Theft Alert: European Commission releases report on cybersecurity in the energy sector

European Commission releases report on cybersecurity in the energy sector

Digital technologies are playing an increasingly important role in energy infrastructure. A smarter energy system can control energy production, transmit information about consumption and monitor demand with better precision and faster response. However, as grid operations become increasingly more automated and are connected to the internet or other computer networks involving two-way communications, they also become more vulnerable to cyberattacks. This highlights the need for advanced measures to enhance cybersecurity for the transforming grid.

In Europe, power grids are closely interconnected across the continent. According to cybersecurity experts, “An interconnected system is just as robust as the weakest part of it.” The Ukraine power grid attack in 2015 demonstrated the potential impact of cyberattacks on the power subsector. Therefore, it is crucial to protect Europe’s energy infrastructure from possible security breaches and cyberattacks that could result in information theft, security issues and blackouts across several regions.

Given this background, in February 2017, the European Commission (EC) published a new report titled “Cyber Security in the Energy Sector – Recommendations for the European Commission on a European Strategic Framework and Potential Future Legislative Acts for the Energy Sector”, also known as the EECSP report on cybersecurity. The EECSP report helps identify areas where there is a need for appropriate actions to improve cybersecurity and manage related risks for energy infrastructure. The report was prepared by the EC’s Energy Expert Cyber Security Platform (EECSP) group, which guides the commission on infrastructural issues, security of supply, smart grid technologies and nuclear energy.

The EECSP report also discusses the challenges and specific requirements for improving cybersecurity in four key areas: management of risks and threats, cyber defence, cyber resilience, and the capacity and competencies needed to take action. In the report, the EECSP expert group suggests that the EC should analyse potential threats to cybersecurity within the European Union (EU) region and find ways to combat them. The commission has also been asked to encourage the EU energy regions to cooperate and share information about cybersecurity risks. In addition, the EC should set up a cyber response framework for the energy sector, in order to be prepared for potential attacks, and take measures to improve the resilience of the energy infrastructure to withstand possible security breaches.

A look at the key findings from the report related to cybersecurity in Europe’s power sector.

Cybersecurity challenges facing EU’s power sector

The European power market is undergoing significant transformation. With the increasing shift towards renewable energy and digitalisation of technologies, the new market players are using applications with a high degree of integration between demand and supply. With these ongoing changes, cybersecurity has to keep pace with the increasingly sophisticated cyberthreats.  However, there are various challenges associated with cybersecurity in the power sector. Some of the key challenges are as follows:

  • Grid stability in a cross-border interconnected network: The power grid in Europe is strongly interconnected across the regions. Consequently, energy reliability at the European level depends on the trans-European connectivity. Failure in one power system has a cascading effect across other regions. This was observed in a major blackout in Europe in 2006, caused by a planned disconnection of a high voltage line. Interconnectivity in Europe is not just limited to EU member countries, as non-EU countries such as Norway and Switzerland are also connected to the European power network. Therefore, a major challenge for ensuring the cybersecurity of the interconnected grid arises from the “weakest link” problem, which results in the potential cascading impact across regions. In other words, network operators with low maturity in cybersecurity bear a higher risk of cascading blackout than operators with high maturity in cybersecurity.
  • Protection measures addressing current threats and risks: The investment cycles in the power sector usually follow the lifespan of primary equipment such as transformers and generators. This equipment has a relatively longer lifespan, ranging from 15 to 40 years, as compared to automation and control equipment, which has a lifespan of only up to 15 years. Therefore, to manage power systems more effectively and use the new and existing (ageing) infrastructure more efficiently, utilities are deploying information and communication technology (ICT) in the grid system. While the integration of ICT components is important to modernise the power sector and realise its benefits, the same-networked technologies add complexity and introduce new interdependencies and potential vulnerabilities. Further, threats and risks are evolving and the legacy systems and devices used in the network do not necessarily comply with up to-date operational and/or security standards. Besides, cybersecurity in a multi-vendor environment requires interoperability where components should rely on the same set of security standards depending upon the area of operation. This is a major challenge facing energy systems.
  • Managing cyberattacks within the EU: Cyberattacks are not limited to geographical borders. Several aspects are taken into consideration when handling cyberattacks within the EU. These include the capabilities to identify, detect, respond and recover from a cyberattack; whether the threat agents are state or non-state actors such as insiders, script-kiddies, experienced hackers, hacker groups, organised crime, activists or terrorists; crisis management capabilities; cyber response capabilities; cyberattack investigation capabilities and attribution of those attacks. With increasing threats, operators are expected to focus on the operational environment, protect the systems and detect potential attacks. For instance, the Ukraine power grid attack was undetected for a long period of time and only discovered after the strike by the attackers. Therefore, handling cyberattacks and managing them at all stages is a complex task involving a variety of stakeholders, and is one of the major challenges for ensuring cybersecurity in the power sector.
  • The design of the existing power grid is not capable of withstanding cyberattacks: The power sector across EU states has been designed to ensure greater reliability. It was never designed to withstand cyberattacks and as a result, it is not capable of anticipating such attacks and therefore cannot ensure the planned reliability in power supply in case of such events. Thus, the design basis of the power sector in Europe is another key challenge for maintaining cybersecurity.
  • Introduction of new technologies and services for interconnected systems: The EU member countries are witnessing the modernisation of power infrastructure aimed at increasing energy, operational efficiency and reliability. The sector has been witnessing digitisation driven by the growing use of renewable sources, storage, e-mobility, microgrids, distributed generation, etc. With the introduction of new, highly interconnected technologies and services such as the integration of internet of things in devices and cloud services with 24×7 operations, the complexity of the networks has been increasing. In this context, the challenge is rooted in the transition to digital utilities, which are becoming increasingly data driven and where big data analytics is expected to become a part of their primary processes.
  • Outsourcing of infrastructure and services: Power utilities across EU states are becoming increasingly dependent on data services (for instance cloud) and dedicated telecommunication networks to improve the operational efficiency of their systems. As a result, the highly reliable power sector is becoming dependent on other sectors. However, for the energy sector, it is important to have clearly defined levels of quality of service such as latency and real-time. This is important to support the availability and control of energy solutions. Therefore, outsourcing of infrastructure and services requires appropriate rules to manage the risks.
  • Integration of components used in grid infrastructure: Another important challenge is protection against corrupted components that might have backdoor capabilities. Such functions are extremely difficult to discover and might be challenging for the power sector. In addition, the integrity of components is not just limited to software-based systems but also applies to electronic hardware components. Along with the grid-related infrastructure, this challenge is based on the security components that protect the energy sector. The vulnerability of such components can directly expose the sector to cyber conflicts and attacks.

Apart from these challenges, cybersecuirty in Europe is facing other issues as well. One of the major challenges arises due to the high interdependence amongst market players, which is also reflected in the dynamic pricing of energy. In such a scenario, potential operational disruptions are caused directly by the distribution system operator or indirectly by the virtual power plant operator. Besides, there is a dearth of skilled labour for cybersecurity management. This is because there are no specialised programmes/courses on cybersecurity. Power grids across EU member countries have strong real-time requirements to ensure the security of supply. As a result, cybersecurity measures are not allowed to impact or delay grid operations. Therefore, there is an urgent need to have security controls and measures that can optimise the real-time and availability requirements of the power sector.

Strategic areas for improving cybersecurity within EU

The EECSP report points out the strategic areas of potential interventions that help address the above-discussed challenges. These are mentioned below:

  • European threat, risk landscape and treatment: The EECSP expert group has emphasised that the EU member countries should analyse the common threats and risk landscape. Their aim should be to understand and address the threats and risks associated with the power systems. The identified landscape should be updated regularly and should serve as a common base to safeguard the central grid along with the data protection rights of European citizens. In order to ensure a dynamic and well-integrated power system, the non-EU members should also be involved in the threat and risk landscape. The EU should focus on avoiding, mitigating, transferring and accepting threats and risks that are based on an actual and more global threat and risk landscape.
  • Identification of operators of essential services: This strategic move encourages the EU to identify operators of essential services in order to harmonise the process among member countries and to address the weakest link problem in an interconnected power grid.
  • Cyber response framework: In case of cyberattacks, there is a need to have a federal or regional approach. Moreover, coordinated actions must be taken across the member countries. This might involve agencies such as the North Atlantic Treaty Organisation (NATO) and Organisation for Security and Co-operation in Europe. However, as NATO member countries and EU member countries do not correspond, the EU is expected to consider countries not included in the NATO alliance but that are connected with the European grid. Therefore, a cyber response framework must include diplomatic means to reduce tensions, and there should be an efficient coordination and information exchange mechanism between the attacked parties.
  • Crisis management: The criticality of a well- functioning grid and its impact on society highlights the need to coordinate emergency plans and practices in cyber exercises. The major challenge for establishing crisis management techniques stems from the inefficacy of communication technologies, which cannot be used without energy.
  • European cybersecurity maturity framework: The interdependency of the grid requires harmonisation of respective systems across the EU. A well-equipped tool to define and develop the protection level of the power grid should be developed in accordance with international standards. The EECSP expert group has also highlighted that a mature framework would enable and promote the use of cyber insurance as a mechanism to cover potential damages caused by cyberattacks. Such a framework might result in a lower insurance cost. Besides, an appropriate cybersecurity maturity framework can address several challenges. For instance, by establishing a common baseline for cybersecurity, the weakest link problem, which is common in an integrated power system, can be avoided.
  • Supply chain integrity framework for components: To address the challenges associated with hidden functions and backdoor capabilities in the components of high voltage equipment, an EU supply chain integrity framework for components and suppliers is required. This is more relevant for components with associated high potential impact.
  • Capacity and competence build-up: To address the scarcity of skilled labour, there is a need to introduce capacity and competence building programmes. Such programmes can include the creation of partner networks, training and skill certification programmes, academic programmes, and promotion of specific grants and research programmes covering energy and cybersecurity as their core topic.
  • Best practices and information exchange: Evolving technologies in an interdependent energy market can benefit from the practice of information sharing. This practice can help avoid pitfalls by sharing experience. Further, the exchange of sensitive information on incidents such as cyberattacks can help operators protect their networks proactively. For instance, information sharing through the energy Information Sharing and Analysis Centre can support the overall objective of a resilient energy network by increasing the knowledge of the involved stakeholders.
  • Foster international collaboration: Cybersecurity is not limited to geographical borders and has an international bearing. Thus, the EU should pursue international collaboration and alliances in order to build a reliable and strong network of partners to help protect the European infrastructure. This is because the exchange of information with international organisations can help protect the energy sector.
  • Awareness campaign from top-level EU institutions: According to cybersecurity experts, there remains a lack of awareness regarding cybersecurity. However, effective management and cooperation within the EU requires a good understanding of what is at stake and why there is a need for collaborative efforts. EU member countries should thus understand the need for a joint effort on cybersecurity. Particularly, top-level EU institutions should take steps to protect and increase the resilience of the power grid. For instance, a structured and focused awareness campaign should be launched to emphasise and foster collaboration among member countries.

Conclusion and the way forward

The European power sector is undergoing significant transformation in terms of technology, infrastructure, market structure and cybersecurity. With increasing cyberthreats, grid assets are becoming increasingly vulnerable to disruptive or destructive attacks. In order to meet the current and future cybersecurity needs, the strategic priorities identified by the EECSP report suggest the preparedness and maturity of organisations rather than demanding specific cybersecurity functionalities. It recommends that the EC should encourage the establishment of a well-equipped framework that allows an efficient, holistic and effective approach to manage cybersecurity in the EU. Going forward, the EU’s energy transition to digital utilities will require more focus on the cybersecurity risks and competencies of the changing environment.