CYBER SECURITY ASSESSMENT OF NIGERIA’S ELECTRIC POWER INFRASTRUCTURE
Keywords:
Cyber security, Energy Infrastructure, Energy Policy, Cyber threats, Nigeria
Abstract
The evolution of the Nigerian electric power system from a traditional centralized grid to an integrated cyber-physical system makes cyber-attacks inevitable. It is imperative to analyse the cyber-security concerns of Nigeria’s electric power system as an input to critical energy infrastructure policy development. The study relied on primary and secondary sources of information, including policy documents such as the Energy Sector Reform Act (2005), the Nigerian National Cybersecurity Policy draft document (2015), and the World Bank project appraisal document on Nigeria’s electricity transmission project, as well as journal articles on Nigeria’s electric power system and on cyber-threats to critical energy infrastructure in the world. In addition, a technology foresight analysis framework comprising content analysis and strategic foresight was used. The study ascertained that the national power infrastructure consisted of old and obsolete technologies known as legacy equipment, while the new cyber-physical system included digital metering devices and automated power flow control systems, amongst others. The national power infrastructure indicated higher susceptibility to cyber-attacks upon and by the electric power system than to cyber-attacks through the electric power system, and was susceptible to cyber-attacks of classifications and methods such as phishing, malware and data breaches, amongst others. These cyber-threats were considered possible across the generation, transmission and distribution systems. A robust, effectual, and formal cyber-security system revolving around three critical resources (People, Processes, and Technology/Systems) was postulated for the national electric power system, entailing the development of an Incident Response Plan comprising documented instructions detailing four critical components or strategies, namely: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.