As energy systems become more digital, distributed and data-driven, trust in the device itself—rather than in the traditional network perimeter—is emerging as a cornerstone of resilient grid operations.

In this episode of Energy Transition Talks, CGI’s Andrea Grad speaks with Prof. Dr. Christian Zenger, CEO and co-founder of PHYSEC, about how cyber-physical trust, secure device identity and zero-trust architectures can safeguard the modern grid, from substations to smart meters and distributed energy resources (DERs).

Why cyber-physical trust now defines grid resilience

The energy sector faces increasingly sophisticated and targeted cyber threats. Ransomware that spreads from IT into OT environments, supply-chain manipulation through compromised software updates and direct physical tampering of devices in the field illustrate how digital attacks can quickly escalate into operational consequences.

“In OT, trust begins with the device, not the perimeter.” — Prof. Dr. Christian Zenger

Building this trust requires hardware-anchored identities, verifiable device state and end-to-end secure communication to strengthen confidence in data, commands and control signals across all grid layers.

The evolution from air-gapped systems to zero-trust

Utilities today operate a blend of three architectural generations:

  1. Fully air-gapped legacy systems: Still widespread due to older operating systems that cannot be modernized without risk.
  2. Purdue-model segmented networks: Clear separation of levels (from field devices to business IT), strict communication paths and traditional perimeter assumptions.
  3. Modern industrial IoT: Devices can communicate across layers, e.g., jumping from Level 0 to Level 5, unlocking analytics, automation and digital efficiencies.

“Modern IoT collapses traditional network boundaries. Zero trust is what restores structure in this new reality.” — Prof. Dr. Christian Zenger

Zero-trust principles—continuous verification, robust authentication, micro-segmentation and encrypted communication—provide this structure for secure modernization.

Turning regulation into practical implementation

New EU regulations are reshaping how operators and manufacturers approach cyber-physical security:

  • NIS2 expands obligations for essential operators.
  • The Cyber Resilience Act (CRA) sets mandatory security requirements for connected products.
  • The Critical Entities Resilience (CER) Directive strengthens cyber-physical risk management.

Zenger notes that the CRA also helps resolve a long-standing vendor-operator “Prisoner’s Dilemma” by requiring vendors to supply baseline security evidence that operators can reuse, reducing duplicated effort and avoiding costly parallel assessments.

“Fixing security after deployment can cost 100 to 200 times more than integrating it by design.” — Prof. Dr. Christian Zenger

Securing smart metering and DER assets at scale

With the rapid growth of smart meters, sensors and DER interfaces at the grid edge, scalable and harmonized device trust frameworks become essential. Priority capabilities include cryptographic device identities, secure onboarding, signed firmware, SBOM visibility and converged OT/IT logging. These measures support both resilience and operational efficiency.
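The zero-trust principles listed earlier (continuous verification, robust authentication, micro-segmentation and encrypted communication) and the device-trust capabilities above (cryptographic device identities, secure onboarding, signed firmware, converged logging) can be made concrete with a small head-end check. The following is an added example written for this summary; it is not code from the podcast, from PHYSEC or from CGI. It assumes a hypothetical per-device key provisioned at onboarding as a stand-in for a hardware-anchored identity, an approved-firmware list of SHA-256 digests as the "verifiable device state", and constructed sample reports from a smart meter. Every report is verified for identity, freshness and firmware state before its data is accepted, and every decision is written to a log a SIEM could ingest:

```python
"""Added example (not from the podcast, PHYSEC or CGI): a minimal zero-trust
check for a field-device report at the head-end. Identity is a per-device key
bound at onboarding (stand-in for a hardware-anchored identity), device state
is the SHA-256 digest of the running firmware checked against an approved
list, and nothing is trusted just because it arrived on the OT network."""
import hashlib
import hmac
import json
import secrets

# Constructed data, not from any real deployment.
DEVICE_REGISTRY = {}      # device_id -> {"class": ..., "key": ...}
LAST_COUNTER = {}         # device_id -> last accepted monotonic counter
APPROVED_FIRMWARE = {     # device class -> set of approved firmware digests
    "smart-meter": {hashlib.sha256(b"constructed firmware image v1.2.0").hexdigest()},
}
AUDIT_LOG = []            # converged OT/IT log of every accept/reject decision


def enroll_device(device_id, device_class, key=None):
    """Secure onboarding: bind a device id to a fresh per-device secret."""
    key = key or secrets.token_bytes(32)
    DEVICE_REGISTRY[device_id] = {"class": device_class, "key": key}
    LAST_COUNTER[device_id] = 0
    return key


def _canonical(body):
    """Stable serialization so device and head-end MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(device_id, key, firmware_image, counter, readings):
    """Device side: identity, firmware digest, monotonic counter, data and MAC."""
    body = {
        "device_id": device_id,
        "firmware_sha256": hashlib.sha256(firmware_image).hexdigest(),
        "counter": counter,
        "readings": readings,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_report(report):
    """Head-end side: verify identity, freshness and device state before use.

    Returns (accepted, reason); the reason is also appended to AUDIT_LOG."""
    device_id = report.get("device_id")
    entry = DEVICE_REGISTRY.get(device_id)
    if entry is None:
        return _decide(device_id, False, "unknown device")
    body = {k: v for k, v in report.items() if k != "mac"}
    expected = hmac.new(entry["key"], _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(report.get("mac", ""))):
        return _decide(device_id, False, "bad MAC")
    counter = report.get("counter", -1)
    if counter <= LAST_COUNTER[device_id]:
        return _decide(device_id, False, "replayed or stale counter")
    if report.get("firmware_sha256") not in APPROVED_FIRMWARE.get(entry["class"], set()):
        return _decide(device_id, False, "unapproved firmware")
    LAST_COUNTER[device_id] = counter
    return _decide(device_id, True, "accepted")


def _decide(device_id, accepted, reason):
    AUDIT_LOG.append({"device_id": device_id, "accepted": accepted, "reason": reason})
    return accepted, reason


if __name__ == "__main__":
    key = enroll_device("meter-0001", "smart-meter")
    fw = b"constructed firmware image v1.2.0"
    print(verify_report(build_report("meter-0001", key, fw, 1, {"kwh": 12.5})))
    print(verify_report(build_report("meter-0001", key, b"tampered image", 2, {"kwh": 12.6})))
    for line in AUDIT_LOG:
        print(line)
```

The order of checks matters: the MAC is verified before the counter or firmware fields are read, so an unauthenticated sender cannot influence replay state or learn which firmware digests are approved from the rejection reason. In a real deployment the per-device key would live in a secure element and firmware approval would rest on a vendor signature over the image rather than a plain digest list; both are simplified here.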

Strengthening the business case for cybersecurity

With NIS2 fines reaching up to €15 million or 2.5% of global turnover, cybersecurity is now a strategic business priority. Beyond compliance, Zenger highlights that security delivers operational benefits: zero-trust improves troubleshooting, single sign-on reduces operator overhead and SIEM data can support predictive maintenance.

Collaboration as a catalyst for secure innovation

Achieving resilient digitalization requires an ecosystem approach. Device manufacturers, integrators like CGI and academic institutions each play crucial roles in validating solutions and ensuring continuous improvement. Zenger emphasizes the value of strong academic partners who provide neutral, research-driven perspectives and help bridge the gap between operators and vendors.

Looking ahead: Regulation that enables innovation

By 2030, innovation-aligned regulation and stronger cyber-physical trust foundations will enable secure prosumer models, dynamic tariffs and bidirectional energy flows. Yet achieving this future hinges on moving beyond perimeter assumptions toward verifiable device identity, zero-trust architectures and evidence-driven assurance across the supply chain.

Utilities that make these capabilities intrinsic—not add-ons—will reduce operational and compliance risk while shaping the technical standards and architectures the rest of the sector will follow, positioning themselves to lead the next chapter of the energy transition.


Read the transcript

Introduction: Air gaps, zero-trust and cybersecurity in energy 4.0

Andrea Grad:

Hello and a warm welcome to everyone who tuned in for today's podcast. My name is Andrea Grad. I'm a lead consultant at CGI and based in Düsseldorf, Germany. In today's podcast, we will discuss the topic from air gap to zero trust security architectures from the energy world 4.0.

But I'm not alone today. Our guest is Professor Dr. Christian Zenger, who is the co-founder of PHYSEC, which is a successful spin-off from Ruhr University Bochum, specializing in OT and IoT security. Christian Zenger, it's so great to have you as a guest today. Please introduce yourself.

Christian Zenger:

Thank you very much. Happy to be here. I'm Christian Zenger. I'm a professor at the Ruhr University, which is one of the top universities for cybersecurity in Germany. I have more than 40 professor colleagues in this topic, which maybe is an impressive number and demonstrates how strong we are here. I got lucky nine years ago to found PHYSEC, together with my co-founder Heiko. Together, we developed a technology and a strong team specialized in OT and IoT security.

Cyber threat landscape in the energy and utilities sector

Andrea Grad:

Wonderful, thank you very much. Well, with that, I think you bridged the gap to the topic, and I would suggest we start right away with the first question. Looking at today's threat landscape in the energy and utility sector, what do you see as the most common risks for energy suppliers?

Christian Zenger:

First, what's interesting is that the energy sector is attacked very specifically; there are attack vectors which are tailored to the energy sector. In this sector we have a very close collaboration between the IT infrastructure and the OT infrastructure. This means that there are different attack vectors. Number one is still ransomware against the IT, but also ransomware which swapped from IT to OT, but also ransomware which attacks OT directly.

We have supply chain attacks through software updates and they update the ecosystem by themselves, and we have also sabotage of SCADA systems from remote access operations as well as closed access operations, so where attackers go physically to the device and attack them. Both attacks usually aim at a physical threat.

Why IoT security is critical for modern infrastructure

Andrea Grad:

Well, speaking of the physical threats, it bridges the point to the IoT devices. At CGI we often see that utilities are challenged by the growing complexity of those, from smart meters to grid edge sensors. In that context, Christian, what role does IoT security play, especially when it comes to critical infrastructures?

Christian Zenger:

Let’s say there are three generations. Generation one is all the assets are air gapped, especially due to very old operating systems, and they maybe should keep air gapped. Second is the classical Purdue model where you have different levels and different tasks operating on these levels, like level zero are the sensors, actors, control level, etc., up to the business level. And all the levels are segmented. You cannot just communicate from one level to another. There are strict rules very clearly defined. And the third generation is the industrial IoT, where you can jump from one level to another, like from level zero to level five, just with a smart IoT technology. This makes everything cheaper, faster, and very interesting and, business-wise, something people like because they get digitalization chances. However, doing these concepts like zero trust is getting fundamentally important because you cannot go through these different levels without having a very proper end-to-end encryption. Therefore, it is important to look at the requirements for modern security by integrating IoT.

Regulator pressures: Navigating NIS2, the Cyber Resilience Act and the Data Act

Andrea Grad:

That really resonates. I think that your value proposition is very important. We see that a lot of utilities have a common interest in IoT AI for predictive maintenance, but that is always paired with questions about regulatory compliance. It's just a reminder that innovation and governance really go hand in hand. Now if we're looking at EU regulations with NIS2, the Cyber Resilience Act and the Data Act, what are the biggest compliance challenges for energy providers? And especially: how do you think collaboration between players like CGI and PHYSEC helps reduce the cost of compliance?

Christian Zenger:

The most important thing is regulation, like NIS2, but also the regulation, the CER, Cyber Entity Resilience Act, which manages the physical security. My recommendation is to look at both at the same time and develop a converged approach where the cyber and the cyber-physical attack vectors are handled together. Number one. Number two is the Cyber Resilience Act, which is the first one providing a minimum security standard for the vendors. This is really something you as an operator should use because of the knowledge the Cyber Resilience Act is actually requiring; you can think about what kind of documents, which the vendors are now, you know, working on, could actually help you with your own compliance strategy. This is something economically interesting, because you don't need to do your $100k risk analysis if the vendor already did a huge part of it. From my perspective, this interaction between NIS2 and the Cyber Resilience Act is also solving a classical “Prisoner's dilemma” between the vendor and the operator. If we look at a very old study from IBM from 1983, it says that the relative costs of fixing problems like adding IT security afterwards cost 100 to 200 times the cost compared to if you do it by design in the product. And this is a huge economical thing. I think this regulation, which solves this Prisoner's dilemma and helps operators to get more than the product description, is something very useful. And, I think at PHYSEC, we developed an important piece of the puzzle of technology to do this in a very smart way. And together with CGI, we can provide a holistic approach to this entire topic.

Cybersecurity ROI: Mapping fines, risks and cyber spend

Andrea Grad:

That makes a lot of sense. I think that is a great synergy we've created between PHYSEC and CGI. I want to come back to the point where you mentioned cost savings earlier, with fines of up to 15 million euros or the equivalent of 2.5% of the global turnover on the table. How do you think organizations can map these risks against current cyber spend to make the business case?

Christian Zenger:

I think this is one of the most interesting questions to answer. The standard answer is you need business case argumentation for your cybersecurity investments, which is not just risk-based quantization, but also provides the potential fees you need to pay if you don't do it in a proper way. So, what you will do is a risk analysis where you say the attack scenarios lead to problems with the production, with the contracts, with the responding, or building, fixing the systems, and making a list of the biggest risks and costs and how much you invest. This is, let's say, the standard answer to this. But there are also security solutions that provide functional advantages. For example, the zero-trust architecture helps you troubleshoot. It's easier to fix problems if you have a zero-trust architecture. Or single sign-on security features reduce the login effort you have. A third example is security information and event management, like a SIEM system, which can also be used for predictive maintenance because you are getting a lot of log files in a converged approach from the physical information. And, this is something we are offering together with CGI. And these are functional advantages you're getting with security.

Shared evidence repositories: Reducing audit burden and compliance costs

Andrea Grad:

That sounds great. And do you think that shared evidence repositories between device makers, integrators, and DSOs might also help reduce audit duplication and compliance costs?

Christian Zenger:

Yeah, absolutely. Risk analysis is one of my favorite topics here because it's a lot of work to do this; and sharing them, of course, in a pseudonymized way, not offering and publishing your internal IP addresses. Providing this kind of audit reports, risk analyses, etc. will have a huge impact on reducing cost and improving efficiency. And as I said earlier, I also think that this will be something like a byproduct by the vendors. In the future, when you buy a product, you will get some information about the security of this product from the vendor anyway. But internally, the vendor is forced to develop more documentation, again, risk analysis. So, this is something I think the vendors will sell together with the products in the future. Additionally, I also believe that institutions like, in Germany, the BSI will also provide some knowledge bases like this.

Advice for utilities leaders: Partnering for innovation and security

Andrea Grad:

Thank you for those insights, Christian. Now we've spent a lot of time discussing the current situation, but if we were to jump into action, if you were to put yourself in the shoes of the decision-makers in the energy and utilities sector, what piece of advice would you give them if they were considering new digital initiatives?

Christian Zenger:

In the role of a professor, I would recommend looking for a very strong academic partner, like a chair professor at a university, because as I said earlier, we are strong here in Germany and of course also in other European countries. Ask them for help, see how they can bridge the gap between the vendors and the operators from a very neutral position. They will not just offer you the standard, old products, but also the new innovative and modern approaches. I think this is my number one advice.

Outlook 2030: Security, innovation and regulatory evolution

Andrea Grad:

That's the advice. Well, that sounds like there are a lot of different things to take into perspective. Now, if you were to say we've done all the research, we've talked to the academics, and we know everything that we need to know—if you wanted to look into the future, into 2030, knowing that you don't have a crystal ball, but what do you think? Where do the trends lead us?

Christian Zenger:

I think currently our regulation is not really accelerating innovation. So, in a dystopic book, I would say maybe a lot of things we are working on today are still our topics in five years, and it seems to be not unrealistic. However, a positive scenario will be that this kind of regulation will be changed in the way that innovation gets accelerated, and you are able to use technologies which are 21st century, but without any compromise of security. You know, they are as secure as the current solutions, and with this, we will get the entire thing. Yeah, we will get price-dynamic tariffs, being able to use the battery also to charge back to the grid, and all the different ideas we have. But from my perspective, the key point is having a regulation which makes innovation possible.

Closing remarks: Strengthening the future of secure energy infrastructure

Andrea Grad:

Absolutely. Well, I thank you for your valuable insights for today, Christian. It sounds like there are still a lot of pieces that are already in place to make sure that we have a safe and secure cyber infrastructure. And there are still other things that we need to work on, but unfortunately for today, we've reached the end of the episode. Thank you, Christian, for joining us and sharing your valuable insights. And, of course, a big thank you to everyone who tuned in today. We hope you enjoyed the conversation. If you'd like to know more about how CGI and PHYSEC are shaping the future of secure energy infrastructures, visit our websites or connect with us on LinkedIn. We look forward to having you with us again next time. Thanks.