Why is cyber security such an important topic for ACER and energy regulators?
Cyber incidents and attacks can disrupt energy-related essential services, e.g. by causing electricity blackouts or damage to existing infrastructure. A reliable energy system is the backbone of the economy. Energy supply powers industry and is essential to our daily lives (home, work, movement and entertainment).
The harmful effects of cyber incidents and attacks can be widespread, affecting individuals, organisations and communities. A cyberattack or cyber incident in one country can affect the EU's digitalised energy system in more than a single geographical area, and can also cause cascading effects.
Cybersecurity is so critical in energy that Europe's legislators have adopted a sector-specific approach to reinforce cyber security in electricity which applies in addition to the general cyber laws.
See ACER's Cybersecurity Glossary.
Cyber threats in energy are very real, and cyber incidents are increasing in frequency and in impact. In Ukraine, 225,000 people lost power in a 2015 cyberattack on the electricity grid infrastructure. For electricity systems, the threat of cyberattack is substantial and growing.
With heightened cyber threats, increasingly digitalised critical energy infrastructure is vulnerable to attacks. The very interconnectedness of assets across the energy system, if not cyber secure, makes them vulnerable to threats.
How does ACER contribute to cybersecurity?
ACER contributes to strengthening the cybersecurity of Europe's energy system in three main ways:
1. Advising on EU legislation and rules
ACER and national regulators provide expert advice on EU legislation and cyber rules relating to the energy sector.
In 2021, at the request of the European Commission, ACER is developing Framework Guidelines (under the Electricity Regulation) which will help shape a legally binding EU-wide Cybersecurity Network Code for Cross-Border Electricity.
ACER and regulators are actively engaged in European Commission Expert Groups.
2. Sharing information among energy regulators and capacity building
Since 2015, ACER and the national energy regulators have cooperated and shared information in a dedicated cybersecurity task force co-chaired by ACER and CEER:
Such collaboration covers issues such as cybersecurity preparedness, response, recovery planning, and regulatory approaches to drive prudent risk reduction efforts
Outputs include shared resources, reports and recommendations
This task force (and CEER training courses) supports ongoing capacity building with the aim of preventing, detecting, responding to, and recovering from cyberattacks
Factsheets, reports and papers are prepared and distributed to explain and explore complex and emerging cybersecurity topics of interest to the energy community, and to set out the position of regulators on the adoption of such principles and technologies
3. ACER's leading cyber experts contribute to EU and international collaboration
ACER's cyber specialists are leading global cyber security experts who foster best practices globally:
ACER and energy regulators engage with fellow international experts (e.g. NERC, EPRI and NARUC in the US) to share expertise and experience on issues such as standards, strategy and the prudency of investment
ACER engages with network operators and the EU Institutions and Agencies (e.g. ENISA, DG ENER and the Joint Research Centre), participating in the Commission's expert groups in developing European-wide cyber approaches
ACER engages with the standardisation community in order to use existing standards where they are available, or to strive for future standardisation efforts that may be needed for the efficient implementation of the Regulation
Is there a European approach to cyber security?
The EU works on various fronts to promote the efficient implementation of cyber resilience in all sectors of EU life. Europe has a cybersecurity strategy and cross-sectoral cyber security legislation (the 2016 NIS Directive, the 2019 Cybersecurity Act and a 2020 proposal to revise the original NIS Directive). The Cybersecurity Act standardises the certification of cybersecurity products at the European Union level and in the energy sector, and strengthens ENISA (the EU's agency that deals with cybersecurity).
Europe's 2019 energy laws complement Europe's horizontal cybersecurity legislation by reinforcing cybersecurity in electricity sector-specific legislation. In 2019, the European Commission also adopted a Recommendation on cybersecurity in the energy sector.
Both the recast (2019) Electricity Directive and Electricity Regulation contain cybersecurity measures. For example, the Electricity Directive deals with issues related to smart meters and cybersecurity. The Electricity Regulation provides for binding EU-wide rules in electricity, called a Cybersecurity Network Code. The Electricity Regulation also provides for a cybersecurity role for the new EU entity for Distribution System Operators (EU DSO entity).
Europe's general cyber laws (the NIS Directive on security of network and information systems) also apply, and energy is identified as a "critical" sector. Under the NIS Directive, "operators of essential services" includes those operators identified by the Member States as energy critical infrastructures. Hence most energy operators (in particular many electricity suppliers, many Distribution System Operators (DSOs) and all Transmission System Operators (TSOs)) are subject to its cyber security and notification requirements, and are required to assess cyber risks and to respect minimum standards that aim to mitigate risks, together with other obligations.
What will the new Cybersecurity Network Code cover?
These new sector-specific rules for cybersecurity will cover issues such as:
establishing methodologies and governance for electricity cross-border risk assessment
defining a set of common minimum cybersecurity requirements and standards applicable to all actors for the electricity markets
further development and orchestration of cybersecurity information collection and dissemination among all electricity community actors
reporting obligations