
Imagining the energy cybergeddon

Digitalization and security epistemics in the energy system

Lars Gjesvik

Master Thesis in Political Science, Department of Political Science

UNIVERSITY OF OSLO

Spring, 23.05.2018


© Lars Gjesvik

2018

Imagining the energy cybergeddon

Lars Gjesvik http://www.duo.uio.no/

Print: Reprosentralen, Universitetet i Oslo

Word count: 37 587

Abstract

In this thesis, I examine how the process of digitalization in the energy system is leading to changing understandings of its security. More precisely, I track how discourses place themselves into different epistemic logics of security when debating digital incidents versus non-digital ones. I draw on the work of several critical security studies scholars, most notably Claudia Aradau (2014) and her work on security epistemics and the rise of resilience-thinking in modern societies. The creation of problems, through expressing concerns, assessing impacts, and promoting solutions, creates an overarching narrative that frames how we understand security events and dangers. Analyzing a broad collection of texts, I examine how expert discourses make sense of security concerns, impacts and solutions, centered around four main cases. These cases are the Baumgarten explosion in 2017, the Industroyer taking down the Ukrainian power grid in 2017, as well as a broader reading of security concerns pertaining to digital technologies and non-digital risks. The analysis highlights how digital security concerns are in part understood as radically uncertain, being unable to be understood both in terms of occurrence and impact, which implies certain security practices of preemption and societal resilience. As digital technologies and tools become more commonplace in the energy system, protecting these systems becomes more centered around the security practices “allowed” by the dominant understanding of cyber security. As a consequence, the digitalization of energy systems pushes societies further along in the move away from threats and existential dangers, and towards catastrophic risks, resilience and the management of uncertainty.


Acknowledgements

First of all, a large portion of gratitude and thanks is owed my supervisor Kacper Szulecki, for answering emails, providing valuable feedback, exerting stoic calm and for pushing the right buttons.

A special thanks to everyone who contributed input and crucial feedback in the process of writing this thesis. I owe Håvard Markussen a great deal for his unrivaled knowledge on Discourse Analysis and anything having to do with methodology. My parents are owed months of gardening work and dog-watching for sacrificing weekends proofreading and debating text selection to no end.

Every discussion I had with co-workers at NUPI provided valuable input. In particular this applies to Malin, Henriette, Maja, Ole Martin, Emil, Helene and everyone at the Security and Defence Group. Furthermore, everyone at the NUPI Cyber Security Centre participated with valuable feedback; I thank Niels Nagelhus Schia, Lilly Muller and Karsten Friis for support and excellent ideas. In particular I owe Erik Reichborn-Kjennerud for the lion’s share of the theoretical foundations.

Finally, I thank Sarah for support, encouragement and being willing to bear with me through it all.

Lars Gjesvik 23.05.2018


Table of Contents

1. Introduction
    1.2 The Research Question
    1.3 Approach
    1.4 Structure
2. Theory
    2.4.2 Practice and experts
    2.2 Risk and Uncertainty: a history of vital systems
    2.3 Cyber security as risk and uncertainty
    2.4.1 Epistemics of security
    2.4.2 Known and measurable impacts: risk, redundancy, and resilience
    2.4.3 Unknown impacts, societal resilience, and the role of imaginings
    2.5.4 Enter the actor: terrorism, preemptive security, and the departure from the accident
3. Methodology
    3.1 Materialism and the role of objects
    3.2 Discourses and representations
    3.3 Research design
    3.4 Operationalization and the research process
    3.5 Clarifications, validity and reliability
4. Background
    4.2 The changing energy system
    4.2 A brief history of cyber security
5. Analysis
    5.1 An Austrian Gas Explosion
    5.1.2 Understanding Baumgarten
    5.2 Hacking the Ukrainian Grid
    5.2.1 The makings of a cyber threat
    5.3 The reliable and resilient power grid
    5.3.2 Managing uncertainty in the system and society
    5.4 Smart meters and the radical uncertainty of IoT
    5.4.2 Understanding the smart grid
6. Discussion
7. Conclusion
    Main Findings
    Avenues for further research
    Broader implications
Bibliography


1. Introduction

It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center, which distributes power to the region's residents, operators too were nearing the end of their shift. But just as one worker was organizing papers at his desk that day, the cursor on his computer suddenly skittered across the screen of its own accord.

He watched as it navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.

The operator grabbed his mouse and tried desperately to seize control of the cursor, but it was unresponsive. Then as the cursor moved in the direction of another breaker, the machine suddenly logged him out of the control panel. Although he tried frantically to log back in, the attackers had changed his password preventing him from gaining re-entry. All he could do was stare helplessly at his screen while the ghosts in the machine clicked open one breaker after another, eventually taking about 30 substations offline. The attackers didn't stop there, however. They also struck two other power distribution centers at the same time, nearly doubling the number of substations taken offline and leaving more than 230,000 residents in the dark. And as if that weren't enough, they also disabled backup power supplies to two of the three distribution centers, leaving operators themselves stumbling in the dark. (Zetter A, 2016)

Such is the description of the 2015 attack against the Ukrainian power system. The attacks, occurring simultaneously at numerous sites across the country, had seemingly crossed a threshold. What had previously been hypothesized, but not yet seen performed in the real world, had taken place: a cyberattack had taken down the critical energy systems of a nation state, causing blackouts during the darkest days of winter. Subsequent investigations were to point to lackluster security practices as the main cause of why the attackers were successful, with the Russian military considered the prime suspect of the incident (Zetter, 2016). Precisely one year later the attackers struck again: this time attacking not ill-secured network devices, but state-of-the-art equipment provided by the European Union. The attack, over in a few hours and not causing any fatalities, raised questions of the digital security of our energy systems (ESET A, B, 2017).


Our world and our energy systems are growing digital. Since the widespread commercialization of the Internet in the early 90’s the digital world and its tentacles have spread to almost every corner of the world, instantly connecting people, devices, and systems (Klimburg: 23-53, 2017). This process of “digitalization”, the increased dependence on the digital world for everyday functions, has taken place in the energy systems as well. It is driven in part by the “normal” process of using digital solutions to improve efficiency and economic gain, and partly as a means of combating and facilitating for the move towards an energy system running on renewable sources. These digital solutions are implemented in all stages of the energy system: running machinery through Supervisory Control And Data Acquisition (SCADA) control systems, controlling flows of electricity and measuring and timing our consumption through smart meters (Slayton, 2013). As these digital devices have become prominent in the energy systems, the security of the digital components is a key and growing concern for those tasked with protecting said energy system. The result is an increased and intensified focus on cyber security, as securing energy hinges on the stability of the digital components (Ibid). Simultaneously the field of cyber security has received more thorough attention and scrutiny over the last decade, resulting in a list of conceptualizations and theories that argue that cyber security is a novel form of security, challenging established conceptions of what security is and how it works (See for instance Kello, 2017, Klimburg, 2017).

1.2 The Research Question

This increased dependence on digital solutions throughout the energy system is changing not only how the system works, but how we understand its security. If the digital domain is different, working under a different logic and assumptions than we are used to, how does it shape the way we look at problems? Or to be more precise: if the nature and material “reality” of the digital domain affects the tools and mechanisms we can use to protect them, how is this reality different from what we are used to? As the energy systems become digital, the security of those systems becomes about the security of the digital systems. If the security problems of the digital domain are understood differently, being a “novel” form of security, then the solutions and ways we talk about energy security must change too. This leads to the research question:


How is the digitalization of energy systems changing the way we understand their security?

The security of energy systems has been discussed and conceptualized in myriads of ways, some of which deal with drastically different ideas. On the one hand energy has been considered a strategic resource, and the security of energy has been the focus of geopolitical maneuvering and war (Yergin, 1991). On the other hand, energy security can deal with complicated topics like climate change and economic opportunity (Ciuta, 2010). At its most extreme energy security deals with a list of concerns and mitigating actions that are so expansive in scope and topic that the argument can be made that the concept is useless (Sovacool, et.al, 2011). This thesis, however, approaches energy security from another angle, that of “vital systems security” and the preoccupation with securing critical infrastructure from a host of unpredictable and uncertain risks (Collier & Lakoff, 2015). To further this understanding of the unpredictable events and how to deal with them I will draw on different theorizations of how security is perceived, and the consequences of those perceptions. I will distinguish between Known Unknowns and Unknown Unknowns, or the difference between those security events that are uncertain in their occurrence but predictable in their consequence, and those “radically uncertain” events that cannot be measured either in occurrence or impact (Cleden, 2009). As cyber security becomes a more pressing issue for energy systems, the security of said system must deal with more and new forms of uncertainty that result in novel techniques for managing security, having large impacts in the wider society.

This leads my thesis into the topic of “risk security”, and how the problematizations and practices of security are changing. Since the end of the cold war the modern understanding of security has changed. What was previously centered on cold war-logics, great power rivalry, and ideological standoffs has greatly expanded. Security has taken on many and varied forms, addressing a multitude of concerns and issues. One of these concerns has been the perceived vulnerability of critical infrastructures, vulnerable to a long list of uncertain, unpreventable, and unmanageable risks that challenge the traditional modes of dealing with and securing these “vital systems” (See: Collier & Lakoff, 2015, Corry, 2012). Of all the various infrastructures that have been termed “vital” or “critical” few rival the energy system in its importance for modern societies. Frequently dubbed the “lifeblood of societies” the energy system underpins a host of functions that are considered essential for modern life, the failure of which is hypothesized to have large and life-threatening implications (Szulecki & Kusznir, 2018). Thus, the security of the energy system moves towards “risk security”, which entails both a shift in how problems are understood, and the techniques and tools used for managing them (Collier & Lakoff, 2015). This newfound preoccupation with “uncertainty, novelty and surprise” has been highlighted as the main reason for the rise of “resilience” as a concept used widely in society (Aradau, 2014). This thesis will address this shift in both problematizations and practices through the lens of digitalization in the energy systems.

1.3 Approach

In order to answer my research question, I will examine both problematizations, practices, and how they co-constitute each other. Based on several critical security scholars, I will primarily frame the analysis on the work of Claudia Aradau (2014). Arguing for the role of epistemic regimes in reshaping security practices towards “resilience”, Aradau shows how security practices function as answers to certain ways of understanding the “question of security” (Aradau, 2014). Furthermore, it bases itself on a reading of Vincent Pouliot (2010) and the argument that security practices become an answer through a set of problematizations, understandings, and conceptualizations of the issues we are dealing with (Pouliot:5, 2010). The language and concepts we use to frame and make sense of events, making them into examples of larger problems, influence what solutions are presented and whether they are accepted or not (Aradau, 2014). This allows us to focus on how cyber security is understood to be different than other strands of security, and take seriously the impacts this has on security practices. It is argued that security practices are not necessarily post problematizations, rather that the practices, solutions, and tools of management help shape our understanding of a problem as well (Pouliot: 28-29, 2010).

Contemporary understanding of risk-security is based either on the works of Ulrich Beck or Michel Foucault. The former argues that the rise of risks is a result of growing complexity in modern societies (Beck, 1992, 2007), while the latter approached the topic as the result of modes and rationales of governing (Foucault, 1994). This thesis will primarily take the Foucauldian approach to the topic, yet it will be more wary of the role of materiality in shaping the social world. This is not contrary to the writings of Foucault himself, yet the role of material objects has frequently been relegated to the background of social research (Aradau, 2010). This thesis looks at how objects and artefacts co-constitute the social world, helping shape and influence our opinions about it (Jasanoff, 2004). I will therefore take as a vantage point the idea that the digital devices come with their own understandings, discourse and ideas that will shape and influence how the discourse of the system at large takes place. As the energy systems become digital the security adopts and integrates the security practices inherent in those digital devices.

The analytical focus on the way dangers and vulnerabilities are understood and represented makes it natural to utilize a post-structuralist research program focusing on texts as the empiric material. I have therefore chosen to utilize a Discursive-Analytical methodology to examine the ways in which the security events are made into problems, or the problematizations of the different events (Aradau, 2014). Basing myself in large parts on the methodological arguments and rationales as discussed by Lene Hansen (2006) I will conduct an examination of expert discourses relating to cyber security, energy security and events where the two merge. It will draw upon a wide selection of texts, such as newspaper articles, academic publications, speeches, threat analysis and more.

This thesis addresses three distinct academic debates on the impacts of digitalization. Primarily it is an analysis of how the understandings and problematizations lead to a set of security practices, and vice versa. These practices and problematizations change when the energy systems become digital. As such it lends itself to the debates in critical security studies on both the epistemics of security (Aradau, 2014), and the rising concern with catastrophic risks that challenge traditional means of managing said dangers (Collier & Lakoff, 2016, Corry, 2012, Beck 1992, Foucault, 1994). Secondly the thesis takes seriously the theorizations on cyber security and examines how cyber security, as understood today, changes and influences societies. In this it borrows its understandings of cyber security from several key contributions, among them Myriam Dunn-Cavelty (2008), Alexander Klimburg (2017), Joseph Nye (2011), Hansen & Nissenbaum (2009), Thomas Rid (2013), Singer and Friedman (2014), Jordan Branch (2018), Christensen et.al. (2017), Kremer and Muller (2014), and Lucas Kello (2017). Primarily, however, I will utilize the theoretical approach wherein cyber security is understood as risks, as proposed by Friis & Reichborn Kjennerud (2018). I will flesh out this theory with the analysis of cyber security’s preoccupation with imagined and catastrophic risks, as argued for by Tim Stevens (2016). Finally, I attempt to consider an overlooked aspect of the energy transition: while the security implications of a move to “smart” and renewable energy systems have been analyzed before, an analysis on how digitalization introduces new problematizations, conceptualizations, and security practices has not received thorough attention. The thesis therefore builds upon and takes further the works done by Andre Månsson (2016), O’Sullivan et.al (2017) and Nie & Yang (2016).

The contribution of the thesis is to help further the understandings of how security practices and understandings are changing in modern societies. By examining this shift through the addition of new devices it can help shed a light on the role of objects (and the discourses attached to them) in entrenching and enabling this shift. As such it offers a new perspective on changing understandings of security, considering both practices, materiality and social factors. Furthermore, it sheds a light on how theorizations and understandings of cybersecurity impact the larger society: as digital services become more critical, cyber security does as well. The existing theoretical debates on cyber security therefore become more pressing, as their increased importance allows them to play a greater role in modern societies. This thesis maps how those theorizations impact security practices, which again has larger societal implications. Finally, it looks at the energy transition and the move towards renewable sources of energy from a novel point of view: taking as a vantage point not the uniqueness of the energy system, but the uniqueness and impact of the tools and digital equipment that are frequently cited as the solution to obtaining energy systems that are clean, efficient, and affordable (Slayton, 2013).

1.4 Structure

This thesis will lay out its argument through several steps and chapters. Chapter 2 deals with the theoretical underpinnings that substantiate the argument. It will examine how security problems and practices are made and co-constitute each other, producing a frame of understanding and making sense of security events. Expanding on this point I will examine the rising concerns with unpredictable and unpreventable risks in modern societies, through the lens of “vital systems security”. Subsequently I will debate some main theorizations on cyber security, what the digital world is conceived to be and why it is thought of as different than other modes of security. Finally, I will examine four different epistemic regimes that shape and frame security concerns. How and why dangers are placed into these regimes is examined, as are the consequences that certain understandings imply. As such it will create a theoretical framework on how security problems and solutions are made, and how these understandings build upon one another.


Chapter 3 will discuss the methodological choices and considerations made in this thesis. It will start off with placing the thesis as a discourse-analysis within a broadly defined post-structuralist research program, with an added emphasis on material factors and the impacts of technological change. It will then look at how to create a methodologically sound framework for examining texts, arguing for the utilization of a “broad” collection of texts in order to track how expert discourses are explaining and categorizing dangers. It will subsequently further flesh out the methodological approach by placing the texts and approach within the four dimensions of discourse analysis proposed by Lene Hansen (2006). Thus, having established a methodological approach and a theoretical framework the thesis will be operationalized and the criteria for selecting texts will be explained and examined. Finally, I will explain the choices made, addressing the main arguments against my approach and debate the validity and reliability of my choices.

Chapter 4 will be a quick examination into a set of background factors. Primarily it will focus on the changes that are occurring in the energy system. A variety of factors and considerations are driving these changes, such as liberalization, economic efficiency, and a desire to curb carbon emissions and halt climate change. These changes depend increasingly on the utilization of digital equipment and solutions to manage and control ever-larger parts of the energy system. This digitalization of the energy systems merges energy security with cyber security, and correspondingly the background will offer a brief depiction of how cyber security has evolved over the last decades.

Chapter 5 will constitute the backbone of this thesis, and includes the reading and analysis of the selected texts. It will circle around four main cases/events to map out how security concerns and dangers are understood. Primarily it will focus on how digital security events are understood differently, working under other logics to produce different practices and understandings. The chapter will look at each case/event in a two-pronged approach: firstly, presenting the main arguments and representations identified in the texts and subsequently discussing what those representations entail and the logics underpinning them. Basing myself on this analysis and empiric material, chapter 6 will discuss how we can best understand these changing security practices and logics, and to what extent the digitalization of energy systems really does lead to changing security logics and practices, before summarizing the main arguments in the conclusion in chapter 7.


Throughout this analysis this thesis hopes to highlight how security practices change and evolve not only as the result of new discourses and challenges emanating from the social domain, but through the introduction of devices that are perceived to function in novel ways. The digitalization of the energy system is helping move the security practices involved in securing it towards imagined events and worst-case scenarios. This is not just the result of a general move towards risk-logic in the modern world, but the result of how we understand and make sense of new technologies. The novelty and ways in which we deal with these new technologies create new and profound expressions of uncertainty, that in turn translate into new practices of security. As the digital world is perceived to be dynamic and rapidly evolving the security practices take this “reality” into account. The resulting practices and understandings become oriented towards surveillance and preemptive security, societal resilience and preparation for disasters, as well as techniques for “unveiling” the inherent vulnerabilities and risks within the systems. These practices are again shaping and transforming modern societies, having a real impact on how we relate to our vital energy systems, the digital world, and how the digital world is being made.


2. Theory

In this chapter I will explain and present the theoretical framework for this thesis. I will draw on a set of different theories and scholars to create a framework for how problems are made and the solutions that follow those problematizations. I will argue that solutions and problematizations co-constitute each other, creating an understanding of a security concern that presents a set of solutions to a set of problems. Following this I will look at how problematizations of security have changed over the last decades, promoting a framework of risk-security where uncertainty and unpredictability replace hostility and threats as the dominant form of security concerns. Subsequently I will place cyber security within this development, and highlight some different theorizations on cyber security. Finally, I will address how security concerns and dangers are placed within different epistemic regimes, or logics of knowledge, which again help frame those dangers. How we understand security concerns, once they are placed within epistemic regimes, helps influence and shape the solutions and practices we utilize to deal with those concerns.

2.4.2 Practice and experts

Before examining some theoretical works on problematizations and practices it is important to assess how the two relate to one another. The intuitive causal explanation is to see a solution as emanating from the way the problem is conceived: a problem poses a question and the solution is the answer to said problem. Yet, in the real world this understanding of how problems and solutions influence one another is arguably too simplistic. While the way in which problems are understood helps shape and define the solutions that are deemed reasonable and applicable, the relationship between security practices and problematizations is rarely so straightforward. As argued by Pouliot (2010) the assumption that every practice follows rationally from the problematization is hard to square with our knowledge about social life and how the mind works (Pouliot:24-25, 2010). While this thesis is based upon texts and not field studies, thus limiting the ability to observe practices, it will take seriously the impact of existing solutions to problematizations, or the argument that specific tools and techniques of managing security concerns activate and frame the understanding of the problem (Balzacq, et.al, 2010). These tools are not uniform; they are regarded as more appropriate in certain settings, less so in others. The relevance and applicability of said tools and practices in turn helps define and shape what the problem is conceived as. The prominence and influence of a certain set of solutions helps frame problems so that the solutions are appropriate, thus the causal relationship can at times be reversed and solutions and problems co-constitute and shape each other (Ibid).

Interpreting the problem, proposing solutions, and making sense of events has to be done by someone. When a security concern is raised it is made into being by actors who shape and influence how the problem is understood and what solutions are applicable. This production of knowledge, through sorting and making sense of security concerns, devices and events is increasingly done by experts of (in)security. These groups of experts provide authority and legitimacy through “expertise, which accumulates data, frames categories of analysis, targets specific populations” (Balzacq, et.al., 2010). In this sense experts, and the interpreters of scientific knowledge, are political actors as well as any. The role of experts in shaping and framing how events are understood, what they are regarded as examples of, and what they can tell us about the larger implications for the world we live in is crucial (Rychnovska, et.al, 2017). Thus, experts insert themselves between security events/concerns and the larger society, interpreting and making sense of the events and transforming them from singular events to larger manifestations of something which in turn shapes and influences policy and societies (Ibid).

Thus, understanding and creating problems is done by experts, and solutions and problems are seen to co-constitute each other. In the following segment we will look at how one prominent problematization has grown in the western understanding of security over the last decades, namely the increasing concern with risks, or the uncertain and unpredictable harmful events that challenge traditional understandings of security.


2.2 Risk and Uncertainty: a history of vital systems

As modern societies progressed in the wake of WW2, taking in the lessons from the war, new concerns started emerging. As airplanes had highlighted the value of targeting industrial systems and vital nodes of production, security planners in the west (and primarily the US) started recognizing how vulnerable their own systems were. These lessons were coupled with a growing concern for the wellbeing of the population, and planners started examining the security of vital systems underpinning societies. Thus, the way in which the American air force had targeted industries became a lens with which to view one's own societies. The perceived efficiency and weaknesses exposed by airplanes were re-imagined in new security contexts, such as for instance a war between America and a coalition of states. The rise of the airplane as a strategic tool in armed conflict thereby changed the role and functioning of cities, industries, and societies. Further fueled by the advent of the nuclear weapon, various features of American society became reimagined as vulnerabilities. The concentration of cities meant that they would also be vulnerable targets in the event of a nuclear war, and even more pressingly: the concentration of industries in a limited geographical area meant that the targeting of said area could cause widespread harm. Still, the risks associated with these «vital systems» were primarily concerned with armed warfare and conflict (Collier & Lakoff, 2008).

In the 70s and 80s, however, the concerns surrounding these systems migrated from the area of warfare and nuclear cold-war logic into a more generalized concern with the vulnerability of vital systems. Various terrorist attacks, the 1977 American blackout, and the oil crisis in the wake of the 1973 Egyptian-Israeli war meant that the vitality and vulnerability of those systems became an issue not only in the case of war, but in the case of a long range of immeasurable risks and disasters. The vitality of those systems indicated that they might not only be vulnerable in the case of a military attack by an equal adversary, but that they could easily be targeted by individuals, groups or «saboteurs» leveraging the dependency on critical systems to inflict harm in an asymmetrical conflict. More so, the general vulnerability of these systems meant that they could be harmed not only by targeted efforts, but by accidents, natural disasters, or technological failures. In short, a list of low-probability events that, while unlikely, could be so damaging if they were to take place that preparing for them, and trying to predict them, became a pressing political matter (Collier & Lakoff, 2015).


This development was coupled with an expansion of the concept of security. While it previously dealt mainly with interstate conflict and great power rivalry, it has over the following decades incorporated a variety of threats and concerns. As the topic of security has taken into account all of these various and different dangers, as sketched out above, the focal point of security has moved from a focus on threats to a focus on risks (Kessler & Daase, 2008, Corry 2012). Risks, characterized by their uncertainty and probabilistic nature, have changed the way in which security practices take form and play out. As other forms of security concerns have taken over from the strict “logic” of the cold war, the logics of unstructured and undefined uncertainties have become a key issue for security practitioners all over the globe (Kessler & Daase, 2008). Risk has been described as an “estimation of the dangerousness of the future”, and risks are as such defined by their relationship with the events to come. More precisely, risks invoke a monitoring and attempted calculation of what the future might hold, in order to control and minimize the harmful effects that might come to pass (Aradau, et.al. 2008). As risks become prominent the practices of security have changed as well, moving away from deterring foes and defending, towards risk-management practices like assessing probabilities, preventing incidents from happening, imagining future scenarios and managing risks through resilient and reliable systems (Corry, 2012).

Risks as a security concern have been imagined in a variety of ways, but primarily the understanding has been structured along two main camps. On the one hand is the understanding of risks as laid out by Ulrich Beck in his 1992 “Risk Society” (Beck, 1992). Departing from the understanding of risks as probabilistic and measurable, he understands risks in modern societies to be inherently immeasurable and incalculable, thus exceeding the ability of bureaucracies to rationally plan for, and protect against, them. As these risks have become prominent in modern societies, the anxieties related to their prominence have called for ways to deal with risks that cannot be managed, as they exceed the imagining capabilities of those trying to protect against them. Furthermore, by trying to protect societies against one set of risks the state is inevitably opening the door for new and not-known risks. As the modern society tries to control more and more aspects of the world, the impact on the vast «unknown» becomes more and more pronounced, giving rise to new risks (Ibid).

The other major camp has based itself on the writings of Michel Foucault and his concept of “governmentality”. In contrast to Beck, the risks are perceived not as a byproduct of modern societies' evolution and increasing complexity, but as a form of thinking about and representing risks that shape subjects and subjectivity (Kessler & Daase, 2008). In this understanding of risks, they are understood as a tool of governance: by claiming to protect against risks, the state finds itself needed as a bulwark against a set of diverse, incalculable, and incomprehensible risks. These risks are conceived to be potentially catastrophic if they were to occur, and go beyond the ability of individuals to deal with. By conjuring images of such risks, the state is able to expand its role and power in modern societies, creeping into the personal lives of its citizens in the name of security and protection (Ibid). Collier and Lakoff (2008, 2015) follow in this line of reasoning, and analyze how a conceptualization of security concerns and vulnerabilities shapes practices for securing vital systems, and makes the vital systems a concept in the first place. In this understanding the attempts to control and manage insecurity are done through the creation of new mechanisms and tools of government (Collier & Lakoff, 2015). In this line of risk, the imagining of security events allows for planning in the case it was to happen. Thus the «facts» of the system, and the perceived vulnerability, allow for contingency planning, preparations in case a catastrophic event were to take place and generally accepting the fact that risks might occur while simultaneously trying to limit their impact when they do (Collier & Lakoff, 2016).

This thesis does not want to take sides in the debate between those risk-scholars basing themselves on the interpretation of risks in Beck and those approaching the topic from a Foucauldian point of view. In fact, both the increasing complexities of societies and the attempts to use risks as a governmental tool are considered interesting and valid points of departure for a study of the security implications of digitalization. However, they cannot be done at the same time, and while taking sides on which theoretical position is the most “valid” might be futile, any research program has to choose one theoretical framework for its purposes. In this thesis I have chosen a Foucauldian approach, wherein the problematizations of different security issues are evaluated critically, and are not necessarily the result of any inherent fact of modernity.

In modern societies then, the threats and security logics of old have been partly replaced by a logic of risks and uncertainty. Taking on many forms and interpretations, the understanding of security events as risk gives rise to as diverse technologies of management as there exist problematizations. Before moving on to how the problematizations and practices of risks are made, a detour is needed to place the practice of cyber security within the framework of risks and uncertainty.

2.3 Cyber security as risk and uncertainty

This thesis is centered on the practices of security, and the understandings and conceptualizations that make those solutions usable and meaningful in light of particular problematizations. Before moving on to the subject of how the problems are understood, it is necessary to correctly place cyber security in the landscape of risks and uncertainty. Cyber security is an underdeveloped topic in the literature of security studies, and as such it is subject to various, conflicting, and not finalized conceptualizations (Kello: 23-58, 2017). The many variations and understandings of cyber security have led to claims that cyber security is not a uniform security, but that one in a truer sense is dealing with cyber securities. This argument is that cyber security is not a singular reality understood as epistemologically different, but that there are ontologically different cyber securities operating (Christensen et.al., 2017). While an interesting point, the narrower scope of this thesis, examining how digitalization of vital energy systems affects their security, would deal with a cyber security either way. This thesis can therefore not be said to cover all of the various ways in which digitalization and cyber security impact security thinking. It will instead highlight some effects and understandings of cyber security, and primarily those that are understood as risks.

Cyber security is a complex topic in the security literature. As it deals with a moving target of technological development and social interactions, cyber security challenges the traditional separation between discursive practices and materialism and technological change. Understanding the issue therefore needs to incorporate both how technological change has an impact and is agentive, and how that change comes to be understood and practiced (See: Branch, 2018, Christensen et al. 2017). Building on this assumption, Friis and Reichborn-Kjennerud (2018) argue for a utilization of risk-logic in understanding cyber security as a practice of security. The nature of the cyber realm gives rise to a security logic that works in somewhat novel ways, due to some key characteristics. First, cyber security is argued to be ongoing in its nature. The exposure to potential harm is conceived as more or less unending and constantly evolving: as long as digital systems are exposed to the internet, and there exist actors with an interest in harming those systems, the potential for a harmful incident is present. Cyber security, then, is an ongoing process which cannot be said to “start” or “stop” or be reduced to dealing with extraordinary situations (or at least, reduced solely to dealing with such incidents). The actual cyber security work is being done by technicians and management on a daily scale, not in the high-politics war rooms of great powers. Cyber security, as it is performed, is often about the mundane tasks of updating digital systems frequently, establishing cyber hygiene practices at key facilities and monitoring their networks (Friis, Reichborn-Kjennerud 2018). This is partly because most cyber incidents are smaller in nature, taking the form not of catastrophic attacks but of a large flurry of smaller incidents, and partly because the larger attacks are often unknown or kept secret, thus not serving as framing incidents for others than those directly affected (Ibid).

The fact that most cyber-attacks are not made public complicates the ability to prepare for and prevent them. The problem of attribution is one source for this problem, as the difficulties in identifying which actor has perpetrated an incident obfuscate the ability to create a clear image of such a threatening actor (Rid, et.al. 2015). This inability to create clear ideas about actors, and even more so their capabilities and intent, necessitates a security focus inward towards the systems and vulnerabilities (Friis, Kjennerud, 2018). This is further strengthened by a more “material” element of the digital systems: cyber exploits are based upon leveraging mistakes in code or software to do harm. Therefore, the root cause of insecurity lies not with the external actor, but with the system, as the external and potentially threatening actor is made possible by vulnerabilities in the system itself (Klimburg, 2017). Whether this is merely a theoretical point could be debated, but the question of whether the perfectly secure digital system can exist as anything other than a hypothetical construct has not been resolved as of yet (Ibid). An extended point of this logic is that the types of vulnerabilities in the system, and the ease with which they can be manipulated, define the set of actors. The more secure the system, the more advanced the actor needs to be to exploit them. By creating more secure systems you are also limiting the list of actors, while insufficient security practices enable a long list of actors, possibly down to the cliché of the “bedroom hacker”, to exploit those vulnerabilities. Taking the actor and the external threat as a vantage point becomes meaningless in cyber security, as the threats are a product of the system itself, the root cause of (in)security. The result is that cyber security is preoccupied with the constitutive causes of harm, focused inwards towards the causes of insecurity more than the external environment (Friis, Reichborn-Kjennerud, 2018).

The more complex and advanced attacks utilize weaknesses in the systems that have not previously been identified, so-called zero-days, named after the fact that they have been known to the technical community for zero days. As these attacks are by their definition unknown, defending against them is made difficult and borderline impossible. The impossibility of defending and preventing provides a need for managing digital incidents after they occur, giving rise to a need to respond to incidents through reactive measures and resilience in the systems (Friis, Kjennerud 2018). If 100% prevention is a practical impossibility, the idea of security being solely about prevention becomes useless as a starting point, and the idea of creating security must incorporate an idea that harmful events will happen.

While cyber security can be said to be, at least in part, about risks and unpreventable events, there exist some differences that need to be considered. While the issue of cyber security certainly touches upon issues of technical failures, accidents and incidents that cannot be traced back to any particular actor, this is not the main consideration (Friis, Kjennerud, 2018). When considering threats and vulnerabilities in the digital systems, the main concerns are the acts of malignant actors, primarily nation states but to a lesser extent criminal elements and terrorists (Archer, 2014). This introduces a set of security practices more reminiscent of those used in counter-terrorism than those used when protecting against technical failures and weather phenomena. This consideration will be noted when relevant, as some of the practices introduced by digital systems are not only the result of changing perceptions of the vulnerabilities and consequences, but also of the nature of the threat and to what extent someone can be made responsible for the occurrence of security failures.

Cyber security then, can in part be conceptualized as practices of risk and uncertainty due to the dynamic and ever-changing nature of the digital world. As cyber security can never be achieved in full, the practices of security deal with the management of the evolving domain through a wide set of measures and responses. How these solutions and technologies of management come to be rests on a vital point: how problems are made, what we understand them to represent, and the solutions these understandings make relevant. In the following segment I will look at how security solutions and problematizations co-produce each other.

2.4.1 Epistemics of security

Why do security practices change? If modern societies understand security differently since the cold war, framing and making sense of security events in novel ways, then these changing problems and practices must stem from something. Taking as a vantage point that security practices change as the “logics of knowledge” change, Claudia Aradau (2014) argues that the “questions” security concerns pose dictate the security practices we choose (Aradau, 2014). Noting the rise of resilience-thinking in modern societies, Aradau traces the rise of resilience not as a novel solution, but as a result of changing ways of framing problems (Ibid). The change in security practices does not stem from an exogenous shock that makes old forms of prevention outdated, nor is it necessarily emblematic of a large shift in the mindset and ideologies of societies. Rather, the new and novel practices stem from new ways of understanding problems, or new problems that are made into novel epistemic regimes. As new (and old) problems are understood to work under a different logic than the problems of old, the solutions that made sense yesterday become outdated (Ibid). This should not be taken as an argument that the new problems necessitate novel solutions, something scholars following in the logic of Beck might argue; rather, the formulation and creation of the problem makes it a novel problem. Our understandings and creation of a problem frame a danger as novel, or increase emphasis on certain aspects of said danger at the exclusion of others. Examining how the problems are created, and which truth-telling practices are made into “reality”, helps make certain understandings and problematizations the dominant interpretations. These problematizations in turn lead to a set of technologies for managing those risks, which reflect the way in which the risks are understood and the methods for managing the unknowable (Aradau, et.al. 2008).

Aradau (2014) further argues that there are three dominant epistemic regimes dealing with uncertainty and the unknown security concerns, which produce different forms of knowledge about contingencies and security concerns. One of these is the logic of ignorance/secrecy, which understands security problems as arising because of non-knowledge. Yet this non-knowledge plays a particular function not as inherently unknowable, but as obscured through ignorance and/or secrecy. The problem is not that the danger could not have been predicted, but the failure of doing so. This problematization can often be traced back to and coupled with responsibility and fault: the knowledge to prevent a danger from manifesting is accessible, it is “hidden in the depths” (Aradau, 2014), and by accessing the knowledge we can prevent the situation from occurring. As the information to know and prevent a security event was present, the security event can often be traced back to an actor either failing to investigate properly, or an actor hiding information that could have prevented the event (Ibid).

This epistemic regime again calls for practices of prevention and investigation. The practices of exploring, investigating, and making apparent the knowledge that exists can transform non-knowledge to knowledge. This ability to gain and improve knowledge makes the security concerns inherently knowable. While they are not known today there is nothing preventing them from being known tomorrow. The inability of predicting and preventing security concerns is not a factual feature of the security concern, rather it is a state of being. The danger might not be known today, but it can be made known (Aradau, 2014). As it can be made known it can be prevented, and if it can be prevented the failure to do so implies fault.

2.4.2 Known and measurable impacts: risk, redundancy, and resilience

The second epistemic regime will be analyzed in greater detail, and expanded upon through the lens of other contributions. This epistemic regime, dubbed risk/uncertainty, assumes that the knowledge is not accessible to the same extent. There is no obfuscation of facts, and the practices are therefore not centered on the unveiling of some reality that we do not have access to. Yet, while the concerns cannot be made known at the individual level they can be known statistically at the level of mass populations. What is unknowable at the individual level can make sense when aggregated into large datasets; this allows for the accumulation of knowledge to be done through statistical and computational means (Aradau, 2014). The practices involved in this epistemic regime rely on computation and the logics of statistics to make events known on the level of mass populations (Ibid).

Basing myself on this epistemic regime I will expand on it through the application of other theories on uncertainty and unknowability. An additional differentiation on the amount of knowledge will be drawn from the risk-assessment literature and applied in this context, namely the division between known unknowns and unknown unknowns. A security event can be made into knowledge through two dimensions: the knowledge of a risk's occurrence, and the knowledge that exists on the potential impact of a given event. For both classifications the knowledge spans a spectrum from perfect knowledge to no knowledge whatsoever, yet it is frequently debated as a bimodal form of knowledge where something is either known or unknown (Cleden 2009). While both forms of “unknown” occurrence challenge the ability to prevent a security event from unfolding, the difference in “knowing” their impacts produces widely different practices of security.


[Figure, based on Cleden (2009). Labels: “Danger, Security Concern”; “Security problem, problematization”; “Impact, Consequence”.]

The security practices examined here deal with the events that, while uncertain in their occurrence, can be mapped and measured in their impact. The ability to understand not when and how a security concern might come into fruition, but the consequences if it were to take form, allows for a particular set of security solutions. To better grasp this differentiation, it is worth examining two dimensions of the term “resilience”. Resilience, widely used as a term in a long range of disciplines and academic subjects (Ibid), has been defined as the “ability to recover from or adjust easily to misfortune or change” (Merriam Webster, 2018). Yet the term resilience has been used and applied differently in different contexts and by different scholars.

One dimension of resilience is the distinction between “soft” and “hard” resilience, two categorizations of resilience practices that are both frequently used in the management of risk (Proag, 2014). In the hard form of resilience, the goal is for the system to overcome disruptions and security events, being able to “shake off” the effect of any unwanted incident. On the other hand, “soft” resilience is preoccupied not with the prevention of incidents, but with managing and coming back from them as they occur. The point of this “soft” resilience then is based on an acknowledgement that the system might fail, and allows for the creation of systems that can fail without losing their core functions. A useful analogy for this soft resilience is in modern cars and the creation of “crash zones”: parts of the car that are intended to break first so as to avoid harm to the more vital part of the system (the human inside) (Ibid).

A second dimension is the level at which resilience takes place. Taking the energy system as an example, resilience can be made into practice both within the system and in the societies as a whole. This first mode of resilience sees the creation of systems that are “resilient” as they are able to withstand stress and manage disruptions. Societal resilience on the other hand prepares for the failure of the energy system and creates practices of resilience in the larger society, or modes of preparing for and dealing with the sudden collapse of for instance the energy systems (Bourbeau, 2013).

The ability to know and map the impacts of a security concern, or the understanding of a problem as a “known unknown”, allows for resilience measures to deal with the system, not society. This form of “systemic resilience” takes the form of practices like redundancy and reliability, or the creation of spare capacities that can deal with the failure of a single component. The security practice thereby becomes about not preventing incidents, but restoring the system after a failure occurs and creating systems that can withstand stress and avoid damages. In this the practices of resilience are closely related to the term of resistance, or “the ability to avoid suffering significant adverse effects” (Evans, Reid, 2013). This ability to measure and map the consequences of an uncertain security concern allows for the identification of “possible states”, making the universe of things that can fail a limited space (Cleden, 2009). Taken to the energy system, the understanding of a certain facility's function and criticality for the wider system allows for risk-management techniques that measure how a failure would play out. The reduction of security failures to quantifiable states of shortage further allows for security techniques like redundancy, defined as “to prevent or recover from the failure of a specific component or system” (TechTerms, 2018). Creating systems that muddle through the failure of one or more parts, through hardening, building redundancies and excess capacities, is again contingent on the ability to understand and comprehend the security failures. As a practice of risk-management it replaces the knowledge needed to prevent a security event with the ability to manage any events through knowing its impacts (Taleb: 312, 2007).

2.4.3 Unknown impacts, societal resilience, and the role of imaginings

The final epistemic regime described by Aradau is one of novelty and surprise. In this regime the novel and surprising is an inescapable part of our world. As the world is inherently unknowable, and the unforeseen can always happen, preparing for the failure of vital systems is essential. If surprises can occur, and in this understanding of the modern world they someday will, they must be prepared for (Aradau, 2014). In a world where unpredictable and unknowable security events can occur, the “promise of security” becomes meaningless. It is not possible to prevent the events that we do not know about from happening. If surprises cannot be known they cannot be prevented, they are inherently unknown, and the promise of security becomes about resilience: not the prevention of events but the management of them (Ibid).

Modern societies understand risks not only in the traditional form of managing the unexpected. Rather, the rising concerns associated with the low-probability risks that are unpreventable, as well as catastrophic in their impact, have led to new modalities of governing (Aradau & Van Munster, 2007). These events are the ones discussed by Collier and Lakoff (2015) that escape the boundaries of traditional risk-management techniques and involve new ways of providing security. In this understanding of risks the security events are conceptualized as “catastrophes”, or “sudden and unpredictable events that disrupt the systems that are critical to economic and social life” (Collier & Lakoff 2015). Dealing with this type of security event takes the form of simulations, exercises and preparations that are all trying to prepare for and mitigate the effects of a future and possibly catastrophic event (Aradau & Van Munster, 2007). Through the creation of “realistic worst-case scenarios” the unpredictable future catastrophes are made possible and manageable (Ibid). In contrast to both earlier modes of population security, and techniques of risk-management in critical infrastructures that base themselves on measurements, this type of “vital systems security” escapes the ability to prevent them, or confine them within the system (Ibid).

As our ability to know the impact and consequence of a security event becomes limited, the practices of calculation and measurement become replaced by imagined scenarios, simulations, and stress-testing (De Goede, 2008). In this epistemic regime, here dubbed catastrophic risks, the basis for decisions on matters of security becomes detached from the practices of knowing and is instead replaced by “reflections on all manner of disastrous (un)expected future scenarios” (Ibid). Yet, in planning for the future we do not deal with certainties. It is, after all, not possible to know what will happen and the consequences of something failing. The future is not something we can factually know, and the practice of visualizing how events will unfold has more to do with the easing of concerns and anxieties in the present than making any factual prophecy of how the future will play out (Stevens:38-41, 2016). These imaginings of how the future will play out, in turn forming the basis for security practices and decisions, are developed through security discourses and mutually held understandings that reflect the need for making decisions on imperfect knowledge (Ibid). This “plurality of futures” is in turn fostered by the media, which helps promote visions of disasters and catastrophes that make practices of security relevant and accepted (Ibid). This move towards security based on non-knowledge becomes about all the imaginings and scenarios that are deemed plausible, not about the retrospective analysis of events in the past (Ibid). As such it can be said to expand the universe of threats and risks beyond the historical events that have happened, and towards the total sum of all events that are deemed probable and could happen. The way of governing uncertainty moves from the realm of stable prediction based on past events and towards an “imaginary of expectations” (Aradau & Van Munster, 2007).

2.5.4 Enter the actor: terrorism, preemptive security, and the departure from the accident

So far, the risks and security practices have been understood as working along an axis of known and unknown impacts. This formulation of the problem of security as one that cannot be prevented has been shown to foster a range of security practices and understandings in the mold of different epistemic regimes. While the ability to know and assess the impacts is theorized to lead to a particular set of security practices, the inability to know how an event will play out leads to another. While both of these conceptualizations fit roughly within the umbrella of “resilience”, the many meanings of this term have been fleshed out by examining its precise implications and the extent to which it builds on different problematizations. This expanded concept of resilience, and the way in which it combines problematizations and epistemic understandings in order to promote a set of solutions and understanding of the threats, will be one of the main theoretical legs for this thesis. In the introduction it was hypothesized that the novelty and dynamic nature of cyberspace would pose problems for the ability to know how the impacts would play out. Yet, it is not the only way in which cyber security shapes and influences how the security of the energy systems is practiced. Another crucial difference is the difference in the source of the insecurity. A lot of the risks debated are manifestations of naturally occurring phenomena that cannot be traced back to any particular actor. Cyber security, on the other hand, is usually the work of a hacker, or an actor. As such, practices of cyber security can be seen as more closely resembling those of terrorism prevention than preparing for all and any event.

Similar to the risks associated with “vital systems security”, the risks of terrorism are frequently understood as something other than conventional risk. In particular the “sheer uncertainty and randomness” are perceived as making traditional modes of risk-management obsolete and inadequate (De Goede, 2008). Unlike the practices of resilience however, the inability to manage terrorism through traditional means of security has led to an emerging trend of trying to prevent security events, or acts of terrorism, before they occur. This mode of security, often dubbed “preemptive” security, seeks to act on incomplete knowledge in order to prevent an uncertain but catastrophic threat. At times framed as a mutation of the principle of precaution, or the avoidance of uncertain but catastrophic effects, preemptive security allows for security practices to take place that seek to identify and neutralize a threat before it comes into fruition (Ibid).

As such the practices of preemption move from an understanding where risks are “acceptable”, on the basis that they can be repaired and fixed after the fact, to practices of drastic prevention (Aradau & Van Munster, 2007). To prevent security events that are so dramatically uncertain, the practices of security take on forms of surveillance and profiling, where the collection of vast amounts of data on ordinary actions becomes the basis for categorizations of threats. The logic and functions of this catastrophic risk necessitate actions that prevent the risks from coming to pass (Ibid). In this there are clear similarities with the imagined and simulated security practices mentioned above, yet the move away from accidents and towards people means that the practices take on another form, such as the criminalization of terrorism, retention of data and stemming the financial flows of suspected terrorist organizations (De Goede, 2008, Amoore, et.al., 2008). Unlike the security practices that deal with natural disasters, the various experts and bureaucrats dealing with risks and threats, dubbed the “managers of unease” by Didier Bigo (2007), are seen at fault if they do not deliver on the promise of security.

As the dangers cannot be managed, the security practices and understandings belong under an epistemic regime of extreme precaution taking on a set of characteristics: the governing of the unknown through extreme precaution and preemptive practices, the institutionalization of those practices and the use of simulations and imagined scenarios as a basis for decisions, and finally a continuous “expectation” that the catastrophe will occur (Jackson, 2015). In this understanding a third form of knowledge is framing the unknown occurrence and unknown impacts: the knowledge that catastrophes will occur and that they are unpreventable. This taking-for-granted of the catastrophe obfuscates possible solutions to the source of the problem. Taken to the issue of cyber security, no technological advances or security practices can ensure that the systems will never fail, and therefore striving towards avoiding danger is both senseless and futile (Ibid). The apparent contrast is that the management of risks that are regarded as undetectable and unavoidable takes the form of drastic prevention, in absence of other techniques of governance. The fear of the impending catastrophe makes the catastrophe “real”, as “fear feels threat into being” (Massumi, 2015). As the catastrophe cannot be managed or accepted, the sole solution is to do everything possible to prevent something from occurring, even though meeting this goal is unachievable (Ibid).

In total, how risks and threats are perceived, the extent to which we can know their occurrence and their impact leads to widely different practices of security. Presented in the simplified table below, the ability to map and prepare for dangers is the result of both the perceived knowledge of the event’s occurrence and the extent to which the impact can be mapped and predicted.

Impact/Occurrence Known Unknown

Known Prevention/NA Prevention/NA

Unknown Uncertain Risks “Unfathomable Reliability, Measured Uncertainty”, Precaution, impacts, Redundancy, Preemption, Resilience, Resilience Imaginings, Simulations Ignorance/Secrecy, Systemic Resilience/Manageable impacts, Societal resilience Preemptive security

This chapter has looked at a set of different theorizations on security practices and problematizations. It has argued that the solutions we propose and the solutions we have at hand co-constitute each other: the solutions we have at hand help us make sense of the security concerns, correspondingly how we make sense of those security concerns shapes the solutions we deem appropriate. The categorization of security concerns into different epistemic regimes, or logics of knowledge, allows us to prioritize certain truth-telling practices over others. Examining how we relate to uncertainty and unknowability, I have sketched out how certain understandings of our ability to know impact the practices we use to manage insecurity.


3. Methodology

As this thesis is focused on how understandings and problematizations are made, the thesis needs to access formulations of those understandings. To achieve this I aim to place the thesis within the broader understanding of “science” as argued by Patrick Jackson (2011). To map out and gain knowledge on how problems are understood this thesis will base itself on a set of texts that relate to an “expert discourse” on the issue of security. The underlying assumption in analyzing how dangers are represented and understood is in line with a poststructuralist research program, in that it is focused on meaning, representations and how understanding risks are impacting the attempts to mitigate them (Hansen, 2006). The formulations and representations of problems are not naturally given, nor are they insignificant. The way in which we portray and understand problems in turn defines the adequate and natural responses to them. Lene Hansen (2006) stated that “representations of identity place foreign policy issues within a particular interpretative optic, one with consequences for which foreign policy can be formulated as an adequate response” (Hansen: 6, 2016). While this quote talks about the issue of “identity”, the wider logic is applicable in this context as well. The way in which problems are identified and formulated makes sense of the way in which they are mitigated. A particular understanding of a problem is in turn highly influential and relevant for the way in which it is approached. In the same way that identity creates policies (Hansen: 21: 2006), the way in which problems are created and understood sets the parameters for the way they are mitigated (Bratberg: 35, 2017). For the question of security, the representations of dangers help place the issues within “interpretative optics” that help frame and make sense of the security concerns. As the logic and rationale are similar I will therefore use the methodological arguments of Lene Hansen as a baseline for the research design, complementing and altering the framework where deemed necessary.

This chapter will lay out the methodological approach utilized. It will start off by explaining the chosen approach to materialism and the role of objects. After all, the digitalization of energy systems is happening through the addition of new “things”; not addressing the implications of this reality would be a neglect of an important aspect. It will then move to how the research question is operationalized and the different dimensions and representations that are examined in the texts. I will also lay out the research design, how the research process played out and the choices that were made. Finally, I will address some concerns, shortcomings and trade-offs taken in the process. I intend to highlight that the design and choices were taken after careful deliberation, and while other choices could have been made not one of them was taken lightly or without thought.

3.1 Materialism and the role of objects

In poststructuralist ontology lies an understanding of “things”, objects and facts as not existing independently of the meaning attached to them (Hansen:18, 2006). This is not the same as saying that the things do not exist by themselves, but that our understanding and reaction to the material world is constrained and made by the collective social understanding of said material world (Hansen: 22, 2006). This thesis does not interject itself into the ontological debate on the relationship between the material and ideational world, yet some points are worth elaborating on. While the basic question as to whether material factors work outside of their socially constructed “functions” might not be answered, a deliberate choice is taken to include material changes as agentive in the larger discourse. It is therefore an attempt to avoid relegating “things” to the role of passive objects, instead accepting that objects are able to initiate change to our conceptions and understandings (Aradau, 2010). The catalyst for change examined here is not the challenge of the hegemonic discourse by another political actor, but the addition of digital devices to the energy system. These devices in turn come with their own discourse and conceptions about the way in which they “work”, and the vulnerabilities and security issues they bring with them. As such, the devices are not empty “things” relegated to the sidelines of the socio-political fabric, on the contrary they act as “political agents” (Jasanoff, 2004). This thesis does not venture too far into the agential roles of materialism as evident in the Actor-Network theories of Bruno Latour (2007), rather it takes the approach of co-production championed by Sheila Jasanoff (2004). In this approach the agential roles of the material objects, and the impact of culture in making sense of objects and technologies, are considered co-constitutive and co-producing (Jasanoff, 2004).

The discourse on cyber security, and the way in which we understand how it works and its properties, are therefore taken as the starting point for the analysis: Given our understanding of cyber security today, in what way does it differ from the understanding of energy security as done traditionally? Or put more precisely: what is ‘new’ about cyber security in energy security, and “what difference does today introduce with respect to yesterday?” (Foucault, 1984). This necessitates an analysis of how cyber security is understood, and what the constraints and properties of the digital domain are perceived to be, but it does not extend to a wider discussion as to whether this is “correct” or simply a social construct of the digital realm. The basic ontological question of whether cyber security and the digital domain “exists” separate from our social world is thus left unanswered, and the consequences of cyber security “as it is” are instead deployed to answer the research question.

3.2 Discourses and representations

In the theory chapter it was argued that the reformulation of dangers and security concerns into problems and solutions is done by “experts”, or what Didier Bigo has called “managers of unease” (Bigo, 2002). Related to this Lene Hansen (2006) puts forth four different models for discourse analysis: One focusing solely on the official discourses, official texts and speeches made by high ranking civil servants and officials. One broadened to include political opposition, the media, and large corporate institutions. And finally, Hansen puts forth two of the “broadest” models, including either film, television, and other expressions of “low” culture, or the inclusion of marginal political discourses in academic and NGO circles (Hansen:64, 2006). For my research the most relevant of the models is the latter of the four, as this allows for including a collection of varied expert statements for analysis. And to do so I thought it relevant to include as “broad” a discursive material as possible. As such I draw upon sources from political establishments, media sources and niche publications. While the scope of sources is broad, I am only looking for expert statements and representations of reality in these publications. Therefore, I would include media articles where a set of experts are utilized to make sense of the problem, examining how those experts classify and categorize the danger or the security concern.

This thesis is not interested in one particular set of sources: it is not narrowed to how one particular publication defines and understands risk, rather the broader understanding shared between a wide variety of experts and producers of knowledge. In order to do so I have tried to draw on different sources that represent the larger ‘public sphere’ (Hansen: 72-79, 2006). This in turn is based on a desire to not analyze the differing opinions and ‘battles’ over how to understand the changing energy systems, but to understand and map how digital devices are providing a ‘new’ hegemonic discourse on the security risks inherent in the energy system (Hansen: 19, 2006). I chose this approach based on two assumptions, one that the relative “newness” of cyber security as a concern could indicate that the issue is less contested resulting in less contested opinions.1 Secondly the complicated technical nature of digital security, and the fact that the representations of threats and risks are mostly reproductions of expert statements and briefs, indicates that the way in which the threat is formulated might be less contested as well, as the source for the differing perceptions to a large extent is the same (Crosston, 2014). While I do not expect the perceptions of risk to be widely differing there are some ways in which they might be slightly at odds. Differing perceptions and conceptualizations will be accounted for when they are encountered, and the existence of different understandings is considered interesting in its own right.

3.3 Research design

This thesis is employing a methodology taken from discourse analysis, analyzing a variety of texts and documents as the empiric material on which to draw conclusions. In any discourse analysis the primary concern is the choice of discourses and texts on which the analysis is drawn, the same can be said for this paper (Hansen: 73, 2006). Hansen proposes designing discourse analysis through four dimensions, the scope and number of different discourses and texts that are included, the number of “selves” that are examined, whether the analysis is based upon on one particular moment or a longer historical development and whether the analysis is based on one or multiple events (Hansen:73, 2006).

As a starting point this thesis has chosen to limit its scope to a “European” context. This is done for several reasons: first of all, the focus on digitalization limits the number of possible cases to states and societies where digitization has reached a certain point. A lot of the digital solutions in the energy system are dependent on developed infrastructure for wireless connectivity, access to sophisticated technology and developed economies that are utilizing automation and digital technologies to a large extent (GeSi, 2008, 2015). Secondly, European states have developed ambitious goals on combating climate change, aiming for a widespread adoption of renewables and energy efficiency targets throughout their societies (European Commission A, B, 2014). As will be shown later on, the adoption of renewables and efficiency targets is one of many driving forces for digitalization of energy systems. The adoption of renewable sources of energy also promotes certain types of energy systems, and it is the digital solutions within these energy systems that I am primarily preoccupied with.

1 Healey (2013) argues that cyber security has been “new” for over three decades, and that the construction of cyber security as “novel” is a social construct more than a fact. While I am sympathetic to this argument, why cyber security is considered novel is not as important for this thesis as the fact that it is considered novel. For more see Jason Healey (2013) A Fierce Domain.

The choice of a European context posed some serious problems in terms of language. Valid, interesting, and critical states which could have enlightened the analysis had to be discarded due to an inability to read and understand the primary sources. This meant that sources stemming from states that would have been included on relevance alone had to be left out (Dunn & Neumann: 84, 2015). Of particular note is Spain, with a fairly developed program on digitalization in critical infrastructure (Klimburg, 2017), Germany, of critical importance due to its “Energiewende” (Szulecki, 2017), Poland or another Eastern European state to catch dissonant perspectives on energy security (Ibid), France, due to its relative importance in European politics, and Italy, for reasons which will become evident in the analysis. The inability to include these perspectives and states is to the detriment of this thesis, but the inclusion of sources that would be translated (and with lacking knowledge of context) meant that the exclusion of these sources was considered the best option. The analysis is drawing on sources from the UK, Norway and the EU, as well as some international outlets that are preoccupied with the various security “niches”. This inclusion of niche media outlets expands the perspectives, in particular for cyber security. In the early mappings of the discourses on the different security concerns it became evident that these expert discourses are to some extent internationalized, or at least there appeared to be a certain common western understanding. On cybersecurity for instance it was evident that a lot of expert formulations and understandings referenced in the European discourse were emanating from US security experts. The inclusion of these sources will be elaborated on later in this chapter.

The number of events analyzed posed a challenge for this thesis. As I am interested in comparing how risks are understood with or without the digital components, my analytical focus is in a sense limited to two “events” or different topics. These events are approximate and overlapping in time, but relate to different material realities. It is therefore a comparison not of how understanding is developing over time, but on how different material objects within the same timeframe and same entities are understood differently. The selection of “events” is narrowed down then to those texts and discourses that relate to the risks in the “old” energy system, and those that relate to the newer digital systems (Hansen: 80, 2006). Yet the selection could not, for the sake of feasibility, be an examination of all texts on digital versus non-digital risks. I therefore chose to further narrow the events down to four main “cases”. Two of the cases are based around a digital and a non-digital security event in the energy system, both happening at approximately the same time and gaining widespread media attention. The non-digital case was a gas explosion in Austria, blamed on a technical failure, which led to shortages and disruptions in the European energy system. The other is a cyberattack against a Ukrainian power plant, serving as a framing event for the larger concerns with hacks targeting the energy system. As these two cases were considered to be too limited as stand-alone cases for a wider debate I chose to complement them with a reading of a broader set of concerns relating to the power grids, both digital and non-digital. The latter case is based on a larger set of texts as the scope of the concerns are broader as well. The process of text-selection will be examined in more detail later.

Secondly, I had to set the temporal limitations of the thesis: energy systems and our understandings of them have changed over the years, as such it became a point to only include contemporary understandings of the risks to the systems. As a preliminary limit I therefore based myself on sources spanning from January 1st, 2014 up until the time of writing. This was done so as to only include the most relevant sources for the current discourse on energy systems and risks. Still, these limitations put some severe constraints on the ability to gather enough material, particularly on risks as understood in the digital system. As I started collecting and analyzing the material there was a large discrepancy in the number of articles, statements and publications on the two issues. I therefore faced a choice of either dealing with a smaller set of sources for the digital risks, or expanding the timeframe from which I gathered sources. In the end I opted for the latter choice, allowing for articles and empiric material going back as far as 2009 for the digital risks. This could be considered somewhat problematic, as it introduces possibly disturbing elements that could impact the thinking, yet in the end I deemed it necessary to gather sufficient sources. Furthermore, the main focus of this thesis is not to map the developments in understanding over time, but mapping the understanding as it relates to different material objects in the energy system. The understanding and writings on cyber security is still fairly new, and might even be considered to be in its infancy, and as such I did not expect (nor observe) any shifts in the understanding of the risks inherent in the digital systems. I considered it to be more harmful to the validity of the thesis had the temporal scope been expanded on the issue of energy security, as this could have been the subject to larger shifts in the understanding of the topic.


3.4 Operationalization and the research process

To make sense of the different statements and logics, the understandings and formulations of problems need to be operationalized. That is, the theoretical framework needs to be taken down to the level of the individual text, so that they can be analyzed as more or less representative of certain understandings. In this context I have chosen to examine the texts in light of three dimensions, or “representations” of the problem of security.

First of all, I will analyze how the texts portray and understand the “source” of security. A danger and security concern must stem from something, and is understood in a particular manner. As argued by Aradau (2014) these understandings of what the problem is, and the questions they pose, are important factors to consider when formulating a response or a “solution” to a problem. I will therefore select texts that look at different security concerns, and map and look at the way in which the systems are considered threatened. What the threat is made up of, how it is conceived to work, and the features it has will be the main focus of this segment. I will look for how uncertainty and unknowability is framed and understood, if the security-problem is conceived to be unknowable, centered on a threatening actor or the system itself, and the implications of this understanding of the problem.

Secondly, I will look at how the impact is represented and presented. Is the impact of a security event small and local, or is it a large and catastrophic event? A primary interest will be to what extent the impact is conceived of as known and measurable, or if it defies the ability to measure the impacts. In this sense I will look at the perceived knowability of the impacts of a security event. The main dividing line will therefore be between the impacts that are “known”, and thereby able to be planned for and dealt with, or whether they are “unknown” and impossible to predict. Together these two aspects of the security concerns, danger and impact, constitute the “problem” of security, which again defines the solutions and tools of management that are deemed reasonable and appropriate.

Finally, I will assess how the mitigating responses are formulated, if at all. It is an assumption that the proposed “solutions” to security will be a result of the previous two representations: as the way in which we solve problems are dependent on the way in which the problems are understood, and the impact they might have. In line with the theoretical underpinnings of this thesis different representations of the security events are understood as giving rise to different “solutions” to security as a problem: aiming for resiliency, prevention, or other means of combating security events. As argued in the theoretical framework it is not expected that this relationship works exclusively in one direction: the solutions and tools of management available could also impact the way in which the problem of security is framed. The reading of the proposed solutions and tools of management will be wary of this dynamic as well, attempting to avoid the assumption that the problem is necessarily prior to the solution.

I do not expect that all the selected texts will provide representations on all three of my risk-dimensions. On the contrary I expect that most of the texts will deal with only one, or possibly two, of the three dimensions. I do not consider this as particularly problematic as the larger “corpus” of text will hopefully provide sufficient data on all three dimensions to draw valid conclusions (Hansen: 53, 2006). The texts analyzed in this thesis will be drawn from a variety of sources primarily subdivided into three groups.

One grouping is a variety of policy documents, strategies and communications by the European Union, and the relevant governments and their agencies. In mapping these publications, I used a variety of methods, from accessing government websites, assessing secondary literature to identify key texts, as well as simple web searches. While I cannot claim to have analyzed and examined all policy documents and publications on the issue the total corpus of the texts should include most key texts. In these publications I looked for examples and statements on how they visualize and debate the security concerns relating to the energy system, the solutions and mitigating attempts that are suggested, and what they imply about how the security concerns are visualized and thought about.

Secondly, I will draw from a set of media articles and publications internationally, looking at the wider discourse and debate on the security issues of energy and digitalization. These texts represented the largest body of texts, numbering in the hundreds from a variety of different international and national outlets. The outlets examined were The Guardian, BBC, Bloomberg, Reuters, Interfax, Aftenposten, Verdens Gang, NRK, The Economist, The Telegraph, The Independent, The Times, Politico.eu, and EU Observer. The sources are chosen due to the existence of archives and/or searchable databanks on the content. I have chosen a set of papers and publications attempting to cover as large a set of ideological foundations and considerations as possible, so as to maximize the potential for drawing valid conclusions. While this is not considered as a “whole” universe of the media discourse on the topic I hope to analyze a large enough set of articles and data points to make the analysis valid to some extent. It is important to note that as I am tracking how “experts” create problems the articles analyzed had to have some form of expert statement or analysis to be included.

Finally, I have examined a set of expert and niche newspapers, organizations, companies, and publications on the issue, locating websites and magazines that deal more in-depth on the issues of energy security and/or cyber security. These outlets were by nature more “international” in their outlook than the media outlets chosen, and far more international than the policy papers. For the sake of cyber security, the discourse could to some extent be called a “western” discourse, as the different expert outlets to a large extent referenced the same sources. For the sources on cyber security the main sources were a set of dedicated “niche” webpages dedicated to issues of cyber security, the publications and lectures held by key security firms, as well as academic articles on the topic. For the case of “traditional” energy security discourses the main outlets were a set of international organizations dedicated to the topic, niche webpages, as well as academic articles. These included the Oxford Energy Institute, GasConnect Austria, Energypost.eu, International Energy Agency, Global E-sustainability Initiative, International Renewable Energy Agency, World Energy Council, Security Affairs, Dark Reading, Schneier On Security, Krebs On Security, Security Week, Tripwire, Computer Weekly, Wired, FireEye, Symantec, Darktrace, Kaspersky, ESET, Dragos, McAfee, F-Secure.

For the two cases of the gas explosion and the Ukrainian hack I collected data from the chosen outlets and examined all texts and publications on the issue.2 As the events produced a limited set of articles I did not have to perform a selection beyond choosing the relevant outlets and sources. For both events I attempted to collect from a wide variety of sources, never less than 10, representing different positions and coming from all three types of sources.

For the cases depicting the wider discourse I had to select the content, and I therefore used a filter in searching for texts. For the articles on cyber security I examined the web-archives of the aforementioned websites, using a variety of search words: “smart meter”, “smart grids”, “cyber security grids”, “cyber security critical infrastructure”, “cyber security energy”, “cyber security electricity”, “Internet of things”, “Risk+cyber”, “cyber+resilience”, “preemption”.

2 The exact outlets utilized in the different analyses will be noted in a footnote in the analysis chapter.

After a brief reading of all articles matching that search the articles that were deemed relevant were catalogued and re-read for conceptualizations at a later date. The criteria were formulating a security concern that could be mapped in one of the three dimensions, the inclusion of expert statements and analysis as well as relevance for the case. For example, an article on cybersecurity relating to criminality and scams was not included, as it was not deemed relevant for the security of the energy system. The initial search yielded hundreds of texts, which were filtered down to 112 articles, texts, reports and statements.

For the texts on energy I used the same method for searching and filtering the articles, utilizing the search terms: “energy security”, “gas security”, “power grid security”, “power grids”, “energy shortage”, “supply security”, “supply disruption”, “risk+energy”, “resilience+energy” and “redundancy+energy”. As the focus of this thesis is on energy security in terms of risks and vital systems I attempted to sort out those that were not deemed relevant, for instance those that focused on the purely geopolitical and strategic side of energy. In those cases where these geopolitical aspects could be considered as a “risk” to the vital system (for instance in terms of gas pipelines and dependence on Russia as a supplier), I chose to include them. I also narrowed my focus to deal with energy security in terms of the vital systems, incorporating those articles that focused on gas pipelines and electrical infrastructure, not peak oil and other related concerns. The initial search here also resulted in hundreds of matches, filtered down to 171 articles, texts, reports and statements.

For all texts I followed the references to subsequent material that was considered relevant. The inclusion of sources referenced and mentioned, explicitly and implicitly, rests on the assumptions of intertextuality. The concept, coined by Julia Kristeva, argues that the full meaning of a text is never given by the text itself but rests on other texts and writings that underpin certain arguments and understandings (Hansen: 55, 2006). Thus, the references, links and connections created a sprawling web of interconnected texts and narratives that rested on a larger body of textual work (Ibid). Acknowledging this I attempted to include these texts and references in the analysis to a large extent. While I did not set any clear boundaries on the extent to which I would follow these links and references, I attempted to do so consistently throughout my readings. This led to an inclusion of sources beyond the primary filtered content, which was included to the extent the texts fit into the framework and research question.


3.5 Clarifications, validity and reliability

This thesis is in line with a qualitative research program, and as such it ought to be considered on the basis of the criteria of the program. This means, among other things, that the research process implied above has not been as straightforward as the methodology might suggest. In particular the circular work on collecting data, working with concepts and theories, reformulating the finer points of the research question and collecting further data, has been the mode of operation in this thesis (Bryman:378, 2016). Initially I attempted to map the articles in a short span of time, dedicating two weeks to the gathering of the material and categorization. This was done to minimize the impacts of other potentially disturbing elements in the data-gathering process. I assumed that spreading the mapping over a large time-span could lead to the criteria shifting (unconsciously) during the process. As a result, the main body of texts was mapped and gathered during the same period. Yet, the thesis underwent revisions along the way. This has led to several rounds of collecting data, recalibration of the search filters and assembling theoretical clarifications along the way. While the overarching theme and direction of the thesis has been constant, it has taken many incarnations and followed different paths. One illustrative example was the increasing focus on concepts of resilience and risk in the formulation of the research program, which necessitated additional rounds of data collection in order to incorporate articles or events that could otherwise have been forgotten in the research. This should not, however, be interpreted as a sign that the theoretical foundations were absent in the earlier stages, or that the theoretical arguments came from the empiric material (Bryman:381, 2016). The theoretical focus and foundation of this paper was present all along, but during the many rounds of recalibration the focus and scope of the concepts analyzed grew narrower for each incarnation.

As mentioned the thesis includes texts analyzed that were not part of the additional search, but which were included through references, quotes, and links. This process of intertextuality, or the referencing to and building upon other texts, posed some questions towards the scope of the analysis. First, this led to an expansion of the geographical area of the analysis. The different publications and statements did not deal exclusively with European or domestic events, and as such this thesis had to look at how incidents happening in other parts of the world were interpreted. This should not be considered a large problem, however, as the events had to be interpreted and made sense of in the discourse and setting analyzed. This is most evident in the analysis of security practices in the electrical grid, where the primary incident occurring in the given time-span was a major blackout in Southern Australia. This event became important for the debate and the understanding of the security concerns, in particular for the UK publications. Therefore, the analysis and arguments addressing that blackout are included in this analysis, but are given through the prism of the European discourse. Secondly, and as mentioned above, on the topic of cybersecurity the texts referenced and quoted implied an international discourse. This has led to the inclusion of experts, scholars and publications that are not exclusively “European”, but which nonetheless have been important and critical in the framing of security events in Europe. As long as the publications and statements were used and contributed to the understanding of the problem also in a European context I will argue that their inclusion is relevant and defendable.

Reliability, the ability to reproduce the findings of a particular research program, and validity, whether or not the claims in the thesis can be said to hold true, are somewhat contested as to their application for qualitative research. A further concern is whether the concepts can be transferred as they are, using the same basic concepts as in quantitative research, or whether one needs another set of meanings for the concepts when utilized on a qualitative research program (Bryman:383, 2016). While an argument can be made that the concepts have less significance in terms of discourse analysis, this thesis will attempt to address the concerns regarding reliability and validity that are deemed most relevant.

Internal validity is concerned primarily with causality, or whether the argument that x causes y holds true, or whether they are merely correlating due to another factor (Bryman:41, 2016). This thesis does not imply any strict causal claims, attempting instead to analyze the difference between how problems are understood and solved. Yet, there are certain arguments that could be made that should be addressed: First, the nature of the underlying energy systems is worth consideration. If the texts and events sampled in this paper were preoccupied with energy systems that were fundamentally different on a long list of features and functions, comparing a digital case and a non-digital one would be futile. An example of how this could have played out would be a comparison of the security of an oil-production facility and the electricity grid. While both systems are in a strict sense parts of the energy system, and could be considered vital, the list of differences in functions and vulnerabilities could be so vast that the main characteristics were the result of these inherent differences more than anything the digital systems could contribute with. To address this concern, I have included a diverse set of cases for both the cybersecurity concerns and the non-cybersecurity concerns. For the systems that are so different from the rest that a comparison might be difficult, such as the smart meters, the new functions and possibilities the digital equipment introduces are meant as a point in their own right.

This thesis is drawing mainly from one set of sources, namely texts. An argument could certainly be made that it would have benefited from the inclusion of a broader methodology of data collection, in line with a mixed methods approach (Bryman: 636-639, 2016). Complementing the reading of texts with other methods would certainly be beneficial for answering my research question, and doing it through a set of semi-structured interviews would be a possible and natural addition (Ibid). In the end I opted to stick to the single-methods approach on account of two main arguments. One was a concern that the constantly evolving and shifting theoretical foundations made the completion of interviews difficult, and risked being useless if they became obsolete. Secondly, the limited time allotted to a master’s thesis forces one to prioritize, and in this instance, I chose to prioritize the examination of a broader set of texts (and cases) over the inclusion of other methods. While I defend the choice I made, I can certainly appreciate the benefits a more varied approach could have provided, and the choice was among the harder ones to make in this process.

A second argument that could be made would be a critique of the sources, and in particular that they do not address the larger spectrum of events and understandings. This thesis tries to address the consequences of digitalization in a broad sense, and it is therefore vulnerable to arguments that the selected texts represent a limited part of the discourse, and as such are not representative. These readings do not cover “all” texts that could be relevant and provide input to understanding how the problems are made. For a topic as large as this, in the limited timeframe provided for a thesis, covering the entirety of the debate was neither possible nor desirable. But when has one read enough? This is a fundamental question for every discourse analysis, and I have chosen to take a pragmatic stance (Wæver, Hansen, 2002). To address this concern, I have tried to sample a large number of texts and data from a wide variety of sources. Not all texts read were relevant, and those are therefore not included; simultaneously, not all outlets that could be relevant have been consulted. This does not guarantee that all main and minor positions and arguments have been included, but I have tried my best to incorporate as much material as I could feasibly analyze in a coherent and thorough manner. In the end I have based my analysis on 387 different texts from 37 different sources and outlets. While no argument can be made that this covers the entirety of the discourse, I would argue that it strikes a balance between including a large enough amount of empiric material and making a thorough reading of the texts possible.

A final critique I have considered is the choice to not list all of the texts used in the analysis, instead referencing the outlets and my criteria for selection. The decision to not create an exhaustive list of all texts analyzed could be said to harm the reliability of the thesis, as it makes it more difficult to reproduce the result. In the end I am confident that I have provided enough information on my criteria and outlets to make such a reproduction possible, choosing a less time-consuming route of presenting my empiric material. In my consultation of previous discourse analyses, including all texts read did not appear to be common practice either, and I have only referenced those texts directly referenced or cited (See: Szulecki et.al., 2018, Hansen, 2006). It is, however, evident that listing all texts analyzed would have enhanced the reliability, and been a boon to the thesis. I hope that listing the outlets and the methodology used to access those texts is a valid replacement; the choice was taken after much deliberation on the pros and cons.

4. Background

To understand the impacts of digitalization, the process of including digital solutions into the energy systems needs to be described and understood. While digital solutions are implemented widely across all industries, the way in which this happens is not necessarily the same. Therefore, I will briefly map the different processes, reasons for, and ways in which the digital solutions are being included and added to various parts, new and old, of the energy system. Following the examination, I will go through the history of cyber security, highlighting how different events helped shape the understanding of cyber security today.

4.2 The changing energy system

In a sense energy has always been vital to societies, yet in pre-industrial societies that vitality was primarily dealt with at the level of the individual and the family: the dependence on firewood for cooking and keeping warm was not the task of the state, but resolved within smaller social units. As modern societies transferred to fossil fuels like coal and oil, the dependence on the energy sources intensified and deepened (Yergin, 1991). Energy now became increasingly vital to our ways of life, underpinning a long list of functions and systems in our modern societies. Furthermore, as energy systems became complex, and the expectancy became uninterrupted supply of energy in societies, protecting the energy systems became the role of the state in line with the rise of “vital systems security” (Collier & Lakoff, 2015). In addition, the uneven distribution of energy sources, in particular oil, meant that the energy sources increasingly were viewed as having strategic value. In the wake of the 1970 oil crisis, the strategic importance of energy became striking: the uneven distribution of energy fuels giving rise to ideas of competition and dependencies (Yergin, 1991). Energy thus became an object of security both in a strategic sense, and in a critical infrastructure protection sense. The security of energy became a multifaceted beast, covering notions of war and strategic competition, vital systems, and the dependence on energy in societies, and ideas of climate change, pollution and societal wellbeing (Szulecki, 2018).

Since the mid-2000’s, however, the nature of energy systems in Europe has been changing. Partially the sources of energy have changed, as renewable sources of energy have become a larger share of the energy mix; simultaneously, the addition of digital systems to all industries has taken place in the energy sector as well (See: Eurostat, 2018). Partially this has been a political choice by institutions like the European Commission pushing for a larger share of renewables in all of its member states, partially it can be explained by technological innovations making renewable sources of energy more feasible (See: European Commission 2006 and 2010). As concerns on issues like climate change, rising sea levels and pollution in general have risen to the fore, the push for sources of energy that are less harmful has become more prominent (Ibid). An additional rationale for the move towards renewables is the economic considerations, particularly the fluctuating prices of fossil fuels. As these prices fluctuate, their importance for modern societies has repercussions in the economy of states that depend on them. Replacing these volatile imports with domestically produced energy makes economic sense in a variety of ways, through the creation of jobs, lessened imports, and less volatility (Ibid). These economic rationales also result in attempts at harmonizing the energy systems across states, creating an internal market for energy and increasing flexibility through increased cooperation (O’Sullivan et.al., 2017). The dependence on imported fuels has also become an argument in a strategic sense, as it puts the importing state in a position of disadvantage. For Europe this has primarily meant that the dependence on Russian gas and oil is problematic, even more so in later years when the tensions between Russia and the rest of Europe have been rising.
While some have argued that this dependence might be beneficial, as liberal economic theory states that economic dependence fosters cooperation, the overriding narrative has been one where supply dependence is considered a security problem (Johansson, 2013).

The move from fossil sources of fuel to renewable ones comes with its own problems and challenges, however. While renewables mean the utilization of energy flows instead of energy stocks, the way in which these flows produce variable output is not uniform (Moriarty et.al, 2016). Up until the mid-2000’s renewable sources of energy were synonymous with hydropower or biofuels like wood (See: Eurostat, 2018). Both hydropower and biofuels have been categorized as one “tier” of renewable sources as they are to a large extent able to be stored. The construction of hydro dams and reservoirs means that the energy potential of rainy days can be stored and saved to periods of time when it is needed. While rainfall is highly varied and intermittent, the use of rainfall as a source of power does not have to be (Moriarty et.al, 2016). This is not the case for the second group of renewables, mainly solar power and wind. Unlike the first group of renewables, the intermittent nature of wind and solar results in energy outputs that fluctuate from one day to the other. The fluctuating and intermittent nature of renewable sources has been used as the main argument against a move towards renewables, aside from costs and feasibility (Ibid). At the same time the renewables have the added benefit that they do not need large industrial facilities to be effective; this has led to a growing number of energy consumers producing energy in small-scale plants that might be as small as a single consumer. The rise of distributed energy systems and companies has been a strong factor in the implementation of computer chips and digital components in the energy systems (Slayton, 2013).

To manage these new and intermittent sources of energy a varied set of solutions has been proposed. Some, like the storage of electricity in batteries, have so far not been made commercially viable. Others, like the creation of integrated “supergrids” spanning large regions or even continents, able to transport energy from areas of high input to areas of low input, have started to take place with the construction of “interconnectors” between different geographical locations (Slayton, 2013). To deal with the fluctuations of renewable sources the energy systems themselves must become more flexible, able to deal with sources of energy that might completely dominate the energy mix one day and provide almost no output the next. To manage these unpredictable and fluctuating energy sources the electrical grid is growing more dependent on automated control systems that can manage and respond to these abrupt changes. The more complex and interconnected the systems are becoming, the more their core functions will be performed by digital solutions that are able to balance the differing loads within seconds (GeSi, 2008). Some of these mechanisms, such as On-Load Tap-Changers (OLTC), are already in place, together with a host of other digital solutions like remote cut-off switches, smart meters and SCADA control systems (Ibid). As the machines and industries running and supplying the energy systems are growing more and more digitalized, these cyber-physical systems become vulnerable to failures and faults in the digital components.

The requirements put on the system by the intermittent renewables are mirrored in a set of measures to improve the efficiency of the energy systems. Driven by similar considerations as the push for renewables, the use of digital solutions to improve the efficient use of energy has been promoted as a solution with large potential benefits (See: European Commission 2006 and 2010). Driven in part by notions of digital utopianism, in part by political concerns, and in part by restructuring of the industry, digital solutions have been implemented in many ways and forms in the energy system (IEA, 2017). These processes have complemented and added to the use of digital solutions to allow for more widespread adoption of renewable energy sources, furthering the adaptation of digital solutions (Slayton, 2013). One of the ways in which this works is by allowing for a more even consumption of energy. The use of energy tends to fluctuate widely within a single day, as more people use energy at the same times of day as the population at large makes dinner, goes to work, and follows the daily rhythms of the day. These daily peaks and valleys of consumption are made more pressing in line with seasonal variations, as the winter demands larger energy use for heating in the extreme northern and southern parts of the globe, and warmer periods do the same for societies straddling the equator. As a result, the energy system, and in particular the electrical grid, has to build in excess capacities to manage the fluctuations in supply and demand (Ibid). Through the collection and analyzing of data, energy companies could optimize the production and consumption of energy, preventing wasted energy and improving efficiency (IEA, 2017).
One of the digital solutions that has been proposed is the so-called “smart meters”, or Advanced Metering Systems, which attempt to deal with these fluctuations by providing, for instance, more accurate information on energy usage (See: European Commission 2006 and 2010). As a part of a large number of demand-side responses, the smart meters and similar solutions are intended to shift energy consumption from hours of high demand to hours of oversupply (Ibid). These types of digital efficiency gains allow for a lower usage of energy, providing additional benefits on top of the abovementioned implementation of renewables in the systems.

This increased dependence on digital solutions ties into an already ongoing process of general digitization in the name of efficiency and economic gain. To cut costs and improve the economic efficiency of companies, more industrial functions are being connected to the internet and made automated. By controlling the industrial machinery through digital tools, the digitalization of industries allowed for greater centralization and coordination. The logics of economies of scale, in conjunction with increased complexity in industrial systems, led to a widespread implementation of digital solutions in the energy industries (Slayton, 2013). These cyber-physical systems, whether through programmable logic controllers, SCADA-systems or remote-connectivity options, have meant a proliferation of internet connectivity already in the energy systems. As these connections have primarily taken place in the areas that were already considered “critical”, and the impacts have so far been relatively mild, the impact on security-management has been relatively modest, yet growing. As the energy systems become more and more digitized, however, increased scrutiny is being placed on the issue of cyber security (Ibid).

4.2 A brief history of cyber security

Cyber security and the prospect of digital technologies being utilized by criminals, states and other entities has been a pressing issue ever since the Internet tied the world together in the early 90’s. The earliest stages of started as far back as the 80’s, before the commercialization and rapid spread of the Internet made the issue a mainstream concern (Healey, 2013). The earliest attacks, like the Cuckoo’s Egg and the Morris Worm, highlighted the vulnerabilities in the digital technologies and the possibility to manipulate the processes to steal and disrupt information (Ibid). Yet, in the early stages the main attacks and were targeted at the information itself, taking the form primarily of espionage and computer viruses, not more large-scale disruption and sabotage (Klimburg, 2017).

The continued spread of digital technologies made the use of cyberweapons in conflict, and as a means of exerting influence, more relevant. The late-2000’s saw several notable events in cyberspace come to the fore. Some, like Buckshot Yankee and Titan Rain, were still mainly in the mold of information campaigns and the theft of sensitive information, though the scale and sophistication of the attacks were now growing (Healey, 2013). Others, however, highlighted the possibility of utilizing digital tools as a means of harming societies and states: the campaigns against Estonian state services in 2007 saw relatively simple digital tools being leveraged against a sovereign state to some effect, through denial of service-attacks (DDoS), spam, website defacements and attacks on the digital infrastructure of Domain Name Servers. While the attacks ranged from small nuisances to takedown of governmental services, the overall effect was mild in total. As such the attack has earned notoriety as a first-case of political pressure exerted through cyberspace more than anything else, particularly as the incident is widely considered to be linked to a political feud between Estonia and Russia at the time (Schmidt, in Healey:174-192, 2013). The political and destructive use of cyberspace against an adversary was then highlighted again in the Russia-Georgian war, when patriotic elements at the encouragement of the Russian state used cyberattacks to disrupt the ability of the Georgian state to fight back. The attacks, primarily targeting government-institutions and the communication infrastructure, had a disruptive effect, and weakened the ability of the Georgian state to fight back efficiently (Hagen, in Healey:193-204, 2013).

At the end of the 2000’s the argument for the utility of cyberweapons in international conflict, and as a means of targeting and harming societies at large, was starting to get empirical cases to validate its claims. Yet the ability to go beyond the digital domain and inflict physical damage had not been demonstrated beyond hypothetical test-cases like the Aurora Generator Test (CNN, 2007). Some cases of physical sabotage, like the explosion of a Soviet Gas pipeline in Chelyabinsk, had been claimed but not verified (Telegraph C, 2004). This changed at the onset of a new decade, as details surrounding the American-led “Olympic Games” cyber campaign. The malware dubbed “Stuxnet” targeting Iranian nuclear enrichment facilities in Natanz was widely regarded as a gamechanger, opening the door for cyberweapons as a means of inflicting physical damage in industrial systems. The malware, described as a “quantum leap” in the sophistication of digital weapons, was able to infiltrate, map out, perform surveillance, initiate the attack, and cover up the evidence of its infiltration autonomously. Furthermore, the attack had jumped over an “air-gapped” system, meaning a system that is not connected to the Internet, by spreading through vendors and USB-sticks. Targeting the Programmable Logic Controllers (PLC) of the industrial equipment the malware could send highly specific commands to the equipment in the industrial facility, causing the nuclear turbines to spin at a frequency that was known to cause malfunction. The complexity and sophistication of the attack, as well as its successful targeting of industrial functions, meant that the prospects of cyberweapons causing physical damage had definitely moved from the realm of the hypothesized to the realm of observed reality (Morton, in Healey:212-232, 2013).

Using cyberweapons to target industrial systems, in particular those underpinning vital systems or critical infrastructure, has been a mainstay of cybersecurity debates in the media since at least 1995 (Klimburg:3, 2017). Since the Stuxnet-attack became known in the wider public, however, several attacks and malwares targeting critical infrastructure and industries have been discovered. Both the Havex/Dragonfly and Black Energy 2 campaigns were targeted at gathering information and mapping out the industrial systems, while the Ukrainian electricity system was hacked and disrupted in 2015, leading to small-scale blackouts (Dragos A, 2017). While only the latter attack led to any actual disruption or damage, the attacks have been interpreted by some as a harbinger of things to come (Zetter A, 2016). Finally, in 2014 unknown hackers attacked a German steel mill, resulting in “massive” damage (Zetter, 2015). In late 2016 Ukrainian power grids were hacked once again, an event that is discussed in greater detail further down, while the “Trisis” malware was discovered in the security systems of an unknown Middle Eastern chemical plant in 2017 (Dragos B, 2017).

In total the use of cyberweapons against critical infrastructure has a limited history of recent use. This has not stopped a wider debate on the potential implications of cyberattacks against critical infrastructure, and the energy system in particular is frequently mentioned as a possible target (Simon-Levis, 2017). The digitalization of the energy system, as described above, is furthering the idea that energy systems are particularly vulnerable to cyberattacks. Yet, the way in which cyberattacks are conceptualized and protected against is not necessarily the same as other security events. The way in which the threat is understood and dealt with has larger societal implications; in the following segment we will examine the way in which the problems and solutions have been understood and made into practice in the energy systems. The debate will start with an examination of how certain security events are problematized and solutions are proposed, before moving on to how a digital security event was problematized. It will then move on into a wider debate on how vital systems are secured, the threats they are protected from and how novel digital solutions promote certain problematizations and solutions at the expense of others. I will examine how cyberattacks are being problematized as a “catastrophic event”, which cannot be dealt with through practices of redundancy and reliability, but where the solutions take the form of precautionary measures, preemptive security practices like (passive) surveillance, and a larger move towards resilience as a tool to deal with unforeseen, unpredictable, and disastrous events.

5. Analysis:

The following segment will be an analysis of different events, concerns and security problematizations relevant for the energy sector. First, I will present two recent security incidents affecting the energy system: the Baumgarten gas hub-explosion and the Industroyer-attack on the Ukrainian power sector. One of the events will represent a “normal” security incident in the energy sector, while the other represents a cyber-security event. How these events were understood and talked about will be presented through a reading of a selection of texts and papers. As these two events are not necessarily representative of the wider debate they will then be complemented with a wider reading of security concerns pertaining to the two issues, which will be based on a reading of a broader set of sources. The aim of this section is to present the empiric material of the thesis, and present the main differences in how these security events are understood. To present the argument in the most readable form each event will consist of two parts: one will present the empiric material for the case, the main findings and representations that were present in the texts and how problems were understood, and solutions proposed. Subsequently I will discuss the empiric material to discern which security logics and epistemic understandings dominated the texts, and the assumptions they rest their understandings on.

5.1 An Austrian Gas Explosion

The first case examined here is an analysis of how an explosion in the energy system became understood as a security problem, and the solutions that were proposed to deal with it. The analysis is intended to present the main understandings and narratives surrounding the event, which will subsequently be discussed. The event is the explosion at the Baumgarten gas hub in Austria in December 2017, which, killing one and injuring 18, led to shortages in gas supply in Italy and other European states, as well as more widespread shortages in the European gas market (Telegraph A, 2017). The explosion was widely covered in European and international outlets, as well as being the subject of analysis in the aftermath. The following segment is based on a reading of 57 different articles, reports, and analyses³. Basing the initial search on 10 different media outlets, the analysis has included all articles covering the event in those outlets, as well as the texts, reports and analyses referenced to and mentioned in those articles.

³ The main outlets were: Guardian, BBC, Bloomberg, Reuters, Interfax, Aftenposten, Energypost.eu, Verdens Gang, NRK, The Economist. For the media outlets all articles covering the event were included. In addition, publications by Oxford Energy Institute, GasConnect Austria, and the EU Commission were consulted and analyzed.

Almost all the texts and analyses shared the same main understanding of the event as an accident, and one that was exacerbated by a set of naturally occurring and unavoidable phenomena. While the degree to which the event was “unpreventable” varied slightly, the main position taken was broadly similar. This reasoning, and the way it was made worse by other unpreventable events like severe weather, is exemplified by the following statement:

“A blast about 9 a.m. at the Baumgarten compressor station killed at least one person and injured at least 21 people, interrupting flows at one of the main points where Russian natural gas enters Europe. That followed two days of snow in London and cooler-than-normal temperatures spread from the Alps to Scandinavia, which is raising demand for heating fuels.” (Bloomberg A, 2017)

While the precise cause of the explosion was unknown (and pending investigation still is), the dominant narrative of the event was not one of failures, ignorance, and insufficient practices. The incident was described and understood as a “technical problem”, with only Russian media outlets countering the narrative by describing the incident as the result of “Safety violations” (Interfax, 2017). While the dominant narrative was thus centered on the event as an accident, what the accident was thought to represent was also a noteworthy element: the way in which naturally occurring phenomena and perceived randomness became perceived as a feature of both the system and the world at large promoted an overarching understanding wherein these types of events will at some point occur. The main takeaway here is not that the precise event could not have been avoided, it is that avoiding all of these events is not feasible. These risks were considered to be a factual part of the energy systems, they will always to some extent be there: “Pipelines are always vulnerable; what we’re dealing with here is explosive substances” (Bloomberg A, 2017).
As the occurrence was presented as “unavoidable” - in that preventing extreme weather conditions, accidents and human errors is doomed to fail at some point in the future - the planning and preparation for the events become about preparing for the consequences. Statements like the one above exemplify how these concerns with uncertain and unforeseeable events were made to be an unfortunate aspect of the energy system. Planning for these types of events, understood as “an unfortunate series of events [that] led to a tragic accident” (GasConnect Austria, 2018), thus had to take this reality into account. While the investigation is still pending (ibid), and any conclusive remarks on what caused the event cannot be stated, the dominant narrative in the texts portrayed these types of events as unpreventable. While the event was deemed low-probability and “the craziest week in European Gas” (Bloomberg D, 2017), the inability to prevent the total body of low-probability events was regarded as a problem that had to be dealt with.

The dominant narrative thus framed the actual event as part of a larger set of events: the manifestation of the inherent risks in the energy system that cannot be avoided in total. The texts and analyses rested their understanding of the unstable and unpredictable low-probability events on a further understanding of the problem of managing these types of uncertainties. The security solutions and risk management technologies proposed in the texts centered on managing the unpredictable occurrences through redundancies, diversifying, strategic storages, and other measures of reliability. This understanding that the system was unpredictable, yet manageable through known impacts, was evident in the majority of texts, and can be represented by the analysis of the event performed by the Oxford Energy Institute based on EU suggestions for supply security:

“The European Union Agency for the Cooperation of Energy Regulators (ACER), recommends in its Gas Target Model that EU member States should: 1) have at least three distinct origin sources (defined as gas-producing countries or countries hosting a liquid hub from where gas is purchased); 2) have a market concentration, as measured by the Herfindahl-Hirschman Index (HHI), lower than 2,000; 3) have the capacity to meet yearly demand without their largest upstream supplier, which equates to a Residual Supply Index (RSI) greater than 110% of demand. So why has Italy, which complies with 1) and 3) and should therefore have the capacity to meet yearly demand without its largest upstream supplier, faced two gas alerts in less than a year? The obvious answer is: Italy’s market-concentration is too high with an HHI higher than 2,000.” (Oxford Energy, 2018)

The three abovementioned “solutions” are not intended to prevent accidents from happening; rather, they take the vantage point that accidents will occur. The solution of “having three distinct origin sources”, for instance, implies both that any one of them can fail at any given time, and that the solution to this problem is the diversification of the energy sources. While not all texts promoted solutions, those that did followed the broad logic of managing disruptions as they occur, in line with the paragraph above.

This did not just reference existing measures and existing plans, but became a call to action for new security measures. The inability of the Italian state to secure additional import routes, mentioned in several texts, became a security failure because the event is made to be unpreventable and a feature of the system. This created the political room to propose solutions such as the creation of additional import routes, as the quote below illustrates:

Carlo Calenda, the Italian industry minister, said the country must grapple with a serious energy supply problem and underlined the need to develop the Trans Adriatic Pipeline (TAP). The project is designed to give Italy a new supply route but has been delayed by protests. (Guardian A, 2017)

Italy was not alone, however, in being singled out as a state lacking the necessary excess capacities and storages. Take the following assessment of the UK system for managing incidents, which was prominent in the UK outlets covering the event: “Britain lacks the gas storage sites and web of interconnections that make most continental European markets better able to cope with disruption.” (Bloomberg A, 2017). The texts thereby understood the main security failure as a lack of diversification and sources, and the states and political entities that did not secure these excess capacities were to blame. This was not only true for the functioning of the system, but also the sources and imports of the energy system, making incidents where technical equipment fails an occasion to highlight all other potential failures, be they political or technical. A limited number of experts and texts took the event as a starting point to discuss and mention other security issues that were framed as concerning. This minority used the technical failure at an Austrian plant as an occasion to examine all vulnerabilities in the system, with calls like “Politicians across Europe called for diversification of the region’s current reliance on Russian gas” (Bloomberg B, 2017). Partly this was introduced as a related concern in its own right, partly as an added potential benefit of diversifying.

5.1.2 Understanding Baumgarten

In the texts analyzed, the clear main narrative portrayed the events as a “technical failure”, with only a few Russian sources promoting the idea that the incident was due to a “safety violation”. At first glance the difference in words chosen is not significant, yet the slightly altered wording implies two different understandings. Utilizing the term “safety violations” aims at explaining the event as something avoidable, which again implies that the event could and should be prevented. The understanding of the event as a “safety violation” thereby places the incident more within the framework of ignorance/secrecy, where the event's occurrence could have been prevented through better and more thorough security. Technical failures, on the other hand, imply a sense of randomness and unavoidability that cannot necessarily be prevented. While one technical failure can be prevented, through the creation of a new device or the improvement of existing devices, the larger group of events “technical failures” implies that something will at some point go wrong. This larger classification of events highlights an unpredictability and unpreventability that challenges traditional modes of “security”, and must therefore be managed through other means.⁴

The dominant narrative in the Baumgarten incident thereby became centered not on prevention, but on the management of unpredictable risks. The failure did not come about due to ignorance, willed action or incompetence; rather, it was an expression of the inherent risks and unpredictability in the energy system. As the event was understood to be “unpreventable” in a large sense, the failure to plan for the failure of the system becomes the main issue. The ability to “know”, measure, and predict how a security failure of certain parts of the system would play out dictates that security practices aiming at dealing with that shortfall be prioritized. Both the problematization and the solution are co-constituted through the ability to map the consequences, allowing for a certain logic and understanding to frame the main narrative. Even more than mapped, the consequences can be measured and calculated down to precise numbers and percentages. The dependence on a system, power plant or location can take the form of a measurable and easily understandable amount of gas, and the security practices become primarily about ensuring redundancy and the ready replacement if the system were to fail. The precision and level of detail provide easily applicable solutions to a problem that cannot be prevented. Even more, the lack of prevention does not become particularly troubling as long as a sufficient amount of spare capacity is available.

This solution in turn reinforces the perception of the vital energy systems as inherently vulnerable and unstable. This logic of risks and unpredictable security events reproduces and re-manifests itself for every security event: the failure of the system makes the solutions understandable and practical, while the solutions reinforce the perception of vital systems under constant threat of failing. These accidents, extreme weather events and low-probability acts of novelty must happen and are largely unavoidable. The mitigating responses are not prevention but redundancy in the system, by ensuring continued operation in the event of a large supply disruption. The identification of a lack of storage and interconnected systems of supplying energy only becomes relevant through a particular understanding of the security problems, and the way in which they work. The storage of gas, and the ability to switch suppliers, is given by this particular understanding of the security problems in the energy system as risks, and a set of risks where the occurrence is unknown, but the impact is known and manageable. Events like the Baumgarten explosion thereby reinforce the dominant understanding of the risks and challenges in the energy system.

4 While the dissonance in understanding the event is not the main point here, it seems reasonable to assume it can be traced to the geopolitical tensions between Russia and the EU manifesting themselves in, among other things, gas politics. See for instance Godzimirski & Nowak or Siddi in Szulecki (ed.) 2018 for more.

This understanding of the problems and security issues as a certain form of risks was also observed to be a rationale for proposing new solutions that would mitigate the risks and inherent security problems as they were understood and presented. The understanding of the event as unpreventable made possible certain new mitigating solutions to the problem: if events like this cannot be avoided, and the consequences are grave, then the mitigating actions become limited to a set of actions deemed reasonable. Understanding the event in this manner allows for stressing the importance and relevance of existing measures of crisis prevention. The event becomes not a wake-up call and a force for change: rather it reinforces the dominant narrative of energy systems as inherently vulnerable. The explosion thereby brought to the fore only a limited set of problematizations in the texts: the lack of diverse supplies for the Italian gas market, which in turn makes the possible solutions highly limited.

The main narrative identified in the texts thereby conceived of the Baumgarten incident not as a singular failure, but as a manifestation of the inherent uncertainty in complex systems. The only other real problematization, the Russian version of the event as a “safety failure” and thereby more inherently preventable, did not catch on more broadly. The fact that the event occurred at the same time as other pressing factors (weather, other smaller accidents that did not receive the same amount of coverage) made the event part of a larger understanding of “uncertainty and risk”. The proposed security practices were, however, measurable and quantifiable, leading to a dominant understanding of the security practices as centered on redundancy, reliability and resilient systems. The failure to secure additional supplies, storages and diversified imports became a security failure, while the actual event did not. As such the narrative furthered an understanding of the energy system as complex and unpredictable. As an event, the failure of a gas-processing hub highlights a limited understanding and problematization of the inherent risks and vulnerabilities. The dependence on a single point becomes problematic, and the event can be reinterpreted to apply to other facilities and systems. The security practice thus becomes tied to reflection on historical events, which become reimagined to other instances and parts of the system.

5.2 Hacking the Ukrainian Grid

The first case presented a traditional technical failure in the energy system, and the problematization and security practices that were dominant in the texts and analysis in its aftermath. The second case is taken from the world of cybersecurity: in 2016 the Ukrainian power grid was struck by sophisticated malware attributed to the Russian hacker group “Electrum”. The attack, leading to blackouts lasting roughly an hour at midnight on the 17th of December, was done through an automated malware that shut down a transmission substation close to Kiev. The operation, utilizing one of the few recognized cases of malware⁵ aimed at destroying industrial systems and critical infrastructures, was primarily analyzed by security firms ESET and Dragos, providing independent reports that highlighted and underlined the same main findings of the incident. While the event was mentioned in all the outlets examined for this event, they relied primarily on those two reports to form the basis for how the event was understood. Furthermore, the main analysis and debates surrounding the event mainly took place in “niche” outlets focusing exclusively on cyber security. Consequently, these outlets were included to a larger extent than in the previous case. This analysis is thereby primarily based on those two reports and the way in which the event was understood and portrayed. However, the narrative and dominant understanding of the event is corroborated by a reading of all the other outlets and sources, numbering in total 47 reports, articles, presentations, and analysis.⁶

The first noteworthy feature of the Industroyer malware is its leveraging of the legitimate industrial protocols⁷ to implement the attack. By using the correct “language” to communicate, the vulnerability becomes undetectable in that it is a side-effect of the larger architecture and build-up of the ICT-environment. Andrew Clarke, of security firm One Identity, said: “This is as scary as it sounds. First, it’s very difficult to detect because it uses known and allowable code yet in nefarious modes.” (Guardian D, 2017)

5 Malware, or malicious software, is a computer program inserted into digital systems to force operations that the owner of the system does not intend. In this case the malware, dubbed “Industroyer” or “Crash Override” by the different security companies, was used to remotely shut down power plants without the owner of the plant being able to intervene.

6 The main outlets were: Aftenposten, VG, Telegraph, Reuters, Guardian, BBC, and The Economist, as well as “niche” outlets Securityaffairs, Darkreading, SchneierOnSecurity, KrebsOnSecurity, SecurityWeek, and Wired. Statements, lectures and publications by the UK and Norwegian governments were consulted as well.

7 Protocols are agreed-upon standards of communication that allow different digital devices to communicate with each other. The TCP/IP protocol, for instance, is the founding protocol of the Internet allowing different computers to communicate (Klimburg: 35, 2017).

The operation was thus understood in the texts not solely as an isolated event, but as a blueprint and a method that can be repurposed to other scenarios, contexts, and systems. The event therefore becomes understood not as a single occurrence but as a mode of operating. Secondly, the abovementioned focus on the “difficulty in detecting” as a consequence of the leveraging of legitimate protocols makes the possibility of “preventing” such an occurrence difficult. This lends credence to the understanding of cyber security as risks, as the way in which events like Industroyer occur is something that one must expect to deal with. This understanding of the digital domain can be discerned from the following statement from one of the two initial reports on the incident:

CRASHOVERRIDE is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia. (Dragos A, 2017)

The key here is the understanding of the malware not as a single event or tool, but as a methodology for developing tools and understanding threats. The implications are not limited to the systems that operate in the same way; rather, the universe of consequences is delineated to all instances where the same methods and mode of operation could work. The incident becomes understood as an occurrence of risk and uncertainty: it “is not an aspect of technical vulnerability and exploitation. It cannot just be patched or architected away” (Dragos A, 2017).
Additional functionalities make the conceptualization of the insecurity as “risks” even more appropriate:

“Like Stuxnet, attackers could program elements of Crash Override to run without any feedback from operators, even on a network that’s disconnected from the internet—what Lee describes as a "logic bomb" functionality, meaning it could be programmed to automatically detonate at a preset time.” (Simon-Levis, 2017)

The statement above references so-called “logical bombs”, or commands that are preprogrammed to take place at given times. While the focus on “logic bombs” and technical details was not present in most depictions of the event, the overall emphasis on hypothesized development in some form was present. The combination of preprogrammed failures and novel modes of compromise makes the system simultaneously compromised and not. As one can never with 100% certainty state that a system has not been compromised with a logical bomb being triggered at a specific time, preparing for the eventual impact of such an occurrence becomes at a minimum a valid option.

The unpredictable nature of the event was underlined in an observed understanding of cybersecurity as progressing, indicating a form of security that does not only have to deal with the security challenges of today but the theorized development of increasingly advanced methods and tools. This line of thinking can be discerned from the following statement by one of the researchers at security firm ESET, the company that first detected and reported the malware: “Each and every year the attack was more sophisticated than the previous year, I am dreading what will be the next big thing we submit at VB 2018” (Robert Lipovsky presentation at Virus Bulletin Conference 2017). The statement highlights an understanding of the security field as developing and improving: the task of security must consider the continued development of increasingly advanced weapons that are able to cause more harm. This further underlines the understanding of security as a dynamic practice, and the difficulty in securing systems in full.

The difficulties in providing digital security were evident in the texts debating possible solutions to the event. One evident manifestation of this line of thinking can be traced in the long-standing insistence on “Defence in Depth” (Security Week, 2017) and “Human defenders leveraging an active defense such as hunting and responding internally to the industrial control system (ICS) networks” (Dragos A, 2017). Taken together with measures like “Robust backups of engineering files such as project logic, IED configuration files, and ICS application installers should be offline and tested. This will help reduce the impact of the wiper functionality.” (Ibid), these types of measures indicate an understanding of the digital systems as configured to deal with subversion and security failings: this follows in line with the perceived failures put on “perimeter” modes of defense in cybersecurity (Ibid). The move away from “perimeters” aimed at preventing intrusion, and towards systems where intrusions could do less harm, was marked in most of the mitigating solutions promoted in the texts analyzed.

Yet despite this reconfiguration towards managing intrusions, the security of the larger energy system from digital attacks does not hinge solely on the ability of digital systems to manage and deal with incidents. This mirrors the way in which redundancies and spare capacities in the gas system ensure that the function of the system remains intact even when large and critical components fail. This line of reasoning and understanding of security can be traced in, for instance, the following statement in one of the two reports on the Industroyer case:

The grid is a well-designed system, and while damage can be done, it is vital to understand that in nations around the world the electric community has designed the system to be reliable and safe which has a natural byproduct of increased security. In the United States as an example, reliability is reinforced with regular training and events such as the North American grid’s GridEx where grid operators train for events from hurricanes, to terrorist incidents, to cyber-attacks and how they will respond to such outages. There is constantly a balance that must be understood when referring to grid operations: yes, the systems are vulnerable and more must be done to understand complex and multi-stage attacks, but the grid is also in a great defensible position because of the work of so many over the years. (Dragos A, 2017)

Thus, the mitigating actions could take place both at the digital level and at the broader systemic level. The similarities between Industroyer as a security event and other modes of failure allowed for security practices aimed at dealing with other threats to mitigate the impacts of Industroyer as well.

5.2.1 The makings of a cyber threat

Any security concern and danger can be understood and made into security practice in several different ways, and so also for cyber security concerns. The way in which it is understood and made to relate to the system one seeks to protect in turn dictates the way in which security can be provided. In assessing how cyberweapons like this affect how security is understood and sought achieved, we need to assess the question: what is this an example of? The malware in itself has certain effects that influence how security is done, yet by itself the broader impact on security practices works within a limited space. The malware leads to certain responses, as providers of digital security try to adapt to the particular malware, adding the identifying components to the list of signifiers antivirus-programs are on the lookout for. Yet in a broader sense the main point is not the actual malware itself, but how it is thought to be reconfigured and reused in other settings. Put more broadly: which scenarios, imagined impacts and consequences does this event allow us to imagine? How will the lessons taken from one event, happening once and in a particular setting, be made into general rules of protection and security? What we understand of an event's impact and consequences will in turn determine how security practices will change and be modified to consider the more general lessons inherent in a singular event.

A defining feature identified in the empirical material was the surprise and concern with the pace at which digital tools and weapons were developed and improved. Expanding on this notion of novelty and dynamic developments, how this dynamism comes to be understood deserves examination as a feature on its own. The existence of an advanced tool today that did not exist yesterday can be understood and influence practices in two ways. Either the development and increasing sophistication can be considered as a singular event, something that occurred at one point in time and moved the field forward. Such an interpretation would make the increasing sophistication interesting, and something that must be managed, yet it would be a “closed” event that has to be dealt with at a single point in time. Managing the security implications would therefore be centered around the actual developments that had taken place. A competing narrative is one where the development becomes reconfigured not as a singular event, but as a defining feature of the way in which the digital domain works. In this second understanding of the malware the point is not so much that new tools were developed, and vulnerabilities identified; rather, the continuing development and identification of malware and vulnerabilities becomes the way in which cyber security operates and works. Of these two narratives the second, and the focus on the event as a harbinger of things to come, was the clearly dominant understanding of what had transpired. This makes the security concerns centered not solely on what has transpired so far, but on imaginations and speculations extrapolated into the future. This introduces another form of uncertainty, founded not on the random occurrence of accidents and weather phenomena, but on an inability to know the cyber weapons and capabilities that would exist in the future. 
If the occurrence of digital incidents cannot be prevented in full, they become conceptualized as a class of events that could fit into the epistemic regime of novelty/surprise. As the existence of “zero days”, undisclosed vulnerabilities and modes of attack that are unknown is non-zero (and is considered likely to stay that way), protecting the systems must consider the fact that they might at some point be compromised and fail. If the cause of insecurity lies with uncertainty and potential novelty, the epistemic regime of “resilience” becomes the framing concept for how security is understood, at least in part. As a framework for security practices this introduces similarities, as the security practices must deal with potentially unpreventable events, yet also contradictions, as the main source of insecurity stems from an agent and not mere chance.

Other concerns underlined the understanding of cyber security as unpredictable and unpreventable. Noticeable in this context is the concern with “logical bombs”, or infiltrations that have already taken place. If the presence of a logical bomb or similar functionalities in the systems can never be completely ruled out, then the solution to the problem it poses necessarily must deal with the consequences. While the existence of such a weapon is highly improbable, the fact that it can never be completely ruled out makes protecting vital systems from cyber-attacks at least partially about dealing with the consequences of an event. In a wider understanding this hints towards the difficulties in “preventing” digital incidents from occurring, instead taking as a vantage point protection after the fact. If the infiltration and subversion of digital systems cannot be ruled out, then prevention as a form of security cannot be sufficient. The security practices then manifest themselves as practices of reliability and resilience at different stages.

An additional point is worth noting here: the malware Industroyer as an object creates the space for the imagining of similar malwares. While similar modes of attacking the power grid could have been hypothesized, Industroyer as an object creates an observation of this theorized function “in the real world”. In this the malware acts as an agent spurring the reimagination of the incident into other systems, other states, and with other consequences. Before Industroyer these imaginings were taking place on another basis, and with another logic. It might have been a concern someone was thinking about, but after Industroyer it is a verified fact (given that the technical specifications were accurate). Through its impact on the system Industroyer suddenly becomes “real”, and in its wake, one imagines the existence of other objects like it. The creation of something once means that it can be done again. In this understanding of Industroyer it becomes crucial precisely because it starts the imaginations and speculations noted above, and through those speculations becomes practice and knowledge.

With the realization that digital systems can always be compromised, the focus of security has moved from preventing these types of occurrence altogether to managing them as they occur. As such the digital systems come with their own mode of reliability and resilience at the level of the digital systems: they cannot be designed to never be fully compromised, so they have to take into account at least some form of managing the incidents as they occur. This is a reactive form of security that is preoccupied with managing and coping, not strictly preventing. This resilience is in turn dependent on our knowledge of how digital systems fail and become compromised. This resulted in a set of proposed practices aimed at tackling intrusions and minimizing the chance that a successful intrusion would result in widespread damage. The texts and analysis highlighted this aspect of security, and it was a defining theme in much of the analysis in the aftermath of the Industroyer malware⁸. As the mode of attack was novel and hard to prevent, the wider question beckons: how to deal with not just this specific attack and other attacks like it, but the wider existence of novel attacks as a form of risk. Preventing only the known ways in which digital systems can fail would be sufficient if new tools and vulnerabilities were not constantly discovered and developed, yet the understanding of Industroyer in a larger sense reveals that this is not the case: the “unknowability” of future digital security events makes resilience not only about the known way in which digital systems fail, but knowledge of how they fail within the larger context of the energy system. Thus, resilience became not only about the ability of the digital system to deal with intrusion and compromise, but the larger cyber-physical system's ability to deal with the failings of the digital system. This understanding of resilience rests on assumptions of the broader energy system's ability to tackle and deal with failings of individual components.

8 And a previous attack on Ukrainian power plants in 2015 - the one described in the opening paragraph - that was frequently referenced in the texts but not widely debated here.

In the texts on Industroyer this was understood to be problematic, but not a disaster, as the types of failures induced by the malware fit into a frame of larger contingency planning. This is a key point in the proposed understanding of how cyber-attacks against power plants could play out: the problem of security is framed as less severe because the failings fall within a category of “failures” that have already been thought about, planned and simulated. The ability to “know” how a cyber-attack could cause the system to fail ensures that the damage would be contained within the existing understanding and framework of resiliency. The practices of simulating, holding exercises and planning for disasters are done both for cyber-attacks specifically and through the wider preparations for various contingencies, which become transferable to the work on digital security as well. The wider understanding of the cyber events fits within the understanding of unknowable risks, yet the comprehensive work done on planning for unpreventable disasters makes the effects of the occurrence of an unknown cyber-attack manageable through its known impacts. The Industroyer malware then operates as yet another “normal” risk in the framework of uncertainty, resiliency, redundancy and contingency planning that characterize the work on securing vital systems.

5.3 The reliable and resilient power grid

The above cases describe two security events that affected the energy system, one related to cybersecurity and the other not. While there were some notable differences in the understandings of the two security events, two cases are a thin basis for drawing any wider conclusions. To complement the understandings and implications of two cases I have chosen to examine the broader discourse on two types of security concerns: one relating to the broader concerns of the power grid, and one relating to the rise of smart grids and novel digital components. Unlike the two abovementioned cases these debates are not constrained to any particular event, but aim at tracking the broader concerns and mitigating actions towards the energy system. The first case is an examination of security concerns relating to the energy grid, and is based upon a reading of 171 media articles, reports, strategies, and policy papers.⁹

A first example of how the security concerns surrounding the power grid are formulated can be taken from the debates surrounding the British energy system. Due to a phasing out of storage sites and shutting down of power plants, concerns surrounding the ability of the system to withstand shocks have been raised over the last few years (see: BBC, 2014, Guardian C, 2015, Telegraph D, E, F). In part the problem was understood as the phasing out of coal plants, creating thin margins of excess capacity that made the issue of dealing with small-scale disruptions and surges in demand difficult (see for instance: Telegraph D, 2014). The security concern, as formulated in the texts, was a concern with an inability to withstand additional shocks caused by unpredictable events. The calls went out for a host of mitigating suggestions, some taking the form of increased reliability, prevention, and attempts at minimizing the risk that something would go wrong. These practices took the form of interconnectors, improved safety, storages, securing power plants and similar suggestions. Yet, partly the observed calls for security actions centered not on the prevention of shortages, but the management of them. An illustration of this point is the quote below taken from one article on the topic:

National Grid issued the original request by sending a “notification of inadequate system margin” (NISM), a warning that there was not enough power in reserve to keep the lights on in the event of an unforeseen emergency. (Guardian C, 2015)

In the above statement the UK National Grid is sending a warning to power-intensive industries as part of a set of demand-side responses to power shortages. These responses include an agreement for said industries to halt production during periods of strain on the energy system in exchange for lower prices during the rest of the year. 
As a way of securing energy, it is interesting as it is centered on managing unpredictable events that go beyond the regular spare capacity in the system. The systems are not only constructed to manage shortfalls in production, but constructed so as to have mechanisms in place to deal with “unforeseen emergencies”, i.e. risks, that overwhelm the ordinary excess capacity. In the texts these concerns tied into anxiety surrounding climate change and the risk that unpredictable weather phenomena would be more persistent in the future, thus making the need for these types of mitigating actions more pressing. This latter point, and the overall concern with unpredictable and unpreventable risks to the energy system, were also present in the Norwegian sources, such as statements by the Norwegian Directorate for Civil Protection (see: NRK, 2018).

9 The main media outlets were BBC, Aftenposten, The Telegraph, The Guardian, Reuters, VG, NRK, and Politico.eu. The strategies and policy papers were sampled from the Norwegian government, the UK government, and the European Commission; in addition, some reports and analysis from entities like the IEA and IREA were consulted.

So far, the texts, statements, and papers on the security concerns in the power grid have mirrored the debates surrounding the Baumgarten incident. Yet in the texts another strand of thinking and logic was identified as well. While the most prominent concerns related to dangers that could be dealt with within the system itself, another strand of thinking dealt with the risks that went beyond the scope of the energy system. Throughout the observed period the risks towards the electricity grid were understood in two terms: on the one hand the naturally occurring risks that could be handled and managed without the disruption of functions, as the above paragraph illustrates. On the other hand, a second group of risks were perceived as so damaging that the system could not be protected at all. In this case the proposed security actions took the form not of preventing the energy system from collapsing, but of managing its sudden failure and creating the ability to restore functions. The risks and the contingency measures can therefore be understood to operate at two levels. The primary of these levels dealt with the risks that cannot be prevented, but can be managed within the energy system. Yet some events, classified as “Black Sky Hazards”, could not be managed within the system, and the mitigating efforts therefore became a question of managing the collapse of the energy system (EIS council, A, B, 2018). The risk of a large-scale national blackout was in 2018 included as one of the top security challenges facing the UK in the National Security Capability Review (Cabinet Office, 2018). The perceived challenges from a prolonged blackout have been described as taking the country back to the stone age through the collapse of water, fuel, banking, transport, and communications, leaving British cities uninhabitable within days (Telegraph B, 2018).

While only raised in a small minority of the texts, the concern was real and called for security actions and contingency planning taking place not at the level of the energy system, but at the societal level. As the risks were conceived to exceed the ability of the energy system to absorb and cope with them, the management of their effects had to take place not through the continued functioning of the system, but through the ability of societies to manage without the system. The focus of resiliency shifts from the system and up, and the contingent measures follow; resilience therefore takes place at the national (or regional) level:

“Resilience embeds the control of risks, and readiness for and recovery from emergencies and disruption into everything we do. National resilience involves the effective coordination of capabilities and approaches across tiers of government and the wider public and private sector.” (Cabinet Office, 2018).

In its worst manifestations the collapse of the energy system was illustrated as a complete and sudden shortfall. The risk management then became contingent on the ability to cope without the essential services provided by said system. Referencing ideas about protecting against these “catastrophes”, the texts promoted ideas like the one below:

“Increasingly, this issue is being addressed by expanding the use of tabletop exercises to both simulate hazards and allow key stakeholders to explore the impact of such hazards, while considering the benefits and projected needs for resilience measures. The EPRO Black Sky Hazard Event Simulation Project represents a new example of such exercises, helping utilities, government agencies and other stakeholders evaluate the needs and benefits of specific resilience investments for Black Sky Hazards.” (EIS Council, A)

Thus, the promoted security practices differed, as they did not rely on measurable losses and calculations of excess capacities, but on simulations, exercises, and imagined consequences. An example of how this might occur can be discerned in the following graphic taken from the Telegraph (2018).

Source: Telegraph B, 2018


While this is intended to illustrate the cataclysmic impacts of a long-lasting power outage, it is interesting also for its ability to map and identify how a power outage will play out. By simulating and creating scenarios for what will go wrong we are able to prepare for those failures. While these types of simulations and scenarios might not appear particularly comforting, they at least allow for some kind of preparation by highlighting the areas that will fail and the way in which they do so. The events that could trigger such a blackout are conceived as either extreme weather events or concerted and complex attacks. A point of note is the way in which cyber-attacks are included in the infographic, which will be discussed in greater detail later on.

As a case of how the failure of energy systems can play out I chose to look at the Australian blackout of 2016. While this is not strictly European, it represented the largest comparable blackout during the period, and did receive widespread attention in European media outlets. The blackout was attributed to a 50-year weather event that knocked out the electrical system of Southern Australia. The event, and in particular the simultaneous occurrence of many large and small failures, was considered impossible or improbable to prepare for:

Dylan McConnell from the Melbourne Energy Institute says the market operator can’t prepare for very rare events like this. “They’re black swan events,” he says. “If they did plan for this, then there still might be something else that could happen, like an earthquake. A system capable of dealing with this would be very expensive.” (Guardian F, 2016)

Clearly the event was understood not as something that should or could have been predicted or prevented in terms of it happening when and where it did, yet at the same time the fact that it might happen had resulted in a set of contingency plans and measures to be activated if something like it did happen. This mirrors the logic of the Baumgarten incident wherein the event happening cannot be predicted or understood, but the consequences and impacts place it within a larger context of similar events that while unpredictable can be mapped in their impact.

Since the National Electricity Market was first established, it’s had procedures for how to turn a system on from a complete “system black” but it has never done it before. That plan was put into action quickly and as of 11:42am this morning, about 80,000 South Australians were still without power. Aemo and the network operators were moving to progressively and safely restore power everywhere. Below is a map of which areas were experiencing blackouts at 11am. McConnell says doing that is no simple matter, and the fact Aemo started to get power generation back into the network within hours was a great feat. (Guardian F, 2016)

The success in the handling of the event rested not on the prevention of the storm, the resilience of the system or the existence of spare capabilities. Rather the management was the result of the preparations for a larger set of risks that, while unpredictable and unknowable on one dimension (occurrence), were inherently knowable and mappable on another dimension (impact). Hence the ability to restore power and return the energy system within hours becomes a story not of failure, but of the success of contingency planning: of the ability to imagine how a disaster may play out so as to deal with it as it occurs.

5.3.2 Managing uncertainty in the system and society

The practices and concerns for the energy grid observed in the texts were mostly connected to a set of unpredictable and uncertain phenomena. To a large extent these concerns mirrored the logic present in the Baumgarten case, and called for similar practices. The dangers, mostly perceived as weather phenomena and technical failures, were not thought to be preventable to a large extent. This way of understanding, and planning for, unpredictable events was not only evident in the management of the European gas grids. The understanding that risks were inherent to the energy system, and that they needed to be incorporated into the thinking and configuration of the system, was evident in a wide range of texts and publications on the issue. In this context preparing for a spectrum of known and predicted risks appeared to be common practice. While there are degrees of preventability, the major security practices were centred not on prevention but on management. The practices of management were a host of different practices that could help mitigate the impacts of an event. The system itself was secured through a set of practices aimed at managing the known impacts of the unpreventable risks. These impacts could be made known through calculating and measuring the effects if x number of plants went down, allowing for the creation of excess capacities and redundancies in the system. Most of the security actions took this form of managing unpredictability through an ability to measure how the impact would play out, taking the form of reliability and systemic resilience.

A second strand of thinking dealt not with the concerns and dangers that could be quantified in this manner, but with those that exceeded the ability of the system to manage them. These “black sky hazards” were visualized as overcoming the existing security measures through the sheer unpredictability and violence of their nature. These risks, fitting into the framework of “vital systems security”, are the low-probability events that exceed the ability to plan for and manage them. While no case of this occurring was present in the texts, the closest example, occurring in Australia, showed some of the same logics and strands of thinking in the way it was written about and understood. These catastrophic risks, by their nature, exceed the ability to plan for and manage them within the system, and the security practices thereby become dependent on simulations, exercises and imaginings, which allow for the sudden removal of the energy system to be mapped, visualized and simulated. This is not the same as saying that these imaginings are always accurate, nor is that the point. Whether or not the resiliency measures are relevant will only become evident as the event unfolds; up until that point we are dealing with hypotheses and desktop simulations. These can be more or less accurate, but they can never be true representations of reality. As simplifications they are a way of imagining the concerns of the present taking place in the future, which in turn makes the future accessible today (Stevens: 17, 2016). Their function might be considered dual: they are a way of preparing for something that might happen, yet they might be just as important in that they allow us to manage the uncertainties of depending on vital systems. The ability to understand and comprehend risks and the effects they might have is a way of preparing for the unpreparable, and thereby making it endurable.

5.4 Smart meters and the radical uncertainty of IoT

The final case is based upon an examination of the wider discourse on the issue of smart grids and smart meters in the energy system. Smart Meters, or Advanced Metering Systems, are described above as an instrument allowing for the flexible consumption (and production) of electricity. By allowing for this flexibility the meters are intended to improve both the efficiency of the energy system, and the ability to incorporate variable sources of renewable energy. In both the US and Europe Smart Meters have been widely implemented, with an EU target of 80% Smart Meter coverage by 2020 being a widely cited figure (European Commission, A, B, 2018). The actual attacks and cyber security incidents impacting smart meters have been so limited and rare that this section will not examine one particular case or security incident. Rather it will draw on a wide set of writings and articles on the issue, examining some common threads in how they are examined as a security problem. The following segment is based upon a reading and analysis of 112 articles, reports, strategies, and other documents from 20 various sources and media outlets.10

10 The Media outlets covered are BBC, The Guardian, Politico.eu, Reuters, The Economist, Aftenposten, Bloomberg and NRK. In addition, several niche publications were covered, including Wired, Darkreading, Security Affairs, Computer Weekly, KrebsOnSecurity, SchneierOnSecurity, IEA and reports, blogposts and analysis from security firms Kaspersky, Symantec and FireEye. Finally, government reports, strategies, statements and meetings were analyzed, stemming from the United Kingdom, Norway and the European Commission.

In the varying articles and publications assessed on smart meters and their security a prime concern was the role of cyber security in the meters. All the articles dealing with the security issues of smart meters touched upon the topics of hacking, digital fraud, crime or sabotage in some way or another. Furthermore, there appeared to be two strands of concerns for the implementation of smart meters: the protection of data and its potential misuse in surveillance or criminal activity, and the issue of leveraging the smart meters to cause widespread harm in the wider power grids. The issue of data protection and surveillance is not the main focus of this thesis, but it is worthwhile to note that the digitalization of energy systems is not only potentially changing the security concerns, but also conflating those concerns with other considerations in the digital realm. As the energy systems become dependent on customized information and on transmitting potentially sensitive data, the conflict between the two considerations might become prevalent in this area as well.

Regarding security of the smart meters the concerns fell along two main axes: a general concern for “cyber” and the possibilities of leveraging digital weapons against the energy system, or a concern with lacking emphasis on security practices in the creation and maintenance of the smart meters. The discourse was framed around the conditions allowing for insecurity to take place, focusing on the meters themselves and the perception that they were possibly insecure. This led parts of the texts and discussion to center around vulnerabilities that had been discovered, allowing for focus to be placed on manufacturers and utility providers:

Security experts Javier Vazquez Vidal and Alberto Garcia Illera said in an interview on Monday that so-called smart meters installed by a Spanish utility to meet government energy efficiency goals lack basic safeguards to thwart hackers. (Reuters F, 2014)

The precise vulnerability discovered could be traced back to “flawed code” (Reuters F, 2014), where the vulnerability was the responsibility of the company providing the smart meters. This highlighted a concern with lacking security standards, and an inability to implement known mitigating measures that implied a sense of fault and responsibility. This is further illustrated by a second case, wherein criminals hacked the smart meters as a means of committing fraud.

But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet. (KrebsOnSecurity, 2012)

Here again the problem is not constituted as unpreventable or the manifestation of insecurity; rather the root cause of insecurity lay with the inability of the manufacturer and utility to ensure sufficient security practices. This is one important manifestation of cyber security, and to a large extent the major one: not the issue of unpredictable and unknowable risks but of failing to implement the known best solutions, either due to economic concerns or ignorance. As such the security problem becomes one of lacking oversight and regulation, not the management of uncontrollable risks: “This is a well-known and common issue, one that we’ve warning people about for three years now” (KrebsOnSecurity, 2012)

While most of the texts placed cyber incidents within this framework of manageable incidents, occurring to a large extent due to negligence or the low priority of securing digital systems, this is not the only strand of thinking relating to smart meters. A large segment of the proposed vulnerabilities were not discovered vulnerabilities, but hypothesized ones expected to emerge in the future. As the vulnerabilities discussed had not yet been discovered, the underlying assumption seemed to be that they were there, and that their discovery was a matter of time. The underlying logic of the discourse seems oriented towards a discourse of risk, in that the vulnerabilities and security issues are present yet unknowable, creating a condition of uncertainty: if potentially catastrophic vulnerabilities are present, and they eventually will be discovered, the pressing question becomes who will discover the vulnerability, what it will be used for and how one can protect oneself against the vulnerability when discovered. The vulnerabilities in the smart meters were largely framed as a question of unknowable risks in the present, potentially evolving into situations of crisis and catastrophe in the future. This strand of thinking, and the concern with uncertain and unpreventable risks, was more widely present in the discourse surrounding smart meters than in any of the other cases.

The rationale for this concern was illustrated in different ways, as different emphasis was placed on the exact reason for this uncertainty. One major concern, referenced frequently as creating new and novel risk to the system, is the understanding of increased connectivity and digitalization as posing a security risk in and of itself (Onyeji et al., 2014). Take the following paragraph from security firm Kaspersky:

“Think of network security as a labyrinth: the more exits and entrances the labyrinth has, the easier it is to escape. Similarly, the more devices there are connected to a network, the more opportunities an attacker has to compromise that network. Simply put: every device represents a possible path into the network and, by extension, onto its machines” (Kaspersky, 2013).

This statement rests on the reality that as digitalization picks up speed the number of devices that are connected, interconnected, and managed by digital devices is increasing. Furthermore, the statement claims that each of the ways in which these devices connect and talk to each other constitutes a potential gap in security that needs to be fixed. The increasing complexity of the energy systems, and the increased usage of digital solutions, is therefore considered a multiplier in terms of threats and risks to the system (Foreman et al., 2015). As the complexities of the system grow beyond a simple computer and towards a network of integrated and dependent devices the question of security becomes an “almost intractable problem” (DarkReading A, 2015). In this understanding the perceived insecurity of the Internet, and the impossible task of knowing every weakness, combines with an expansion of the “things” and functions that are connected to the Internet to create an understanding of risk that is growing, or as it is stated by one cybersecurity firm: “Interestingly, the more sophisticated and developed that technology and the Internet become, the more they put us, and our world, in jeopardy.” (Kaspersky, 2014).

This notion of the dynamic and evolving nature of cyber security was also evident in publications from official sources, such as the following statement on smart meters from the UK GCHQ:

During the design of the system, GCHQ and DECC assumed that vulnerabilities would be found in the various components during the life of the system. This is a reasonable assumption because not everyone who is building things for the Smart Metering System are cyber security experts, and building a system devoid of any vulnerabilities is very hard to do (to the point of probably being impossible). (GCHQ, 2016)

The basis for the security is not only securing the systems and devices from current threats and vulnerabilities, but also realizing that new vulnerabilities have to be expected during the lifespan of the device (Bracco, 2017). Going even further, the statement implies that avoiding such vulnerabilities altogether may go beyond the difficult towards the probably impossible. This expectation that making something completely secure is “probably impossible” hints towards an idea of secure systems as unattainable, which again makes their manifestations unavoidable and introduces high levels of uncertainty.

This leads over to how the implications of the risks were perceived and understood. For smart meters the uncertainty regarding what the consequences of an attack could lead to appears marked. The issues and consequences of successfully targeting and impacting the smart meters spanned a large set of imagined implications from explosions, house fires, network failures and terrorism to petty crime (Guardian H, 2015, KrebsOnSecurity, 2012, Kaspersky, 2018). The problem then, is not only one of inherent unpredictable vulnerabilities and risks, but of increasingly complex and unpredictable ways in which they can fail. Or as phrased by the same firm, “real criminals would be limited only by their imagination and programming skills” (Kaspersky, 2018). The possible risks and dangers associated quickly become unfathomable and immeasurable, taking on aspects like the creation of a “world-sized” robot with impacts that at the most extreme might not even be imaginable (Schneier A, 2017).

Moving beyond these concerns a significant segment did not flesh out the potential consequences beyond warning of “catastrophe” (Brenner, 2013, Hebert, 2013, Clarke & Knake, 2010). As an example of how the dynamics of uncertainty and catastrophes shape and influence the perceptions on cyber security in the energy system the so-called “Horus Scenario” is an interesting starting point. The Horus Scenario involves a discovered vulnerability in the inverters used to transform static current to alternating currents for solar panels. By leveraging the vulnerability, it has been hypothesized that an attacker could cause a blackout affecting large parts of Europe for extended periods of time (Security Affairs, 2017). While the vulnerability is interesting in its own right, and the work on fixing and mitigating its impacts is as well, it points to a wider understanding of the way in which energy systems can be struck by cyber-attacks. Similarly to the Industroyer event, the vulnerability takes on added value when understood as a feature of digital systems more broadly: the fact that a critical vulnerability is discovered that might cause widespread blackouts is not as profound as the understanding that critical vulnerabilities will be discovered that might cause the same amount of damage. Unlike the attacks that hit and affect already “hardened” parts of the energy system, the Horus Scenario involves new functionalities and issues that are conceived to be harder to fix and prevent. It is significant precisely because it becomes understood not as a single event, but as a characteristic of the risks and dangers associated with increased internet connectivity and the Internet of Things (ibid).

How then, do the practices of security deal with the radical uncertainty and “catastrophic” prophecies of increasing digital connectivity? To a large extent the security measures proposed only become relevant after an event has taken place. One manifestation of this responsive form of managing security risks can be seen in the emphasis placed on having systems ready to implement and learn from security incidents. Partly this can be seen in statements like “Who's responsible when a smart city crashes?” (DarkReading A, 2015). While the statement is not limited solely to the energy system, it is indicative of a wider strand of thinking on the security of vital systems. In its formulation of the problem the question is not if a smart system will be compromised, but how to deal with it when it is. As the solution is to divide responsibility when the smart city crashes, an underlying assumption is that the smart city at some point will crash. It is therefore not about preventing the incident but about managing it.

Another key mechanism is to “make known” the vulnerabilities and risks in the system, and make sure the knowledge is transferred and made available to all relevant partners. One way in which this was done was through the creation of avenues for “information sharing, [but also for] cross-function vulnerability assessment and incident response planning” (DarkReading B, 2015). In this practice of security, the focus is on making sure all relevant actors have the needed information to deal with the known vulnerabilities. Another way in which this logic works is through the rapid “translation” of risks into known vulnerabilities, by ensuring that the breach suffered by one digital system is made known throughout the larger industry. This is primarily done through the establishment of designated groups like CERTs or CIRTs11. These measures of mitigating responses are indicative of a particular understanding of the risks, the way they function and the appropriate ways in which we can deal with them. One defining feature is the way in which the establishment of CERTs, basically dedicated groups of security professionals continuously working at securing the functions and security of ICT devices, is indicative of a dynamic and changing security environment (Yusta et al., 2011). The role of the CERT is not only to prevent security events from taking place, through sharing information and acting as a resource for users of ICT devices; they are also a “first responder” in the event of a crisis (DarkReading B, 2015).

Moreover, there was a widespread call for better standards, more regulations on who can supply the smart meters and vague assertions of “improving security” (See for instance: Moulinos, 2017). The focal point of security then is on the devices themselves, reducing the risks that they might be compromised by improving the embedded security. This is visualized in a variety of manners: by developing more secure protocols, regulating the responsibility given a failure, encouraging better design solutions, and even involving the end-user in the maintenance and security of the devices. The proposed solutions neither promised “fixes” for the presence of vulnerabilities nor did they propose ways to cope with the systems failing. The main approach was one of “raising the bar” wherein “The ultimate goal of cybersecurity is not to make the smart grid impregnable, but to make it costlier, and therefore less attractive, to attack” (Reuters, 2011).

11 CERT: Computer Emergency Response Team, CIRT: Computer Incident Response Team

The vantage point of any security practice becomes the realization that total prevention is an unrealistic assumption. An additional statement from the GCHQ is indicative of this line of thinking:

In addition, setting the security bar very high for each component would make the system unaffordable, so we've gone for commercial good practice. If this means there will be issues found during the life of the Smart Metering System, how do we make the system tolerant to attack? (GCHQ, 2016)

The key phrase here is the perceived need to make the system “tolerant” to attack. As the problem is configured as being about risks, and the uncertain events, the solution to this particular problematization becomes about “tolerance” and the ability of the system to deal with disruptions. This is then done through numerous measures, such as validating messages at several stages, limiting the ability of an attack to spread, and other measures intended to deal with the intrusion of a malignant actor (Ibid, Yan et al., 2012). As such the security measures are intended to deal with the consequences of a disruption within the digital system.

While the vulnerabilities are part of the dynamic development and cannot be known beforehand, the way in which they work, and the functions within the digital system they will leverage, are intended to be mapped and planned for. At the same time this process is considered difficult and as revealing surprising results. As stated by the GCHQ:

As the system design progressed, several weird constraints and edge cases came out of the woodwork. This is often true in real world security systems; the idealised, academic security model very rarely survives contact with reality. (GCHQ, 2016)

While the mapping, simulation, and testing of the system designs lead to a number of fringe cases that are included, the statement also opens up the question of to what extent all such fringe cases are mappable beforehand. This uncertainty regarding the effects and impacts of interacting smart components is present in a number of other articles and statements as well.


The abovementioned practices were mainly targeted at managing the digital intrusions as they occurred. The proposed practices took form and acted at different levels and places within the digital systems, from the creation of “security in the system” where the hypothesized digital vulnerabilities of the future could not be leveraged into widespread damage in the system at large, to the larger practice of societal resilience and the preparation for catastrophes (See for instance: Muhlberger, 2017). At the most extreme cyber-attacks were problematized as “black sky hazards” or “black swans”: the events that could neither be prevented nor managed, resulting in the widespread destruction of whole societies. In this line of thinking cyber-attacks have potentially “catastrophic” impacts, in line with an understanding of the issue as “more dangerous to the stability of democracies and economies than guns and tanks” (Juncker, State of the union 13.03.17). This understanding promoted practices like large-scale exercises wherein cyber-attacks are the cause of large-scale disruptions that take down the energy systems, which took place in 2014 and 2016 (ENISA, 2017). The notion that cyber-attacks on the energy systems cannot be prevented, yet have to be dealt with, has been taken to its most extreme in calls for systems that can run completely without digital systems. These types of digital redundancies, or systems that can function without any digital components at all, become an extreme form of resilience where the inability to trust a digital system becomes so profound as to necessitate a completely separate functionality. This has been mentioned both as a positive component in the attacks on the Ukrainian power grid in 2015 (Zetter, lecture at NUPI, 2016) and as a legislative proposal in the US12 to mandate digital redundancies (Boyd, 2018).
Taken to this length the uncertainty and risks associated with the digital systems necessitate the creation of separate systems and functions, and a mode of resilience that expands beyond the digital system to an energy system that functions without the digital components.

Finally, the combination of potential catastrophic consequences and uncertain and unknowable dangers creates another set of practices. The inability to prevent and deter intruders was fueling a set of practices aimed primarily at scanning, analyzing, and detecting intrusions in the networks, either by human defenders or by Artificial Intelligence using the concepts of machine learning to root out suspicious activities in corporate networks (see for instance: Rosenberg, 2017, Darktrace 2018). This type of scanning for anomalies in the networks adds additional depth to the defense, by continuously looking for out-of-place flows of data. These preemptive practices were also being built into the systems themselves, as is the case for the UK smart meter program (GCHQ, 25.03.16). These practices of security can furthermore be used to justify not only scanning and detection at the individual power plant or network, but the erection of digital borders and defenses to protect vital systems against digital attacks (Lysne 2: 29, 2016). These final practices aim at securing states through the control of digital flows, being a particularly contested practice in the Norwegian outlets (see for instance: Hjort, 2017, Søreide, 2017, Løkke, 2018).

12 While not part of a “European” discourse the proposal is mentioned in several texts as a way in which such thinking could manifest in policy proposals.

A related set of practices sought not to scan and control the digital systems, but to extend the control through regulations and standards. The concern with supply-chains and digital equipment being bought from foreign companies, and then inserted into the vital energy systems, pushed for the management and regulation of those companies as well (European Commission, 2016, 2018, Hiller et al., 2013). This concern was mentioned in several texts and statements, such as the following: “Suppliers of information technologies to the EU energy system must be bound to clear obligations to provide their products and services at a well-defined, high level of cyber security.” (Lechner, 2017). A final security practice worth mentioning and debating is the practice of heightening the perceived risk in times of uncertainty. Thus, in the wake of the Skripal-poisoning on March 4th, 2018 the tension between Russia and the UK rose notably, leading to claims that “the risk of a serious cyber-attack on the UK has gone up substantially” (Independent, 2018). In particular the concern was tied to an attack on critical infrastructure that could potentially “directly affect lives” (Ibid). This mode of preparing for the occurrence of an attack has a parallel in the practices of heightened risk for terrorist attacks, where the perceived higher risk becomes an argument for practices like increased presence of armed police (NRK, 2017).

5.4.2 Understanding the smart grid

The smart meters were understood in a variety of manners in the texts analyzed. Primarily the different understandings can be subdivided into two main camps. The first of these two problematizations saw the security issues of the smart meters as centered on the discovery of vulnerabilities and the subsequent mitigation of these vulnerabilities. In this understanding the main problem was an inability to discover and make known the vulnerabilities, and a lack of focus on security issues in updating the devices. This final point was the most prominent, as there was a noted exasperation with the inability to deal with known security flaws and vulnerabilities. This mode of operation, encompassing a large portion, thus fits within the framework of ignorance/secrecy, where the ability to uncover a knowable threat makes the security work centered on this unveiling of a hidden truth. While these security concerns were not always known, they were at the very least knowable, and the work on securing the systems could take as a vantage point that the vulnerabilities could possibly be discovered. The prominent position of this way of understanding the problem is noteworthy, and might best be described by a sense that cyber security is not getting the attention the issue deserves. This introduces a set of security practices not only centered on resilience and prevention, but to a large extent focused on prevention and protection.

Yet the texts also expressed concerns for a set of “unpreventable” and “uncertain” dangers that were not known or knowable (Anderson et al., 2010). These concerns took as a vantage point the dynamic nature of cyber security (as noted in the Industroyer case), and extrapolated the developments and concerns into the future. Taking the development of adversaries and methodologies so far, coupled with the inability to know what adversaries are capable of and thus how one might be harmed, allows for imaginings of not only one's own capabilities but those of a more advanced actor. Taking it one step further, the (alleged) dynamism and evolving nature of cyberspace makes security not only about today, but about the events and capabilities that might come to pass ten years from now. The impact of time and evolving practices allows for security and dangers to expand into a vast space of imagined and simulated scenarios that do not have to relate to the “real” world of what has actually happened; instead it can base its arguments and understandings on a premise that the world of tomorrow will be more advanced than today. This understanding departs from the universe of the security events that have happened and instead takes as a vantage point all possible imagined scenarios and implications. As the prospect of securing devices detaches from observable events and moves towards dealing with everything that could be conceived to happen, the limits of possible scenarios expand. The effect of time and speculation in the future makes security practices more encompassing and complex than they otherwise would be, arguably an overlooked feature of cybersecurity because time is arguably an overlooked concept in Security Studies (Stevens: 12-13, 2016).

In sum this understanding meant that a large amount of the security practices and problematizations dealt with the impact of uncertainty and unpreventability. These were further fueled by the expressed concerns that increased connectivity equals complexity, which again introduces a host of new and unknown vulnerabilities. As the problems then become intractable, prevention as a source of security becomes unsustainable. The question becomes not if something will occur, but when. The failings of the digital systems move from the realm of the avoidable and towards the realm of the unavoidable: at some point something will happen. As argued by Tim Stevens (2016), this is a prominent mode of thinking on cybersecurity: by not addressing what and how something will happen, merely that something terrible will occur, proponents of cyber security as unavoidable can cause concern without ever having to verify their claims (Stevens: 108, 2016).

This logic and understanding of “unpreventability” called for security practices centered on managing security events instead of preventing them. This understanding was seen to be the dominant understanding in the Industroyer case, where the main mitigating practices centered on dealing with the effects through the creation of resilient systems. While the digitalization of power plants, electrical grids and other energy-related industrial systems is interesting on its own, a lot of the changes that are taking place are fitted within a larger framework of a vital system that operates and functions in similar fashion as it has always done. As the statements surrounding Industroyer make clear: the practices of simulating, predicting, and imagining ways in which the different parts of the grids may fail allow for cyber security to become “yet another” risk in the larger risk-security nexus. As long as cyber security impacts the grid in known ways, by making systems fail in predictable manners, the practices of redundancy and robust systems can serve the same function as they otherwise would. While it cannot be known how, when and if they will strike, the impacts can be predicted, creating avenues for certain security-practices to take form. These practices fall under the understanding of known impacts but unknown occurrences, as the systems could be created resilient so as to manage an intrusion.

This logic appeared to be contingent on the system failing in “predictable” ways, yet some of the concerns noted in the texts were oriented on novel functionalities that challenged this assumption. This was based on an understanding that the energy systems are not only implementing digital solutions, but changing the buildup and functionalities as well. This creates another and novel challenge: the possibility of unknown cyber vulnerabilities operating within a larger system that operates in new and novel ways. While some outcomes and potential consequences are investigated in more detail than others - like the possibility of widespread blackouts - a large segment of the risks are not talked about in concrete form. The uncertainty is not limited to if and when something will happen, but extends to what the actual outcome might be, and whether it is catastrophic, terrible or merely a nuisance.

This understanding and problematization of the smart meters created a radical new uncertainty wherein the knowability of the impacts was questioned. Cybersecurity in smart meters was thus partly problematized as “catastrophic risks”, referencing not concrete vulnerabilities that could be patched and prevented but predictions that new and novel modes of attack would be available in the future. At its most extreme the unknown nature of digital vulnerabilities was imagined in the mold of catastrophic events, often dubbed “cybergeddon” scenarios. These disasters lend themselves to borrowing imaginations like that of Die Hard 4 and other “disaster movies” (Stevens: 102-109, 2016). By referencing the type of catastrophic disasters that take down entire societies by the click of a button, as the result of interconnected and ill-secured devices taken over by the hand of an evil genius, the basic premise is that the implications of digitalization are unknown and unbound in their impact (Ibid). These types of disasters hint towards a future where the vulnerabilities that are exploited are unknown and impossible to prepare for, and the impact and consequences of the disasters defy the ability to prepare for and manage them.

An example of how such a disaster could play out was noted in the “Horus” scenario, where solar panels became a critical flaw that could take down grids. In the wider understanding of the system the fact that a vulnerability like this has been identified, and is theorized to take down the grid, becomes a framing object for the concerns for the grid. In the same way Industroyer expands the scope of potential events, the Horus scenario does too. The instant it comes into being, it becomes a blueprint for how other objects like it can come into being. It therefore creates the space to imagine other objects like it, cast in a similar mold, only non-identified and hypothesized. As a “thing” it therefore shapes the box within which the social reinterpretation of security concerns can take place, which again promotes certain understandings and logics at the expense of others.

This logic was noted in a pronounced concern with “black sky hazards” that could cause catastrophic damage if they occurred. The practices involved in preparing for these “catastrophic risks” were the simulations, exercises, and imagined consequences described above. These imagined disasters were to some extent mentioned when debating certain other risks as well, such as extreme weather or terrorism (Krepinevich, 2011, Stegen et al., 2012). Thus, the introduction of these risks was not necessarily new, yet they were more prominent when talking about digital vulnerabilities than when talking about weather phenomena and technical failures. Another set of practices proposed to deal with these concerns were calls for preemptive security practices like scanning of networks, the verification of providers to digital systems and “digital borders”. These practices borrowed the logic from antiterror operations in that they subsumed and vetted all behavior in an attempt to root out potentially dangerous ones.


6. Discussion

This thesis is meant as an examination into a simple question with potentially large consequences: how is the digitalization of energy systems impacting the way we think about and perceive their security? While simple in its purest form, it is a question that can quickly morph into a sprawling examination of a wide variety of differing issues. I therefore chose to further limit the question into an examination of the role of uncertainty in the problematization and management of security concerns. Uncertainty and lack of knowledge, real and perceived, help shape and frame how security concerns are understood and dealt with. As the energy system becomes digital, and therefore deals with the concerns and logics of cyberspace, the way in which cyber security promotes certain ideas of uncertainty translates to the energy system as well. In the texts and events examined here the primary security concern was the occurrence of unpredictable and partly unpreventable events. Whether due to weather phenomena, novel weapons, technical failures or simply “perfect storms”, the base assumption was that at some point something might go wrong. Yet, the fact that something might go wrong, and one should prepare for the fact that it might, is a shallow examination of how the security concerns were understood. While there were clear similarities in the way “normal” failures and cyber security events were understood, large divergences were also apparent.

The theoretical framework presented earlier highlighted four different epistemic regimes, which were subsequently described and analyzed. One dealt with the issue of ignorance/secrecy and the inability to access what should be “known”, another dealt with uncertain and unpredictable events that were manageable by the knowledge of how the impacts would play out, a third dealt with “catastrophes”, those events that were considered unknowable both in their occurrence and their impact. Finally, a differentiation was made between those security events that were framed as accidents and those that involved a willed incident or an actor.

Of these four epistemic regimes all were evident to some extent in the debates on the non-digital events. The willed incidents were, however, centered more around states and political rivalry, and in particular the relationship with the Russian Federation (Siddi, 2017). This should probably be understood more as a form of traditional security and is thus beyond the scope of this thesis. The risk of terrorism and coordinated attacks were mentioned, but did not feature prominently as a concern; as such, an assumption could be that these risks were not “accepted” to a large extent (Beck: 13, 2007). The same can be said of the concerns belonging under the epistemic regime of ignorance/secrecy. While there were some incidents where the competency and ability to prevent incidents were called into question, the Russian narrative surrounding the Baumgarten explosion being one noteworthy example, the overall depiction of the security-work in the energy sector was not centered on an inability to prevent failures from happening.

What was prominent, however, was a host of security-incidents interpreted as manifestations of unpredictable and uncertain risks. These risks, and the strains they put on the systems, were interpreted as more or less “unavoidable”. Weather events, accidents and technological failures were all regarded as prominent features of the system. As such, the main focus of security was not on prevention but on management. These practices took the form of various modes of resilience. Some argued for increasing the reliability of the system, through redundancies, spare capacities, demand-side responses and other practices aiming at keeping the system going while parts of the system would fail. For the large part this involved a set of practices aimed at improving the reliability of the systems, or preventing these strains from leading to widespread and more consequential failures. Basing themselves on limited knowledge, these practices took as a vantage point that the dangers facing the energy system were unpredictable, but that they were measurable and understandable in their impacts. This did not necessarily translate into a quantification of the danger in question, where a failure of system X translates into Y watts of electricity lost. What was evident, however, was that the uncertainty operated within a confined space of impacts that were considered realistic, framing the security practices to levels of redundancy that were considered adequate. A different strand of thinking on the security issues dealt not with these practices of system-resilience, but with the wider societal resilience towards large-scale failures of the energy system. These concerns manifested in practices based not on measured and knowable impacts, but on simulations and imagined consequences. The classification of these events as “black swans”, “black sky hazards” or “catastrophic risks” led to a distinct set of practices which will be elaborated on further on.

How then were the cyber security events interpreted differently? The practices of cyber security based themselves on all four of the logics of security examined, yet some understandings featured more prominently than others. Possibly the largest number of events were understood as operating within the epistemic regime of ignorance/secrecy: dealing with known and existing vulnerabilities which had been mapped and where knowledge about their mitigation existed. In the statement on smart meter vulnerabilities in Spain the practice became one of updating and preventing a known vulnerability from being exploited. Related to this was the transformation of uncertainty and unknown vulnerabilities into knowledge, through the reconfiguration of risks as vulnerabilities. This practice entails the discovery and mapping of vulnerabilities, along with monitoring and analyzing the networks, to unveil new threats and vulnerabilities. While the existence of zero days and actors with advanced capabilities makes the complete eradication of risk impossible, the security practices of sharing information and uncovering threats aim at limiting the risks through making them “known”. This dynamic practice of continuously uncovering and reacting to developments rests on the creation of functioning networks of actors and institutions that can disseminate and share the information to all relevant stakeholders. The creation of such networks allows for security incidents to be moved from the epistemic regime of novelty and surprise and towards one of ignorance and secrecy. Therefore cyber security events were reconfigured and moved from one epistemic regime to another as they became mapped and understood. The security practice therefore becomes contingent upon the wider network: what might be an identified and patched vulnerability in one setting may still exist as a risk in others.

Secondly the existence of cyber-events within the larger energy system shone a light on practices of reliability and redundancy. The Industroyer-case showed how cyber threats could be placed within the larger context of a hardened system, and the development of the Smart Meter system in the UK accepted the identification of vulnerabilities as a defining feature of the digital world. In both cases the call was for energy systems, industrial systems and digital components that could be compromised without that compromise resulting in disastrous effects. Yet, these practices of reliability, redundancy, and systemic resilience were less pronounced and explicit than in the energy system. The understanding of digital systems as inherently vulnerable only transferred into systems that could deal with security failures to a small extent, and in the case of Industroyer this was a by-product of other security concerns. At the most extreme these practices went beyond the individual components and hinted towards a complete digital redundancy. In this understanding of digital vulnerabilities, creating secure and reliable systems was unobtainable, and the only satisfying solution was the promotion of total independence from digital tools. As the digital systems could not be made reliable, the larger energy system had to be made resilient to a complete failure of the digital components.

This understanding of cyber security as “unmanageable” borders on a third logic governing the cyber security-approach. In this epistemic regime of novelty/surprise and “unfathomable uncertainty” cyber security events were configured as “Black Swans”, or unpredictable events that could possibly take down entire energy systems and cause widespread outages. Based on the practices of imagining events into the future, these practices took as a vantage point that cyber security is evolving. Take the lessons of Industroyer and the development of new tools: it is notable that the event is understood not only in its own right, but as a harbinger of things to come. The development and growth in use of cyber weapons was taken as a defining feature of the digital domain. This allowed for Industroyer to be examined not as a singular event, but as a step in the path towards more destructive, more dangerous, and more effective hypothesized weapons. This allows for a projection into the future of weapons not yet created, methodologies not yet utilized and capacities that do not exist. The problematization thus incorporated not only the world as it is today, but any plausible description of the world ten years from now. The argument for a dynamic and ever-changing domain makes the security of digital components uncertain. Protection does not only have to be against “the best”, but against the most advanced actors taken into a future of continued growth and development. Their perceived capabilities and effectiveness are only limited by how our plausible imaginings play out; whether they are true or not is not as important for security practices as whether they are believed. As such, the digital domain can never be “safe”: it is constantly moving, necessitating growing expenditures in development, research, and active defenses.

These concerns are multiplied when the imaginings take in not only the changes in the digital domain, but the changes in what it is used for. The move towards smart meters, smart grids, and more broadly the Internet of Things, couples the uncertainty of what will happen with uncertainty regarding how it will happen. The impacts and consequences are limited only by our “imagination”, and the security implications of growing interconnectedness cannot be measured and understood. These twin developments, of both new functions and new threats, created impressions and understandings of the digital world as radically uncertain and unpredictable. This uncertainty was then translated and applied to the understanding of the larger industrial and societal systems it underpinned, like the energy system. Taking this evolution for granted, the evolving nature of cyberspace gets extrapolated into the future and imagined as radical uncertainties both in terms of the tools and methods that will be used and the way in which the events will play out. This allowed for a classification of cyber-attacks alongside earthquakes and solar storms as events that cannot be prevented or managed. These events escape the boundaries of measurement and system reliability that made events like Baumgarten and energy shortfalls nuisances and not catastrophes. The digital components become yet another “catastrophic risk” towards critical infrastructures and vital systems, implying and lifting certain practices at the expense of others.

To manage these hypothesized and imagined scenarios the inclusion of cyber security concerns pushed the management of the energy system towards practices of societal resilience and the management of catastrophes. Through the establishment of CERTs tasked with managing incidents after they occur, the most frequent call to action was on establishing mechanisms of coping. These tools and practices take as a vantage point that “something will happen”, and create tools and systems able to deal with the impact of the incidents. As the impacts could not be known, or managed within the energy system as was the case in the non-digital cases, the practices dealt with reestablishing the digital components after they failed. Secondly the reorientation towards preparation in simulations and exercises examined how a world without energy would look, and started preparing for how it would look. These exercises and re-enactments allowed for imagination and what-ifs to replace the role of measurement and empirics.[13]

Finally, and building in part on the understanding of “cyber threats” as being unpreventable and unmanageable, a fourth logic and set of practices called for preemptive and precautionary measures. The logic and approach towards cyber security showed similarities to the management of terrorism, in that the events were conceived of as both highly challenging to prevent and resulting in unacceptable and unmanageable loss and impact. The main practices and calls were centered on practices like scanning networks, both at the border of states and within companies, and creating digital ecosystems through vetting suppliers that deliver components to critical infrastructure. Yet, growing interest in ideas like Artificial Intelligence, “hackbacks” and filing charges and prosecuting hackers could imply a move towards other practices as well (Nojeim et al., 2017). These practices were not intended to manage security incidents, or to create reliable systems that could cope with breaches, but centered on a precautionary examination of digital packets. As the incidents could not be managed, the practices took the form of a doubling down on prevention, through preemptive tactics and practices of surveillance and scanning.

[13] See for instance Anderson (2010) for more on exercises and preparing for disasters.

Thus, the move towards digitalization and the implementation of digital devices shifts the understanding of the security practices slowly and slightly towards managing the radical unknown. The idea that digital security can never be completely achieved, that the evolving nature will introduce new and novel threats, and the concept that “only the imagination” limits the ability to do harm produce an image of a radically uncertain future. The interconnectedness and the understanding of increased connectivity as a security problem in its own right points towards an understanding where ever-more digitalization means ever-more devices and connectivity, in turn leading to greater uncertainty and anxiety as to the potential ramifications of a security event. The rise of cyber security in energy systems was therefore seen as strengthening the concerns for “catastrophic risks” that could not be prevented. These concerns were again seen mirrored in calls for practices that dealt with managing incidents, total digital redundancy and other practices that in sum entailed a move towards “societal resilience” as an overarching concept of dealing with security concerns. Furthermore, the concern with disasters was (partly) responsible for fueling practices like scanning networks and erecting digital borders. Finally, the ability to map and patch vulnerabilities raised the issue of practices for managing known vulnerabilities, as well as the “uncovering” of vulnerabilities and threats through a deeper examination of the digital systems. While present, practices centered on measures of “reliability” and “systemic resilience” were less pronounced.

Placing these findings within the quadrant depicted in the earlier parts of this thesis, the cyber security concerns entail a move towards the lower right quadrant of “unfathomable uncertainty”, as well as the top left quadrant of “known vulnerabilities” or ignorance/secrecy. Placing the many concerns and problematizations in the lower right quadrant reflects the more pronounced uncertainty in how the security events would play out, and the increased reliance on imagined scenarios and simulations that replace measurable impacts with speculation and practices of societal resilience. The top left quadrant highlights the extent to which cyber security events continue to be understood as a consequence of ignorance, lacking practices and an inability to prevent known dangers.

| Impact / Occurrence | Known | Unknown |
| --- | --- | --- |
| Known | Digital vulnerabilities that have been mapped (with known impacts) | Digital vulnerabilities that have been mapped (with unknown impacts) |
| Unknown | Baumgarten, shortages, supply failures, cyber failures in “hardened” systems, uncertain disturbances | “Black Swan Events”, Extreme weather, sophisticated cyber-attacks, Internet of Things, |

Moving to how the problematizations are reflected in the security practices, a finding appears to be an increased focus both on the “known” vulnerabilities, and on the practice of translating unknowable risks into known vulnerabilities that can be patched and fixed. It also introduced a larger set of practices at the lower right quadrant, as security practices centered on managing unknown impacts took the form of both preemptive measures like scanning and surveillance, as well as resilience-practices at a societal level. These practices took the form not of hardening and the creation of reliable systems, but of exercises and simulations that sought to deal with a hypothesized sudden collapse of the energy system.

| Impact / Occurrence | Known | Unknown |
| --- | --- | --- |
| Known | Patching, preventing, updating systems | Patching, preventing, updating systems |
| Unknown | Storage facilities, redundancy, extra suppliers, excess capacities, demand-side responses, hardened systems | Societal resilience, contingency planning, scanning and surveilling networks |

In sum then, digitalization of energy systems makes certain understandings and problematizations more frequent, prominent, and accepted. No reading of the empirical material could make the argument that cyber security is never about creating reliable and resilient systems. Simultaneously, arguing that the concern with catastrophic risks stems from digitalization is without foundation in the texts examined here. What can be argued, however, is that the increasing use of digital tools in the energy system is making certain understandings and logics more accepted. This move, or shift in emphasis, is in no way a revolution or a sudden move. Thinking about the digitalization as marking a clear break in security practices therefore makes little sense. The change from one set of components to another does not alter the perceptions overnight; rather the change reinforces and pushes along certain understandings and problematizations. The change comes slowly: as the digital system is understood in one particular way it gives rise to a broader understanding of how the energy system works, how it can be harmed and how that harm can be prevented. As the impact of cyber security and digital technologies develops in general, those lessons and understandings filter down to our understanding of the energy system. Every event and every case becomes an opportunity to reevaluate what we think we know about the security of critical infrastructure, providing possible new lessons or reinforcing what we already know.

A question to be asked is whether the rise of cyber security furthers the concerns of “catastrophic risks” or whether this framework helps make cyber security understandable. After all the concern and preoccupation with risks preceded (mostly) the concerns with the dangers of cyberspace. To say that digitalization introduces risks to the energy system would be a woeful simplification, but to argue that digitalization furthers and deepens the concern with risks and resilience allows us to address the nuances in this shift. As risks were a concern and a cognitive tool before the cybersecurity of energy systems became a major issue, it is tempting to argue that the following problematizations were to a large extent given by the frameworks and tools at hand. The digital world and the security concerns associated with it have many faces; it is, for example, a large and global challenge costing billions of dollars each year (New Statesman, 2018). In another time dominated by other concerns it is not given that cyber security would be understood as it is today. Whether cyber security helps entrench resilience and the concern for catastrophic risks, or whether the existence of these conceptualizations provides useful boxes to place cyber security in, is not evident. An important question stemming from this is whether the association of these risks with material components could help entrench the view that catastrophic risks are prevalent in our modern societies. Catastrophic risks have to be accepted in order to shape social life, and their acceptance is what fuels the practices and solutions in managing them (Beck: 13, 2007). The notion that these risks emanate not from our understanding and reading of the world, but are given by the material components themselves, might make the idea of catastrophic risks harder to dispel. After all: earthquakes have always happened, and while the impacts on modern societies are understood differently they are fundamentally the same phenomenon. The digital world, however, is a novel addition to the socio-material fabric. As the addition of the digital world might be a permanent feature going forward, what we understand it to be, and the properties and features we give it, will have large and lasting impacts on the world. Whether or not our understanding of material factors and technologies is in fact more “solid”, and unlikely to be challenged, is open for debate.

This is of particular interest in light of the preemptive practices and the epistemic logic of extreme precaution. As the “war on terror” and the security practices attached to this understanding of security have dominated the western discourse over the latter decades, it is not beyond reason to expect that this framework has in turn influenced how cyber security is conceptualized and understood. While this question will remain largely unanswered, a possible hypothesis would be that they are both true: That cyber security is both influenced by, as well as entrenching and deepening, the dominant strands of thought in our time seems a reasonable assumption in lieu of a more thorough examination of the issue. The introduction of these types of logics and practices is also noteworthy in its designation of cyber-attacks as “purely random”. The conflation of issues like terrorism and cyber-attacks with naturally occurring phenomena like extreme weather furthers an argument of socio-political events as working under the same logic and rationale as “completely random” events like earthquakes. Yet, these types of events are not the same. The ability of human society to control and manage weather-events is highly limited (setting aside the arguments of climate change), but socially occurring phenomena do not necessarily have to be looked at in the same way. The designation of cyber-attacks (and terrorism) as unpreventable sets aside the reality that both must be done by someone for a reason. Highlighting the inevitability of the events masks that certain practices and ways of dealing with the security concerns are preferred over others. By making the occurrence inevitable the solution to the problematization becomes about resilience, while practices of societal resilience might make the designation of unpreventable occurrences more acceptable (Bourbeau, 2013). The problem and the solution co-produce one another and blot out other modes of dealing with the security concerns.
As the designation of cyberattacks as “black sky hazards” is accepted, societies must prepare for their occurrence. Simultaneously the existing practices and logics of resilience create a framework for managing digital incidents. What are left behind are other solutions, other problematizations and other lenses with which to view the problem, which appears “solved”.

What are the larger implications of this shift? That our critical systems, those we regard as underpinning our very existence, are at any time at risk of failing due to the manipulation of data and information flows we do not intuitively understand. One evident change is the need to control and manage what goes on online. The practices of “preemptive” security have been briefly mentioned here, but the desire to manage and surveil digital packets grows as the perceived consequences of cyber-attacks grow. As argued by Stevens (2016), the proponents of “cybergeddon”, the experts and officials warning of the cataclysmic impacts of an advanced and coordinated cyber campaign, can never actually be wrong. By warning about the catastrophic event occurring sometime in the future the burden of proof disappears: at some point a vital system might fail due to a cyber-attack, but the unwillingness to point to how and when it will happen ensures that the problematizations of cybersecurity never need to be anything more than credible to have an effect. The threat of the catastrophe, and the inability to measure and understand the way in which systems fail, promotes certain mitigating efforts at the expense of others. The attempts at redundant and reliable systems become challenged by the unknown impacts of cyber security events. At the same time the systems and measures added to ensure reliable operations become targets of operations themselves (Dragos B, 2017). As the practices of guaranteeing continued functions come under scrutiny the push moves to systems that are able to function without the digital components. This radical digital redundancy promotes the creation of systems with a dual mode of operation: both as digital systems and as manual. The costs of these redundancies are not examined in detail here, but it is evident that the training of personnel, daily maintenance and creation of a fully separate system is not free.
This adds to the costs involved in securing systems, preemptive measures that involve human operators and the constant attempts at keeping up with the dynamic system.

7. Conclusion

This thesis has examined the implications of digitalization on security-thinking and energy systems. It has considered how material changes impact practices and problematizations through a reading of a diverse set of texts related to expert discourses on the topic. It has tried to examine a simple question with a simple premise: if the energy system is becoming digital, and the digital world and its security are conceived of as different compared to other types of security, how do we square these realities? At its core cyber security is about the construction of a new space/domain/network that arguably influences and impacts most, if not all, of our social interactions. If this digital world has distinct features and properties, the systems that come into contact with it have to address and incorporate the logics and understandings inherent in these features. How then, does a system incorporate a set of materials, things, and artefacts with certain understandings and logics attached to them?

Main Findings

In the examination of changing understandings, we have seen how cyber security causes varying and very different practices, working under different logics and notions of the security problems posed by digitalization. The large majority of attacks and incidents should be prevented, or so is the dominating narrative among experts. The insufficient security practices are a question of lacking time, dedication, and resources to the topic of cyber security. We should, in short, do better. Yet another strand of thought raises the concern not of the mundane practices of prevention that should be in place but of the potentially catastrophic risks introduced by cyber security. These risks are made into existence through the known vulnerabilities mentioned, and the radical uncertainty of tools, weapons and vulnerabilities not yet known, operating in manners not yet understood and possibly even affecting functions not yet created. These concerns place cyber security within the framework of catastrophic risks: low-probability events that cannot be prevented, predicted, or dealt with within the system. Cyber security becomes understood as a risk that can manifest itself at any time, striking at power grids and completely removing the power and “lifeblood” from societies.

The digitalization of energy systems therefore creates new types of catastrophic risks, under the assumption that x years from now the digital threats and dangers will be more complex and sophisticated than they are today. Even more, while storms, earthquakes and extreme weather events might not occur regularly, we do have a basic understanding of the risk. Storms are categorized as “50-year storms”, indicating that we can to some extent know the risk of them occurring. Cyber security on the other hand escapes those categorizations; it is conceived to be ever-present and possibly happening at any time. Taken to the extreme the concerns with “” can be made into reality the minute an actor with the intent to cause widespread harm gets the capabilities. Both of those components “exists”; the only thing missing is for them to be added together. This shift in how we perceive risks, through the implementation of components, devices, and artifacts that we do not trust, creates fertile ground for what has been dubbed the “resilient subject” forced to live dangerously (Evans, Reid). At any time, we might be asked to persevere through the disappearance of vital systems, resulting in “disasters” and “catastrophes”.

Managing these hypothetical and imagined risks calls for action centered on two main axes: preemptive practices of scanning and controlling digital networks, and societal resilience wherein catastrophes are imagined and prepared for through exercises and contingency plans. These latter practices took the form of mapping out how the sudden disappearance of power would play out, looking at the consequences and the effects of those consequences. The former of these practices calls for the subjugation of the digital world under national control in the name of security. The control and regulation of digital manufacturers, packets of data, and the scanning of behavior online become rationalized (at least in part) by the concerns for the catastrophic risks. As such the digitalization of the energy systems becomes an argument not only for the protection of the energy systems from digital vulnerabilities, but for the regulation of the digital world in the name of the energy systems' criticality.

Avenues for further research

Digitalization and the impact it has on critical infrastructure thinking, the energy systems, and societies is a gargantuan topic, and this thesis has barely scratched the surface of some of the implications inherent in this change. Further areas of study abound, and this section will only briefly mention some of them. The analysis of how a digital event comes to be reimagined and used as an argument for a broad set of concerns and practices proved to be a highly useful endeavor; a more thorough tracking of how one digital event comes to be understood and interpreted would therefore be an interesting topic. Industroyer, examined here, would be an ideal case for a more thorough reading, possibly giving more emphasis on different cultural interpretations. Other recent events could also be highly useful: in 2017 alone NotPetya, Trisis, and WannaCry are all examples of disruptive events that had significant impact on how digital security is understood, and are relevant for the energy system as well.

Secondly, the changes in the energy system are not following the same tracks globally. The rollout of Smart Meters in the European Union is being done differently by the member states, creating systems with different functionalities, vulnerabilities and logics attached to them. A more nuanced examination of the interplay between objects and this process of understanding the systems could yield interesting findings as well. A research program centered on these issues could afford more space to the role of socially constructed concerns in creating these devices as well. The creation of new objects and functions is after all done because of something; how digital devices are used to answer certain political questions, and in turn pose new ones, is an interesting topic.

Furthermore, all the topics mentioned here would benefit from being examined by an expanded methodological approach. While I would defend my choice of relying on texts and discourse analysis, examining this question with a more fine-tuned filter and looking at how the security concerns were being “made” at different stages would be of great interest. The road from a more digital energy system to societal resilience is a long one; examining it again, with fewer shortcuts, could potentially be revealing of the role of different experts.

Broader implications

A question worth mentioning is why cyber security becomes understood in the way it does. There is, after all, nothing given about the way we understand and make sense of the digital world. The classification and understanding of cyber security as risk stems not only from problematizations and conceptualizations, but from practices and actions that shape what the digital domain is and how it works. Unlike phenomena like storms and earthquakes the Internet is a wholly man-made creation; taking its features and peculiarities as given limits our ability to understand what else it could possibly be. The uncertainties and risks associated with cyberspace are there because we make them so, and the perceived existence of advanced digital weapons is the result of certain practices that create these types of situations.

A frequently mentioned example is the habit of collecting vulnerabilities instead of disclosing them, a common practice among intelligence agencies. This practice, often dubbed “zero-day hoarding” because it involves the collection of unknown vulnerabilities in order to use them at a later date, has been criticized by a number of cyber security experts (Schneier B, 2016, Schneier C, 2014, Klimburg 2017). One of the primary concerns is that these “cyber arsenals” can themselves be the targets of hacks and subsequently stolen. This concern has already played out at least once with serious consequences: In 2013 or 2014 the mysterious group calling themselves “The Shadow Brokers” stole a cache of digital weapons and vulnerabilities belonging to the American intelligence agency NSA. After a few years the group started publishing those vulnerabilities online, as well as publishing information on where the weapons came from (Shane, et.al., 2017). In one of those caches of digital weapons was the vulnerability given the name “EternalBlue”, which was made public in April 2017. A few months later a weaponized version of the exploit, probably made by North Korea, led to the worldwide ransomware-attack “WannaCry” that among other targets infected the UK National Health Service (Schneier D, 2017). As these tools were released into the wider public domain they became common knowledge, and protecting against them became a question of prevention. Up until the point they were released, however, the ability to defend against these tools was non-existent. They existed, yet for the larger body of cybersecurity practitioners they were in the form of risks: the unknown vulnerabilities and tools that are thought to exist but that are not “knowable” and thus unavoidable.

While the direct impacts of practices like these have been challenged, as the probability that the tools will be stolen is quite low (Ablon, Bogart, 2017), the mode of dealing with vulnerabilities helps create the impression of cyber as risks, of the existence of digital weapons that are unknown and the inability to defend. This is not a given feature of the digital domain; rather it is argued to be the consequence of an inability to approach the issue of cyber security in a comprehensive manner (Klimburg, 2017). The understanding and problematization of cyber security as risk is both the result of a way of problematizing the issue and the result of very tangible choices in approaching cyberspace. Thus, the way in which cyber security becomes about risk is not only a result of the material logics of cyberspace, it is also to a large extent dependent on the way in which we deal with the security elements of cyberspace.

Digitalization is therefore not destined to introduce an increased concern with catastrophic risks and preemptive security. The move towards resilience and planning for security incidents might be the primary mode of thinking on this process, but it is not given and unable to change. Secondly, resilience is not a uniform concept; it can mean different things. The effort to make the smart meter in the UK secure by design is one example of practices that push another understanding of resilience, making the “systemic resilience” of redundancy and reliability more prominent, and the concern with catastrophic risks smaller. Enabling and promoting certain types of resilience can make the security practices inherent in digitalization more like the ones used to deal with gas shortages and snow storms, as witnessed in the discourse on other dangers to the energy system.

Furthermore, the focus on energy systems, critical infrastructures, and their importance for modern societies makes certain priorities of security more prominent than others. The issue of cyber security becomes a question of “national security”, prioritizing the goals and objectives of the state and the society over that of the individual. The conflation of cyber security with critical infrastructure, and the problematizations of uncertain and disastrous consequences, might make practices of surveillance and monitoring more understandable and palatable. Related to this is the question of what digital solutions provide in terms of positive benefits. In the background section the increased dependence on digital systems in a renewable system is highlighted. As the world and Europe aim at fighting one global risk, climate change, they open themselves up to the concerns of another, cyber security. This interplay between two large global concerns could lead to the concerns of one happening at the expense of the other. The failure of a shift to renewable energy systems due to the fear of the vital systems being hit by a sophisticated cyber-attack would be a sorry development.

But more broadly, is the promotion of resilience and unpreventability a problem in its own right? If cyber-attacks can be managed and dealt with as they occur, it is easy to describe this as a positive development. Yet, resilience obfuscates certain understandings of a problem while promoting others. There is a famous parable by David Foster Wallace of a young fish meeting an older fish. As the older fish asks how the water is today the younger fish is dumbfounded. Spending his entire life submerged in water the young fish has not acknowledged it as a phenomenon. The point with this parable is how constant exposure to a certain reality makes us blind to what that reality is actually made up of. If a system is resilient, able to deal with and absorb security incidents, the cause for harm becomes more easily accepted as a state of fact (Bourbeau, 2013). Promoting resilience at the expense of other ways of looking at the problem is a form of resignation, a designation of something beyond human control which we only can manage through its impacts (Ibid). The acceptance of digitalization as leading to risks and uncertainties creates a strong push for one particular understanding of the problem with its associated solutions and mitigating practices. As those practices become commonplace we stop questioning whether the way of looking at the problem actually makes sense.

Bibliography

Ablon, Lillian & Timothy Bogart (2017), ‘Zero Days, Thousands of Nights’, RAND Corporation. https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf

Anderson, Ben (2010), ‘Security and the future: Anticipating the event of terror’, Geoforum, 41: 227-235

Anderson, Ross & Shailendra Fuloria (2010), ‘Who controls the off switch?’, IEEE Conference Publication: https://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf, Accessed 03.05.2018

Amoore, Louise & Marieke de Goede (2008), ‘Transactions after 9/11: The Banal Face of the Preemptive Strike’, Transactions of the Institute of British Geographers, 33 (2): 173-185

Aradau, Claudia & Rens Van Munster (2007), ’Governing Terrorism Through Risk: Taking Precautions, (un)Knowing the Future’, European Journal of International Relations, 13 (1): 89-115

Aradau, Claudia, Luis Lobo-Guerrero & Rens Van Munster (2008), ‘Security, Technologies of Risk, and the Political: Guest Editors’ Introduction’. Security Dialogue – Special Issue on Security, Technologies of Risk, And the Political, 39 (2-3): 147-154

Aradau, Claudia (2010), ‘Security That Matters: Critical Infrastructure and Objects of Protection’, Security Dialogue, 41 (5): 491-514

Aradau, Claudia (2014), ‘The promise of security: resilience, surprise and epistemic politics’, Resilience: International Policies, Practices and Discourses, Taylor & Francis

Archer, Emerald M. (2014), ‘Crossing the Rubicon: Understanding Cyber Terrorism in the European Context’. The European Legacy, 19 (5): 606-621

Balzacq, Thierry, Tugba Basaran, Didier Bigo, Emmanuel-Pierre Guittet & Christian Olsson (2010), “Security Practices”, International Studies Encyclopedia Online, accessed at https://www.researchgate.net/publication/272498410_Security_practices 26.04.2018

BBC (2014), ‘National Grid to pay firms to use less power’, 23.09.2014. http://www.bbc.com/news/business-29324760, Accessed 18.03.2018

Beck, Ulrich (1992), Risk Society: Towards a New Modernity. London, SAGE Publications

Beck, Ulrich (2007), World at Risk, Cambridge, Polity Press

Bigo, Didier (2007), ‘Security and Immigration: Toward a Critique of the Governmentality of Unease’, Alternatives – Special Issue, 27: 63-92

Bloomberg A (2017), ‘Crack and Explosion Show Risks of Europe’s Aging Energy Networks’, 12.12.2017. https://www.bloomberg.com/news/articles/2017-12-12/crack-and-explosion-show-risks-of-europe-s-aging-energy-networks, Accessed 17.03.2018

Bloomberg B (2017), ‘Gazprom Says Austria Blast Is No Reason to Pick on Russia’, 28.12.2017. https://www.bloomberg.com/news/articles/2017-12-28/gazprom-says-austria-gas-blast-isn-t-a-reason-to-pick-on-russia, Accessed 17.03.2018

Bloomberg C (2017), ‘Austrian Explosion Rattles Europe’s Gas Market’, 12.12.2017. https://www.bloomberg.com/news/articles/2017-12-12/u-k-gas-surges-after-explosion-in-austria-tightens-supply, Accessed 28.03.2018

Bloomberg D (2017), ‘It’s As If the Craziest Week in European Gas Never Happened’, Bloomberg, 14.12.2017. https://www.bloomberg.com/news/articles/2017-12-14/craziest-week-in-gas-markets-we-re-now-flat-on-last-week, Accessed 17.03.2018

Bourbeau, Philippe (2013), ‘Resiliencism: premises and promises in securitisation research’. Resilience – International Policies, Practices and Discourses, 1 (1): 3-17

Boyd, Aaron (2018), ‘Senators Want Dumber Tech For Energy Grid Cybersecurity’, 09.03.2018. http://www.nextgov.com/cybersecurity/2018/03/senators-want-dumber-tech-energy-grid-cybersecurity/146555/, Accessed 29.03.2018

Bracco, Stefano (2017), ‘Setting the scene: Ten shades of Cyber security for Energy’, Presentation in Florence, 24.03.2017

Branch, Jordan (2018), ‘Spatial Metaphors and the Territorialization of Cybersecurity’, Paper presented at ISA Annual Convention, April 2018. Referenced with the author’s permission

Bratberg, Øivind (2017), Tekstanalyse for samfunnsvitere. Oslo, Cappelen Damm Akademisk

Brenner, Joel F. (2013), ‘Eyes wide shut: The growing threat of cyber attacks on industrial control systems’, in Bulletin of the Atomic scientists, 69(5): 15-20

Bryman, Alan (2016), Social Research Methods, Oxford, Oxford University Press

Buzan Barry & Lene Hansen (2009), The Evolution of International Security Studies, Cambridge, Cambridge University Press

Cabinet Office (2018), ’National Security Capability Review’, March 2018. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/696305/6.4391_CO_National_Security_Review_web.pdf, Accessed 22.03.2018

Christensen, Kristoffer Kjærgaard & Tobias Liebetrau (2017), ‘Security Meets Cyberspace: The Politics of Cyber Security’, Draft, Accessed at http://dpsa.dk/papers/Security%20Meets%20Cyberspace%20-%20The%20Politics%20of%20Cyber%20Security%20DRAFT.pdf

Ciută, Felix (2010), ‘Conceptual Notes on Energy Security: Total or Banal Security?’, in Security & Dialogue, 41 (2): 123-144

Clarke, Richard A. & Robert Knake (2010), Cyber War: The Next Threat to National Security and What to Do About It, Harper Collins

Cleden, Daniel (2009), Managing Project Uncertainty, Farnham, Gower

CNN (2007), ‘Sources: Staged cyber attack reveals vulnerability in power grid’, 26.09.2007. http://edition.cnn.com/2007/US/09/26/power.at.risk/, Accessed 24.03.2018

Collier, Stephen J. & Andrew Lakoff (2008), ‘The Vulnerability of Vital Systems: How ‘Critical Infrastructure’ Became a Security Problem’, in Securing ‘The Homeland’: Critical Infrastructure, Risk and (in)security, Political Perspectives, 3 (1)

Collier, Stephen J. & Andrew Lakoff (2015), ‘Vital Systems Security: Reflexive Biopolitics and the Government of Emergency’, Theory, Culture & Society, 32 (2): 19-51

Corry, Olaf (2012), ‘Securitisation and ‘Riskification’: Second-order Security and the Politics of Climate Change’, Millennium: Journal of International Studies, 40 (2): 235-258

Crosston, Matthew (2014) ‘Phreak the Speak: The Flawed Communications within Cyber Intelligentsia’, in Kremer, Jan-Frederik & Benedikt Muller (ed) Cyberspace and International Relations – Theory, Prospects and Challenges. New York, Springer Heidelberg

DarkReading A (2015), ‘Smart Cities’, IoTs Key Challenges: Security, Lack of Standards’, 17.06.2015. https://www.darkreading.com/endpoint/smart-cities-iots-key-challenges-security-lack-of-standards/d/d-id/1320904, Accessed 11.03.2018

DarkReading B (2015), ‘Smart Cities’ 4 Biggest Security Challenges’, 07.01.2015. https://www.darkreading.com/vulnerabilities---threats/smart-cities-4-biggest-security-challenges/d/d-id/1321121, Accessed 12.03.2018

DarkReading C (2017), ‘First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage’, 12.06.2017. https://www.darkreading.com/threat-intelligence/first-malware-designed-solely-for-electric-grids-caused-2016-ukraine-outage/d/d-id/1329114, Accessed 22.03.2018

Darktrace (2018), ‘The Enterprise Immune System’, Darktrace Homepage, https://www.darktrace.com/technology/#enterprise-immune-system, Accessed 01.05.2018

De Goede, Marieke (2008), ‘The Politics of Preemption and the War on Terror in Europe’, European Journal of International Relations, 14 (1): 161-185

Dragos A (2017), ‘CRASHOVERRIDE – Analysis of the Threat to Electric Grid Operations’, 13.06.2017. https://dragos.com/blog/crashoverride/CrashOverride-01.pdf, Accessed 14.03.2018

Dragos B (2017), ‘TRISIS Malware – Analysis of Safety System Targeted Malware’, 13.12.2017. https://dragos.com/blog/trisis/TRISIS-01.pdf, Accessed 21.03.2018

Dunn, Kevin C. & Iver Neumann (2015), Undertaking Discourse Analysis for Social Research, United States, University of Michigan Press

Dunn Cavelty, Myriam (2008), Cyber-Security and Threat Politics – US efforts to secure the information age. New York, Routledge

Economist A (2014), ‘Grid Unlocked’, 17.10.2014. https://www.economist.com/news/business/21625885-american-utilities-mimic-tech-industry-make-systems-more-resilient-grid-unlocked, Accessed 12.03.2018

EIS Council A (2018), ‘Black Sky Hazards’. https://www.eiscouncil.org/BlackSky.aspx, Accessed 25.03.2018

EIS Council B (2018), ‘Cyber Terrorism’. https://www.eiscouncil.org/BlackSky_Details.aspx?itemId=21, Accessed 25.03.2018

ENISA (European Union Agency for Network and Information Security) (2017), Cyber Europe 2016: After Action Report. https://www.enisa.europa.eu/publications/ce2016-after-action-report, Accessed 20.03.2018

ESET A (2017), ‘WIN32/Industroyer – A new threat for industrial control systems’, 12.06.2017. https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf, Accessed 11.03.2018

ESET B (2017), ‘Industroyer: Biggest malware threat to critical infrastructure since Stuxnet’, 12.06.2017. https://www.eset.com/int/industroyer/, Accessed 12.03.2018

EU Smart Grid Task Force Meeting (2018), 08.02.2018. https://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters/smart-grids-task-force, Accessed 22.03.2018

European Commission (2006), Green Paper – A European Strategy for Sustainable, Competitive and Secure Energy, 08.03.2006. http://europa.eu/documents/comm/green_papers/pdf/com2006_105_en.pdf, Accessed 25.03.2018

European Commission (2010), Energy 2020 – A strategy for competitive, sustainable and secure energy, 10.11.2010. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010DC0639&from=EN, Accessed 25.03.2018

European Commission A (2014), European Energy Security Strategy, 28.05.2014. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52014DC0330&qid=1407855611566, Accessed 25.03.2018

European Commission B (2014), In-depth study of European Energy Security, 02.07.2014. https://ec.europa.eu/energy/sites/ener/files/documents/20140528_energy_security_study.pdf, Accessed 25.03.2018

European Commission (2016), Directive 2016/1148 – NIS Directive, 06.07.2016. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN, Accessed 25.03.2018

European Commission A (2018), Smart Grid Task Force. https://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters/smart-grids-task-force, Accessed 25.03.2018

European Commission B (2018), Smart Grids and Meters. https://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters, Accessed 25.03.2018

Eurostat (2018), “Which kind of energy do we consume in the EU and how much does it cost?”. http://ec.europa.eu/eurostat/cache/infographs/energy/bloc-3.html, Accessed 01.04.2018

Evans, Brad & Julian Reid (2013), ‘Dangerously exposed: the life and death of the resilient subject’, Resilience: International Policies, Practices and Discourses, Taylor & Francis

Foreman, Chris & Dheeraj Gurugbelli (2015), ‘Identifying the Cyber Attack Surface of the Advanced Metering Infrastructure’, in The Electricity Journal, 28(1): 1040-6190

Foucault, Michel (1984), ‘What is Enlightenment?’, in Rabinow ed. The Foucault Reader, New York, Pantheon Books, pp. 32-50

Foucault, Michel (1994), Dits et Ecrits, Translated at www.michel-foucault.com, Accessed 01.03.2018

Friis, Karsten & Erik Reichborn-Kjennerud (2018), ‘Theorizing Cybersecurity: Risk, Practice and Material Logics’, Working Paper, referenced with permission of authors

GasConnect Austria (2018), Incident Baumgarten. https://www.gasconnect.at/en/incident-baumgarten/, Accessed 01.05.2018

GCHQ (2016), ‘The smart security behind the GB Smart Metering System’, 25.04.2016. https://www.ncsc.gov.uk/articles/smart-security-behind-gb-smart-metering-system, Accessed 22.03.2018.

Global E-sustainability Initiative (GeSi) (2008), ‘Smart 2020 – Enabling the low-carbon economy in the information age’, June 2008. http://gesi.org/report/detail/smart-2020-enabling-the-low-carbon-economy-in-the-information-age, Accessed 20.03.2018

Global E-sustainability Initiative (GeSi) (2015), ‘SMARTer 2030 – ICT Solutions for 21st Century Challenges’, 2015. http://smarter2030.gesi.org/downloads/Full_report.pdf, Accessed 20.03.2018

Greenberg, Andy A (2017), ‘”Crash Override”: The Malware That Took Down A Power Grid’, The Wired, 06.12.17. https://www.wired.com/story/crash-override-malware/, Accessed 13.03.2018

Greenberg, Andy B (2017), ‘How an entire nation became Russia’s test lab for cyberwar’, 20.06.2017. https://www.wired.com/story/russian-hackers-attack-ukraine/, Accessed 11.03.2018.

Guardian A (2018), ‘Brexit risks energy shortages and bigger bills, peers warn’, 29.01.2018. https://www.theguardian.com/business/2018/jan/29/brexit-risks-energy-shortages-and-bigger-bills-peers-warn, Accessed 12.03.2018

Guardian B (2017), ‘Italy declares state of emergency after deadly gas explosion in Austria’, 12.12.2017. https://www.theguardian.com/world/2017/dec/12/italy-declares-state-emergency-gas-explosion-austria, Accessed 15.03.2018

Guardian C (2015), ‘National Grid makes urgent call for companies to reduce electricity usage’, 04.11.2015. https://www.theguardian.com/business/2015/nov/04/national-grid-issues-urgent-call-for-extra-power, Accessed 17.03.2018

Guardian D (2017), ‘”Industroyer” virus could bring down power networks, researchers warn’, 13.06.2017. https://www.theguardian.com/technology/2017/jun/13/industroyer-malware-virus-bring-down-power-networks-infrastructure-wannacry-ransomware-nhs, Accessed 12.03.2018.

Guardian E (2016), ‘Winter electricity blackouts risk recedes, says National Grid’, 14.10.2016. https://www.theguardian.com/environment/2016/oct/14/winter-electricity-blackouts-risk-recedes-says-national-grid, Accessed 24.03.2018

Guardian F (2016), ‘South Australia’s blackout explained (and no, renewables aren’t to blame)’, 29.09.2016. https://www.theguardian.com/australia-news/2016/sep/29/south-australia-blackout-explained-renewables-not-to-blame, Accessed 24.03.2018

Guardian G (2017), ‘’Industroyer’ virus could bring down power networks, researchers warn’, 13.06.2017. https://www.theguardian.com/technology/2017/jun/13/industroyer-malware-virus-bring-down-power-networks-infrastructure-wannacry-ransomware-nhs, Accessed 22.03.2018

Guardian H (2015), ‘Smart thermostat left me with no hot water and put my home at risk of fire’, 08.08.2015. https://www.theguardian.com/money/2015/aug/08/smart-thermostat-boilers-eco-device, Accessed 28.03.2018

Hansen, Lene (2006), Security as Practice – Discourse Analysis and the Bosnian War, London and New York, Routledge

Hansen, Lene & Helen Nissenbaum (2009), ‘Digital Disaster, Cyber Security, and the Copenhagen School’, in International Studies Quarterly, 53(4): 1155-1175

Healey, Jason ed. (2013), A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, A CCSA (Cyber Conflict Studies Association) Publication, in Partnership with the Atlantic Council

Hebert, Curt (2013), ‘The Most Critical of Economic Needs (Risks): A Quick Look at Cybersecurity and the Electric Grid’, in The Electricity Journal, 26(5): 1040-6190

Hiller, S. Janine & Roberta S. Russel (2013), ‘The challenge and imperative of private sector cybersecurity: An international comparison’, in Computer Law & Security Review, 29: 236-245

Hjort, Jens Johan (2017), ‘Forslaget til digitalt grenseforsvar bør forkastes, mener Advokatforening’, Aftenposten, 22.11.2017. https://www.aftenposten.no/meninger/debatt/i/vmWdBm/Forslaget-til-digitalt-grenseforsvar-bor-forkastes_-mener-Advokatforeningen--Jens-Johan-Hjort, Accessed 12.03.2018

International Energy Agency (IEA) (2017), Digitalization & Energy. https://www.iea.org/publications/freepublications/publication/DigitalizationandEnergy3.pdf, Accessed 01.04.2018

Independent (2018), ‘If Russia launches a cyber attack on the UK, this is what we can do’, 16.03.2018. https://www.independent.co.uk/voices/russia-cyber-war-nerve-agent-may-defense-warfare-a8307391.html, Accessed 28.03.2018

Interfax (2017), ‘Gazprom says safety violations during repairs to blame for Austrian gas hub explosion’, 14.12.2017. http://www.interfax.com/newsinf.asp?id=797711

Jackson, Patrick Thaddeus (2011), The conduct of Inquiry in International Relations, London and New York, Routledge

Jackson, Richard (2015), ‘The epistemological crisis of counterterrorism’, Critical Studies on Terrorism, 8 (1): 33-54.

Jasanoff, Sheila (2004), States of Knowledge – The co-production of science and social order. London and New York, Routledge

Johansson, Bengt (2013), ‘Security aspects of future renewable energy systems – A short overview’, Energy, 61 (1): 598-605.

Juncker, Jean-Claude (2017), ‘State of the Union Address 2017’, 13.09.2017. http://europa.eu/rapid/press-release_SPEECH-17-3165_en.htm, Accessed 20.03.2018

Kaspersky A (2018), ‘A robot’s ransom’, 26.03.2018. https://www.kaspersky.com/blog/hacking-robots-sas2018/21755/, Accessed 17.03.2018

Kaspersky B (2014), ‘The Dangers of a Smart Future’, 24.11.2014. https://www.kaspersky.com/blog/cyberfuture-unfavorable-forecast/6846/, Accessed 17.03.2018

Kaspersky C (2013), ‘Securing the Internet of Things’, 21.06.2013. https://www.kaspersky.com/blog/securing-the-internet-of-things/2136/, Accessed 16.03.2018

Kello, Lucas (2017), The Virtual Weapon and International Order, New Haven and London, Yale University Press

Kessler, Oliver & Christopher Daase (2008), ‘From Insecurity to Uncertainty: Risk and the Paradox of Security Politics’, Alternatives, Global, Local, Political, 33 (2): 211-232

Klimburg, Alexander (2017), The Darkening Web – The War for Cyberspace, New York, Penguin Press

KrebsOnSecurity (2012), ‘FBI: Smart Meter Hacks Likely to Spread’, 12.04.2012. https://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/, Accessed 14.03.2018.

Kremer, Jan-Frederik & Benedikt Muller (2014), Cyberspace and International Relations – Theory, Prospects and Challenges. New York, Springer Heidelberg

Krepinevich, Andrew (2011), ‘Get ready for the Democratization of destruction’, in Foreign Policy, 188: 80-81

Latour, Bruno (2007), Reassembling the Social – An Introduction to Actor-Network-Theory. Oxford, Oxford University Press

Lechner, Stephan (2017), Comments at High level Roundtable on Main Challenges for Cyber Security in the Energy System, 24.03.2017. https://ec.europa.eu/energy/sites/ener/files/documents/detailed_minutes_rome_24.3_final.pdf, Accessed 25.03.2018

Lipovsky, Robert, ESET, at Virus Bulletin Conference (2017), ‘Last minute paper: Industroyer: biggest threat to industrial control systems since Stuxnet’, 05.10.2017. https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet, Accessed 20.03.2018

Lysne 2-utvalget (2016), Digitalt grenseforsvar (DGF), 26.08.2016. https://www.regjeringen.no/contentassets/ca1f705dbebd48cb9a61889d4cfee6bf/digitalt-grenseforsvar-lysne-ii-utvalget.pdf, Accessed 15.03.2018

Løkke, Eirik (2018), ‘Trenger Norge et digitalt grenseforsvar?’, Minerva, 02.01.2018. https://www.minervanett.no/trenger-norge-digitalt-grenseforsvar/, Accessed 17.03.2018

Massumi, Brian (2015) ‘Q&A With Brian Massumi’, Duke University Press, 19.08.2015. https://dukeupress.wordpress.com/2015/08/19/qa-with-brian-massumi/. Accessed 01.04.2018

Merriam Webster, ‘Resilience’. https://www.merriam-webster.com/dictionary/resilience Accessed 01.04.2018

Moriarty, Patrick & Damon Honnery (2016), ‘Can renewable energy power the future?’, Energy Policy, 93: 3-7

Moulinos, Konstantinos (2017), ‘Cyber Security threats in the energy sector – ENISA’, Presentation in Florence, 24.03.2017

Muhlberger, Rainer (2017), ‘Cyber Security in a developing energy market’, Presentation in Florence, 24.03.2017

Månsson, Andre (2016), ‘Energy and Security: Exploring Renewable and Efficient Energy Systems’, PHD, Lund University Publication, https://lup.lub.lu.se/search/publication/dcb7307b-2ecf-4503-b27b-5e143a4c05e9

New Statesman (2018), ‘Cyber crime now “generates $1.5tn per year”’, 20.04.2018. http://tech.newstatesman.com/security/cyber-crime-generates-1-5tn, Accessed 08.05.2018

Nie, Pu-Yan & Yong-cong Yang (2016), ‘Renewable energy strategies and energy security’, Journal of Renewable and Sustainable Energy, 8 (6)

Nojeim, Greg & David Snead (2017), ‘Letting cyberattack victims hack back is a very unwise idea’, 22.07.2017. https://www.wired.com/story/letting-cyberattack-victims-hack-back-is-a-very-unwise-idea/, Accessed 20.03.2018

NorSIS (2017), ‘“Industroyer” og angrepet mot det ukrainske kraftnettet i desember’, 15.06.2017. https://norsis.no/industroyer/, Accessed 19.03.2018

NRK A (2017), ‘Tar til orde for bevæpning etter terrorangrepene i Europa’, 19.08.2017. https://www.nrk.no/norge/tar-til-orde-for-bevaepning-etter-terrorangrepene-i-europa-1.13649599, Accessed 25.03.2018

NRK B (2018), ‘ – En ekstraordinær situasjon’, 17.02.2018. https://www.nrk.no/sorlandet/_-en-ekstraordinaer-situasjon-1.13869529, Accessed 18.03.2018

Nye Jr, Joseph S. (2011), The Future of Power. New York, Public Affairs

Onyeji, Ijeoma, Morgan Bazilian & Chris Bonk (2014), ‘Cyber Security and Critical Energy Infrastructure’, in The Electricity Journal, 27(2): 1040-6190

O’Sullivan, Meghan, Indra Overland & David Sandalow (2017), ‘The Geopolitics of Renewable Energy’, Working Paper published by Center on Global Energy Policy, Columbia University

The Oxford Institute for Energy Studies (2018), ‘Reflection on the Baumgarten Gas Explosion: Markets are Working’, January 2018. https://www.oxfordenergy.org/wpcms/wp-content/uploads/2018/01/Reflection-on-the-Baumgarten-Gas-Explosion-Comment.pdf, Accessed 27.03.2018

Pouliot, Vincent (2010), International Security in Practice – The Politics of NATO-Russia Diplomacy. Cambridge, Cambridge University Press

Proag, Virendra (2014), ‘The Concept of Vulnerability and Resilience’, Procedia Economics and Finance, 18: 369-176

Reuters A (2011), ‘How secure is the smart grid?’, 01.02.2011. https://www.reuters.com/article/idUS284528744820110201, Accessed 11.03.2018

Reuters B (2017), ‘Ukraine’s power outage was a cyber attack: Ukrenergo’, 18.01.2017. https://www.reuters.com/article/us-ukraine-cyber-attack-energy/ukraines-power-outage-was-a-cyber-attack-ukrenergo-idUSKBN1521BA, Accessed 11.03.2018.

Reuters C (2017), ‘Cyber firms warn of malware that could cause power outages’, 12.06.2017. https://www.reuters.com/article/us-cyber-attack-utilities/cyber-firms-warn-of-malware-that-could-cause-power-outages-idUSKBN1931EG, Accessed 20.03.2018

Reuters D (2014), ‘Popular electricity smart meters in Spain can be hacked, researchers say’, 07.10.2014. https://uk.reuters.com/article/us-cybersecurity-spain/popular-electricity-smart-meters-in-spain-can-be-hacked-researchers-say-idUKKCN0HW15E20141007, Accessed 12.03.2018

Rid, Thomas (2013) Cyber War Will Not Take Place. New York, Oxford University Press

Rid, Thomas & Ben Buchanan (2015) ‘Attributing Cyber Attacks’, Journal of Strategic Studies: 38(1-2): 4-37

Rosenberg, Scott (2017), ‘Firewalls don’t stop hackers. AI might’, 27.09.2017. https://www.wired.com/story/firewalls-dont-stop-hackers-ai-might/, Accessed 15.03.2018

Rychnovska, Dagmar, Maya Pasgaard & Trine Villumsen Berling (2017) “Science and security expertise: Authority, knowledge, subjectivity”, Geoforum, 84: 327-331

Schneier, Bruce A (2017), ‘Security and the Internet of Things’, 01.02.2017. https://www.schneier.com/blog/archives/2017/02/security_and_th.html, Accessed 20.03.2018

Schneier, Bruce B (2016), ’The NSA is Hoarding Vulnerabilities’, 26.08.2016. https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html, Accessed 21.03.2018

Schneier, Bruce C (2014), ‘Disclosing vs. Hoarding Vulnerabilities’, 22.05.2014. https://www.schneier.com/blog/archives/2014/05/disclosing_vs_h.html, Accessed 18.03.2018

Schneier, Bruce D (2017), ‘WannaCry and Vulnerabilities’, 02.06.2017. https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html, Accessed 25.03.2018

Security Affairs (2017), ‘Flaws in solar panels potentially threatening European power grids’, 06.08.2017. https://securityaffairs.co/wordpress/61750/hacking/solar-panels-flaws.html, Accessed 18.03.2018

Security Week (2017), ‘Industry Reactions to “CrashOverride” Malware: Feedback Friday’, 16.06.2017. https://www.securityweek.com/industry-reactions-crashoverride-malware-feedback-friday, Accessed 21.03.2018

Shane, Scott, Nicole Perlroth & David E. Sanger (2017), ‘Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core’, in The New York Times, 12.11.2017. https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html, Accessed 15.03.2018

Siddi, Marco (2018), ‘Identities and Vulnerabilities: The Ukraine Crisis and the Securitisation of the EU-Russia Gas Trade’. Energy Security in Europe – Divergent Perceptions and Policy Challenges, Cham, Palgrave Macmillan

Simon-Lewis, Alexandra (2017), ‘Crash Override malware is targeting power grids, but how dangerous is it?’, The Wired, 13.06.2017. http://www.wired.co.uk/article/what-is-crash-override-malware-hackers, Accessed 20.03.2018

Singer, P.W. & Allan Friedman (2014), Cybersecurity and Cyberwar – What Everyone Needs to Know. New York, Oxford University Press

Slayton, Rebecca (2013), ‘Efficient, Secure, Green: Digital Utopianism and the Challenge of Making the Electrical Grid “Smart”’. Information & Culture: A Journal of History, 48 (4): 448-478.

Sovacool, Benjamin K. & Ishani Mukherjee (2011), ‘Conceptualizing and measuring energy security: A synthesized approach’. Energy, 36: 5343-5355

Stegen, Karen Smith, Patrick Gilmartin & Janetta Carlucci (2012), ’Terrorists versus the Sun: Desertec in North Africa as a case study for assessing risks to energy infrastructure’, in Risk Management, 14(1): 3-26

Stevens, Tim (2016), Cyber Security and the Politics of Time, Cambridge, Cambridge University Press

Szulecki, Kacper (2018), ‘The Multiple Faces of Energy Security: An Introduction’. Energy Security in Europe – Divergent Perceptions and Policy Challenges, Cham, Palgrave Macmillan

Szulecki, Kacper & Julia Kuznir (2018), ‘Energy Security and Energy Transition: Securitisation in the Electricity Sector’. In Energy Security in Europe – Divergent Perceptions and Policy Challenges, Cham, Palgrave Macmillan

Søreide, Ine Eriksen (2017), ‘Vi trenger et digital grenseforsvar’, Verdens Gang, 09.10.2017. https://www.vg.no/nyheter/meninger/i/6ra4r/vi-trenger-et-digitalt-grenseforsvar, Accessed 12.03.2018

Taleb, Nicholas Nassim (2010), The Black Swan – The Impact of the Highly Improbable. London, Penguin Books

Techterms, ‘Redundancy’. https://techterms.com/definition/redundancy, Accessed 01.04.2018

Telegraph A (2017), ‘At least one killed and 18 injured in explosion at Austrian gas plant’, 12.12.2017. https://www.telegraph.co.uk/news/2017/12/12/least-one-killed-18-injured-explosion-austrian-gas-plant/, Accessed 27.03.2018.

Telegraph B (2018) ‘Four meals from anarchy: How Britain would collapse in just days if power supply is cut’, 17.03.2018. https://www.telegraph.co.uk/news/2018/03/17/britain-four-meals-away-anarchy-cyber-attack-takes-power-grid/, Accessed 25.03.2018.

Telegraph C (2004), ‘CIA plot led to huge blast in Siberian gas pipeline’, 28.02.2004. https://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html, Accessed 17.03.2018

Telegraph F (2014), ‘National Grid: Emergency measures to prevent winter blackouts’, 28.10.2014. https://www.telegraph.co.uk/finance/newsbysector/energy/11191775/National-Grid-Emergency-measures-to-prevent-winter-blackouts.html, Accessed 19.03.2018

Telegraph D (2016), ‘Electricity bills set to rise by £30 a year and power rationed amid shortage fears, report warns’, 19.12.2016. https://www.telegraph.co.uk/news/2016/12/19/electricity-bills-set-rise-30-year-power-rationed-amid-shortage/, Accessed 20.03.2018

Telegraph E (2016), ‘Sainsbury’s builds its own power plants amid energy shortage fears’, 05.05.2016. https://www.telegraph.co.uk/news/2016/05/04/sainsburys-builds-its-own-power-plants-amid-energy-shortage-fear/, Accessed 21.03.2018

Tripwire (2017), ‘Industroyer Malware Capable of Causing ‘Significant Harm’ to Electric Power Systems’, 13.06.2017. https://www.tripwire.com/state-of-security/ics-security/industroyer-malware-capable-causing-significant-harm-electric-power-systems/, Accessed 19.03.2018

Van Leeuwen, Theo (2008), Discourse and Practice – New Tools for Critical Discourse Analysis. New York, Oxford University Press

Wæver, Ole & Lene Hansen (2002), European Integration and National Identity – The Challenge of the Nordic States. London and New York, Routledge

Yan, Ye, Yi Qian, Hamid Sharif & David Tipper (2012), ‘A Survey on Cyber Security for Smart Grid Communications’, in IEEE Communications Surveys & Tutorials, 14(4)

Yergin, Daniel (1991), The Prize – The epic quest for oil, money & power. New York, Simon & Schuster

Yusta, Jose M., Gabriel J. Correa & Roberto Lacal-Arantegui (2011), ‘Methodologies and applications for critical infrastructure protection: State-of-the-art’, in Energy Policy, 39: 6100-6119

Zetter, Kim (2015), ‘A cyberattack has caused confirmed physical damage for the second time ever’, The Wired, 01.18.2015. https://www.wired.com/2015/01/german-steel-mill-hack-destruction/, Accessed 21.03.2018.

Zetter, Kim (2016), ‘Inside the cunning, unprecedented hack of Ukraine’s power grid’, The Wired, 03.03.2016. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/, Accessed 25.03.2018

Zetter, Kim (2016), ‘The world’s first digital weapon: Stuxnet’, Lecture at Norwegian Institute of Foreign Affairs, 27.05.2016.