Critical infrastructure and cybersecurity

Critical infrastructure and cybersecurity

Traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks. This increasing digitalisation makes the energy system smarter and enables consumers to better benefit from innovative energy services. At the same time, digitalisation creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardises the security of energy supply and the privacy of consumer data.

Cybersecurity and challenges related to it are evolving at a rapid pace, which is why the European Commission has taken a series of measures to tackle it. Key among these is the establishment of a comprehensive legislative framework. The framework builds on the EU Cybersecurity strategy (JOIN (2013)01 final) and the Directive on Security of Network and Information Systems (the NIS Directive) (EU) 2016/1148 and has been reinforced by the Cybersecurity Package (JOIN (2017) 450 final) from September 2017, which also includes the Cybersecurity Act. 

Cybersecurity in the energy sector

Although there is a comprehensive overall legal framework for cybersecurity, the energy sector presents certain particularities that require particular attention:

  • Real-time requirements - some energy systems need to react so fast that standard security measures such as authentication of a command or verification of a digital signature can simply not be introduced due to the delay these measures impose.
  • Cascading effects - electricity grids and gas pipelines are strongly interconnected across Europe and well beyond the EU. An outage in one country might trigger blackouts or shortages of supply in other areas and countries.
  • Combined legacy systems with new technologies - many elements of the energy system were designed and built well before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and devices from the Internet of Things without being exposed to cyber-threats.

Tackling cybersecurity challenges

In April 2019, the European Commission adopted sector-specific guidance (recommendation C(2019)240 final and staff working document SWD(2019)1240 final)  to implement horizontal cybersecurity rules. This guidance aims to increase awareness and preparedness in the energy sector.

The Clean energy for all Europeans package can moreover help transform Europe’s energy systems while also maintaining a high level of security, not least in terms of reinforcing cybersecurity of the digital transformation in the energy sector. The regulation on risk preparedness will mandate Member States to include measures on cybersecurity in their national risk assessment plans whereas the new electricty requlation requires the Commission to develop a network code on cybersecurity in the electricy sector, which Expert Group 2 of the Smart Grids Task Force  was mandated to investigate further in 2017. Outside the scope of the package, the regulation on gas security of supply also includes provisions to consider cybersecurity as part of Member States' national risk assessments.

Since cooperation and trust among stakeholders and among Member States is key when it comes to cybersecurity, due to the potential cascading and cross-border effects, the Commission is working to raise awareness and to promote broad discussions in the energy sector. To that end, in June 2018 the Commission initiated a dedicated work stream on energy under the NIS Cooperation Group, which was established in the NIS Directive and which aims to exchange best practices between Member States on identification, mitigation and management of cyber risks. Additionally, the Commission has organised  a roundtable meeting on cybersecurity in energy in Rome in March 2017 and a high-level event on cybersecurity in the energy sector in Brussels in October 2018.

The Commission also works with the European Energy–Information Sharing Analysis Centre (EE-ISAC), which helps utilities improve the cybersecurity and resilience of their grid by enabling trust-based data and information for sharing.