Securing smart grid infrastructure from cyber threats
By Mochamad Azhar
In a recent panel at the DTI-CX event, public sector and cybersecurity professionals shared their views on the challenges of anticipating cyber attacks that could disrupt the national electricity supply chain.

Government and cybersecurity professionals shared ways to anticipate security threats to smart grid infrastructure at the recent DTI-CX event in Jakarta. Image: Adhouse Clarion Events.
The development of smart grids was part of Indonesia's national strategy to build an efficient, reliable, and sustainable electricity system by optimising the utilisation of renewable energy.
With smart transmission and distribution systems, the electricity grid would be able to accommodate an additional 28 gigawatts (GWs) of renewable energy by 2040.
However, behind this significant opportunity lay an increasingly complex security risk.
During the panel “Cybersecurity for the Power Grid: Protecting Critical Infrastructure from Cyber Threats” at the recent Digital Transformation Indonesia Conference and Expo (DTI-CX) 2025, speakers from the government and academia shared ways to address cybersecurity challenges to smart grid infrastructure.
Indonesia National Cybersecurity Agency’s (BSSN) Director of Strategy, Sigit Kurniawan, opened the session by reminding attendees that the electricity sector was part of Indonesia’s critical information infrastructure (CII), and any disruption would have a far-reaching impact on other sectors.
“Given that the entire smart grid system – from power generation, transmission, to distribution – is connected to the internet, this makes it highly vulnerable, so we must be prepared to anticipate all risks,” he said.
According to him, the electricity sector required detailed risk management, which necessitated strict monitoring of all hardware and software connected across the entire supply chain.
“Although we see that our systems are already quite robust, attackers are always looking for the weakest points. We must examine the potential vulnerabilities of even the smallest details more closely,” he added.
Besides Kurniawan, the other panellists were Ministry of Energy and Mineral Resources’ (ESDM) Coordinator of Electricity Transmission, Muhadi, Computer Security Incident Response Team Academy’s (ACAD-CSIRT) Chairman, Prof Richardus Indrajit, and Indonesian Internet Service Providers Association’s Secretary-General, Zulfadly Syam.
The panel was moderated by National ICT Business Association’s (Aptiknas) Secretary-General, Fanky Christian.
Think like an attacker
The energy sector, like the financial sector, has always been a primary target for attackers. The more valuable a system was, the greater the motivation for people to attack it, said ACAD-CSIRT's Prof Indrajit.
To enhance security at the weak points of the smart grid network, he urged defenders to view the network from the attacker's perspective, as he did at the CSIRT academy. Thinking like an attacker would make it easier for defenders to recognise the characteristics, patterns, and potential of attacks.
“A cybercriminal will persistently scan for vulnerabilities one by one, asset by asset, even person by person, until they find the weakest point,” he said.
To illustrate how cybercriminals operate, he cited examples from spy films that incorporate cybersecurity themes into their plots, such as Mission Impossible: Dead Reckoning or James Bond’s Skyfall.
These films have presented attack scenarios that once seemed impossible but were now considered highly plausible.
However, Prof Indrajit also highlighted that attacks did not always come from those with advanced technology, but could also take simple forms such as sabotage or negligence by staff.
ESDM’s Muhadi added that the government has designated power plants and transmission networks as National Vital Objects that must be strictly secured.
However, protection required basic procedural readiness and excellent cross-sector coordination. This included the roles and responsibilities of each stakeholder, from the government, the State Electricity Company (PLN) as the operator, and security personnel.
The proactive measures
Furthermore, Muhadi highlighted the importance of an end-to-end perspective and the need for specific regulations to strengthen cybersecurity in the electricity sector, given the public's heavy dependence on electricity supply and the risks that could arise if the system were disrupted.
“To improve the security of the electricity system from cyber-attacks, we need to take strategic steps starting now. Not reactive, but proactive.”
He revealed that to date, there were no specific regulations governing cybersecurity in the electricity sector. Binding technical standards were also not yet available, although there were international references such as ISA/IEC 62443.
“The absence of regulations has led to weak requirements regarding human resources with specialised competencies in cybersecurity for the electricity sector,” Muhadi noted.
Therefore, he said that the government would soon invite all stakeholders in the electricity sector to formulate specific regulations that include standards and competency requirements needed to enhance the expertise of cybersecurity personnel specifically for the electricity sector.
Specific technical guidelines
In response to Muhadi’s explanation, BSSN’s Kurniawan stated that Indonesia has already adopted ISO 27019, an international standard governing information security practices in the energy sector, which serves as a reference for security management in the electricity sector.
However, he emphasised that the energy sector has subsectors with distinct characteristics and needs that could not be addressed by a one-size-fits-all regulatory approach.
“BSSN is advocating for the development of technical guidelines or specific instructions for the electricity sector so that operators have clear guidelines for securing their systems,” he added.
Kurniawan also highlighted the importance of Operational Technology (OT) security used in the operation of electrical systems. In the industry, this technology was often associated with Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) that directly control technical processes.
According to him, attacks on SCADA or ICS systems in Indonesia's energy sector were still rarely detected actively. Threats such as low-and-slow attacks could evade monitoring if there was no adequate detection.
“Enhancing active monitoring, strengthening security infrastructure, and close collaboration with the industrial sector are important steps that must be taken,” he noted.
Prof Indrajit added that cybersecurity in the electricity sector was a shared responsibility that required the government, operators, and supply chain players to collaborate under the principle of “your security is my security”.
