In our daily lives, we depend on the availability of energy. Without electricity, we cannot fill our cars with fuel, withdraw money, and use our credit cards or our mobile phones. The energy system is here to provide these basic services, and it is one of the most complex and largest infrastructures in Europe and the backbone of its economy.
This energy infrastructure has been undergoing very rapid changes in recent years in order to increase the share of renewable energy sources such as wind and sun, which are by nature more distributed and variable. Managing the networks to ensure a permanent match between consumption and production requires a continuously increasing degree of digitalisation. This increasing digitalisation has made the energy system smarter and now enables consumers to benefit more from innovative energy services. However, with an increasingly digitised energy system, and more and more home appliances connected to the grid, cybersecurity has become of paramount importance and a concern for all, with an increasing number of incidents in recent times
In cybersecurity, one size does not fit all. What might work in the internet will not be necessarily adequate in the energy sector. For example, there are energy components such as circuit breakers that need to react so fast that they have no time for standard security considerations, like authenticating a command or encrypting a connection. This makes the new digitised energy grid vulnerable to attacks.
In order to address these challenges, the Commission has adopted today a Recommendation that provides guidance on how to address the specific challenges of the energy sector on cybersecurity. It identifies the main actions required to preserve cybersecurity and be prepared to possible cyberattacks in the energy sector, taking into account the characteristics of the sector such as the real-time requirements, the risk of cascading effects, and the combination of legacy systems with new technologies.
In addition to the Recommendation, the Commission promotes information sharing at a higher-level via dedicated events, and fosters best practices among Member States, under a dedicated work stream on energy of the Cooperation Group established by the Network and Information Security Directive. This work stream brings together Member State Authorities from the cybersecurity and the energy side. Further, cooperation with the specialised entities such as the European Energy Information Sharing and Analysis Centre on cybersecurity (EE-ISAC) has also been enhanced.
The recently completed Clean Energy for All European Package also includes several measures that reinforce cybersecurity:
- The new regulation on electricity risk preparedness mandates Member States to develop national risk preparedness plans and coordinate their preparation at regional level, including measures to cope with cyber-attacks;
- The recast of the Electricity Regulation gives a mandate to the Commission to develop a network code on cyber security for the electricity sector in order to increase its resilience and protect the grid. Since 2017, a dedicated expert group is working to prepare the ground for such a network code.
Finally, the Gas Security of Supply Regulation (Regulation (EU) 2017/1938) requires Member States to consider cybersecurity as part of their common (regional) and national Risk Assessments and to develop measures to address cybersecurity risks.