Energy

Critical infrastructure and cybersecurity

Traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks. This increasing digitalisation makes the energy system smarter and enables consumers to better benefit from innovative energy services.

At the same time, digitalisation creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardises the security of energy supply and the privacy of consumer data.

Cybersecurity and the challenges related to it are evolving at a rapid pace, which is why the European Commission has taken a series of measures to tackle them. Key among these is the establishment of a comprehensive legislative framework that builds on

Cybersecurity in the energy sector

The Special Eurobarometer 492, carried out in 2019, shows that 86% of EU citizens agree there should be more cooperation on cybersecurity in the field of energy between EU countries to ensure access to secure energy.

The far-reaching EU Security Union Strategy, presented in July 2020, aims to ensure European security in both the physical and the digital world in all parts of society. Acknowledging the need for sector specific initiatives, particularly in the energy sector, the strategy outlines an upcoming initiative to make critical energy infrastructure more resilient against physical, cyber and hybrid threats. This will ensure a level playing field for energy operators across borders.

Although there is a comprehensive overall legal framework for cybersecurity, the energy sector presents certain particularities that require specific attention:

Real-time requirements

Some energy systems need to react so fast that standard security measures, such as authentication of a command or verification of a digital signature, simply cannot be introduced due to the delay these measures impose.

Cascading effects 

Electricity grids and gas pipelines are strongly interconnected across Europe and well beyond the EU. An outage in one country might trigger blackouts or shortages of supply in other areas and countries.

Combined legacy systems with new technologies

Many elements of the energy system were designed and built well before cybersecurity considerations came into play. This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and devices from the 'Internet of Things' without being exposed to cyber-threats.

Tackling cybersecurity challenges

To increase awareness and preparedness in the energy sector, the Commission adopted sector-specific guidance in April 2019. This guidance, presented in a Recommendation and a staff working document, helps implement horizontal cybersecurity rules.

Moreover, the Clean energy for all Europeans package, adopted in 2019, will help transform Europe’s energy systems, while also maintaining a high level of security, not least in terms of reinforcing cybersecurity of the digital transformation in the energy sector.

Outside the scope of the package, the Regulation on gas security of supply ((EU) 2017/1938) also includes provisions to consider cybersecurity, as part of EU countries’ national risk assessments.

Network code on cybersecurity 

The Regulation on Risk Preparedness mandates EU countries to include measures on cybersecurity in their national risk assessment plans, whereas the Electricity Regulation requires the Commission to develop a network code on cybersecurity of cross-border electricity flows. In 2019, the Smart grids task force expert group 2 published recommendations on the implementation of the regulation. In addition, ACER is requested to participate in the development and adoption process of the code set for 2022.

To carry out preparatory work on the network code, the Commission set up a drafting team of relevant stakeholders in February 2020. The work concluded with a technical report that puts forward recommendations to the Commission and identifies areas that need to be addressed, such as

  • cross border cyber risk assessment and management
  • ISO/IEC 27001 certification or proof of equivalence
  • common functional and non-functional security controls and requirements
  • an assurance scheme and information sharing

This report, together with the Smart grids task force report, will help develop the network code and is published to ensure full transparency. For questions or feedback, you can contact the drafting team on nccs.feedback@entsoe.eu and ener-security@ec.europa.eu.

Since cooperation and trust among stakeholders and EU countries are key when it comes to cybersecurity, due to the potential cascading and cross-border effects, the Commission is working to raise awareness and to promote broad discussions in the energy sector. To that end, the Commission has set up specific work efforts on cybersecurity in the energy sector under the NIS Cooperation Group, which was established in the NIS Directive and which aims to exchange best practices between EU countries on identification, mitigation and management of cyber risks.

Meetings and events

The Commission has organised 3 big events on cybersecurity in energy

The Commission also works with the European Energy–Information Sharing Analysis Centre (EE-ISAC), which helps utilities improve the cybersecurity and resilience of their grid by enabling trust-based data and information sharing.
