both attacks usually aim at a physical threat.

Andrea (03:01):
Well, speaking of the physical threats, it kind of bridges the point to the IoT devices, and at CGI we often see that utilities are challenged by the growing complexity of those, from smart meters to grid edge sensors. And in that context, Christian, what role does IoT security play, especially when it comes to critical infrastructures?

Christian (03:23):
Yeah, so let's say there are three generations. Generation one is, you know, all the assets are air gapped, especially due to very old operating systems, and they maybe should keep air gapped. Second is the classical Purdue model where you have different levels and different tasks are operating on these

(03:49):
levels, like level zero are the sensors, actuators, control level, etc., up to the business level. And all the levels are segmented. Yeah, you cannot just communicate from one level to another. There are strict rules very clearly defined.

(04:10):
And the third generation is the industrial IoT, where you are able to jump from one level to another, like from level zero to level five, just with a smart IoT technology. And this makes everything cheaper, faster, and very

(04:31):
interesting and business-wise something people like because they get digitalization chances. However, doing this, concepts like zero trust are getting fundamentally important because you cannot go

(04:54):
through these different levels without having a very proper end-to-end encryption. Therefore, it is important to look at the requirements for modern security by integrating IoT.

Andrea (05:10):
That actually really resonates. And I think that your guys' value proposition in that is very important. We see that a lot of utilities have a common interest in also IoT and AI for predictive maintenance, but that is always paired with questions about regulatory compliance. It's just a reminder that innovation and governance

(05:32):
really go hand in hand. And now if we're looking at EU regulations with NIS2, the Cyber Resilience Act and the Data Act, what are the biggest compliance challenges for energy providers? And especially, how do you think collaboration between players like CGI and PHYSEC can help reduce the cost of compliance?

Christian (05:52):
Yeah, so I think the most important is that you know the known regulations like NIS2, but also the regulation, the CER, the Critical Entities Resilience Directive, which manages physical security. My recommendation is to look at both at the same time and

(06:15):
develop a converged approach where the cyber and the cyber-physical attack vectors are handled together. Number one. Number two is the Cyber Resilience Act, which is the first one which is actually providing a minimum security standard for the vendors.

(06:36):
This is really something you as an operator should use, because with the knowledge of what the Cyber Resilience Act is actually requiring, you can think about what kind of documents which the vendors are now

(06:56):
working on could actually help you with your own compliance strategy. This is something economically interesting, yeah, because you don't need to do your 100k risk analysis if the vendor already did a huge part of it. Yeah. From my perspective, this interaction between NIS2 and

(07:20):
the Cyber Resilience Act is also solving a classical prisoner's dilemma between the vendor and the operator. And if we look at a very old study from IBM from 1983, which says that the relative costs of fixing problems like adding IT security afterwards cost 100 to 200 times the cost compared

(07:45):
to if you do it by design in the product. And this is a huge economical thing. So I think this regulation, which solved this prisoner's dilemma and also helps the operators to get more than, you know, a product description, is something very useful.

(08:07):
And I think at PHYSEC we developed a really important piece of the puzzle of technology to do this in a very smart, clever way. And together with CGI, we are able to provide a holistic approach to this entire topic.

Andrea (08:25):
That makes a lot of sense. And I do think that that is a great synergy we've created between PHYSEC and CGI. Now I want to come back to the point where you mentioned cost savings earlier, with fines of up to 15 million euros or the equivalent of 2.5% of the global turnover on the table. How do you think organizations can map these risks

(08:48):
against current cyber spend to make the business case?

Christian (08:54):
Yeah, I think this is one of the most interesting questions to answer. The standard answer is you need business case argumentation for your cybersecurity investments, which are not just risk-based quantification, but also provide, like now, the

(09:14):
potential fees you need to pay if you don't do it in a proper way. So what you will do is like a risk analysis where you say, okay, you know, the attack scenarios lead to problems with the production, with the contracts, with the

(09:34):
response, or, you know, rebuilding, fixing the systems, and making a list of, yeah, what are the biggest risks and costs and how much do you invest. Yeah, this is, let's say, the standard answer to this. But there are also security solutions which are

(09:58):
also providing really functional advantages. For example, the zero trust architecture helps you to troubleshoot. It's easier to fix problems if you have a zero trust architecture. Or single sign-on security features reduce the login effort

(10:20):
you have. And a third example is security information and event management, like a SIEM system, which can also be used for predictive maintenance because you are getting a lot of log files as well as, in a converged approach, the physical information. And this is, by the way, also something we are offering

(10:42):
together with CGI. And yeah, these are actually functional advantages you're getting with security.

Andrea (10:53):
That sounds great. And do you think that shared evidence repositories between device makers, integrators, and DSOs might also help reduce audit duplication and compliance costs?

Christian (11:06):
Yeah, absolutely. Risk analysis is one of my favorite topics here because it's a lot of work to do this, and sharing them, of course, in a kind of, you know, pseudonymized way, you know, not offering and

(11:29):
publishing like your internal IP addresses, of course, but providing this kind of audit reports, risk analysis, etc., will have a huge impact for reducing cost and improving efficiency. And as I said earlier, I also think that this will be

(11:50):
something like a byproduct by the vendors. In the future, when you buy a product, you will get some information about the security of this product from the vendor anyway. But internally, the vendor is forced to develop more documentation, again, risk analysis. So this is something I think the vendors will sell

(12:14):
together with the products in the future. Additionally, I also believe that institutions like, in Germany, the BSI will also provide some knowledge bases like this.

Andrea (12:29):
Thank you for those insights, Christian. Now we've spent a lot of time discussing the current situation, but if we were to jump into action, if you were to put yourself into the shoes of the decision makers in the energy and utility sector, what piece of advice would you give them if they were considering new digital initiatives?

Christian (12:50):
Yeah, I mean, in the role of a professor, I would also recommend to look for a very strong academic partner, like a chair professor at the university, because as I said earlier, we are strong here in Germany and of course also in other European countries. And ask them for help, you know, see how they can

(13:15):
bridge the gap between the vendors and the operators from a very neutral position. They will not just offer you, like, the standard, let's say old products, but also the new innovative and modern approaches. And yeah, I think this is my number one advice.

Andrea (13:40):
That's the advice. Well, that sounds like there are a lot of different things to take into perspective. Now, if you were to say we've done all of the research, we've talked to the academics, and we know everything that we need to know. If you wanted to take a look into the future, looking

(14:02):
into 2030, knowing that you don't have a crystal ball, but what do you think? Where do the trends lead us?

Christian (14:09):
I think currently our regulation is not really accelerating innovation. So in a, let's say, dystopic book, I would say maybe a lot of things we are working on today are still

(14:30):
our topics in five years, and it seems to be not unrealistic. However, a positive scenario will be that this kind of regulation will be changed in the way that innovation gets accelerated, and you are able to use also technologies which are

(14:50):
really, you know, 21st century, but without any compromise of security. You know, they are as secure as the current solutions, and with this, you know, we will get the entire thing. Yeah, we will get prosumer dynamic tariffs, being able to use battery also to charge back to the grid,

(15:16):
and all the different ideas we have, but from my perspective, the key point is having a regulation which makes innovation possible.

Andrea (15:35):
Absolutely. Well, I thank you for your valuable insights for today, Christian. It sounds like there are still a lot of pieces that are already in place to make sure that we have a safe and secure cyber infrastructure. And there are still other things that we need to work on. But unfortunately for today, we've reached the end of the episode.

(15:56):
Thank you, Christian, for joining us and sharing your valuable insights. And of course, a big thank you to everyone who tuned in today. We hope you enjoyed the conversation. And if you'd like to know more about how CGI and PHYSEC are shaping the future of secure energy infrastructures, visit our websites or connect with us on LinkedIn.

(16:16):
We look forward to having you with us again next time. Thanks.

Christian (16:20):
Thank you.