Kristian Ruby of EURELECTRIC discusses the need to make cybersecurity a part of the European energy sector’s DNA
As cyber threats are getting increasingly sophisticated, cybersecurity is high on the European energy sector’s agenda. Finding itself in the midst of a digital revolution, the energy companies are looking to preserve the availability and integrity of their networks and infrastructure. In order to avoid loss of data, blackouts and invasion of privacy, as well as protect their integrity, companies – and especially network operators – have to better understand the number of facets of the cybersecurity landscape. As society’s dependence on digital technologies and digital infrastructure continues to grow, the energy sector must strengthen its cybersecurity strategy, define specific requirements to put that into practice and develop new competencies.
Cybersecurity in the mainstream
Evidence shows that cyber threats and their impacts are increasing worldwide, and with the growing interdependency between systems and telecom networks, vulnerability can be exploited by criminals. An example would be the incident that happened in Ukraine in December 2015, when at least eight energy distribution companies were attacked. The incident resulted in power failures that affected 225,000 customers; although the attack was not technically sophisticated, it took months of planning. This shows how knowledgeable hackers are becoming in regards to network operational systems. However, Ukraine is not an isolated case. Turkey and Israel have also experienced similar cyber-attacks in the past two years.
For the energy sector, a blackout can result in direct and indirect impacts. Business shutdowns, food spoilage, damage to electronic data and equipment, the inability to operate life-support systems in hospitals and the loss of functionality of critical infrastructures such as wastewater treatment plants are just a few examples of what could happen in case of a cyber-attack. Given the reliance of modern economies on cyber infrastructures, ensuring their security has become the main priority of governments and companies as this may have implications for the protection of economies and businesses alike.
EU-level frameworks to counter cyber threats
Currently, the European Commission is preparing a strategy on cybersecurity for the entire energy sector to reinforce and complement the implementation of a directive on the security of network and information systems (NIS) at the energy sector level. This action also intends to foster synergies between the Energy Union and the Digital Single Market (DSM) agenda.
Andrus Ansip, the vice-president for the DSM, said this year that cybersecurity is of major importance. He specified that Europe’s digital economy will only bring benefits to its citizens if they can be sure of its security. Meanwhile, Carlos Moedas, the commissioner for research, science and innovation, added that citizens need confidence in the DSM and the opportunities offered by digital technologies for better services and innovation. Citizens need to feel confident that their privacy is protected when they do business online, to enable growth and new business, and at the same time ensure that fundamental rights and values are protected.
In this sense, the European Commission has mandated the Energy Expert Cyber Security Platform (EECSP) to address the challenges in the energy sector and propose a strategic framework to overcome the threats and the areas of risk management.
Moreover, in July 2016, the European Commission and the European Cyber Security Organisation (ECSO) signed the first European public private partnership on cybersecurity. By 2020, it is expected to generate €1.8bn in investments. This partnership will not only improve the capacity and ability to fight cyber-attacks, but will also make Europe’s cybersecurity sector more competitive against a growing digital economy.
With the release of the clean energy package at the end of 2016, the European Commission took another strong stance in advocating the smartening of European grids and homes. However, as grids get smarter and customers become more connected, the network also becomes more vulnerable and security requirements more challenging.
What more could we do?
With cybersecurity policy at a turning point, the EU and member states should first strive to achieve a cybersecurity culture. This can be realised only with the support of European and national authorities, and by making cybersecurity a top priority at the highest level of management, facilitating its inclusion in the company’s strategy and enabling proper investment to allow sufficient resources and awareness at all levels. Companies should also become aware that cybersecurity is not only a technical matter but also an operational and organisational one. In other words, it is not enough for a company to protect its infrastructure, but it should develop processes and train employees with a cybersecurity-oriented mindset.
In order to protect customers and have a better and faster response to cyber-attacks, all companies – network operators in particular – should have a defined process about how to act. Intrusion detection systems and processes are the cornerstone of cybersecurity when it comes to network operators. Such processes should consist of cybersecurity incident prevention and protection, incident mitigation and response, recovery and ex post incident investigation and improvement.
To achieve cybersecurity across the electrical grid throughout Europe, network operators should have a well-structured cybersecurity strategy based on risk assessment schemes, including breach detection and response capability, to minimise the damage. Moreover, compliant companies should also naturally raise awareness, particularly among middle- and top-level management.
As regulated entities that deal with critical infrastructures, distribution system operators (DSOs) are also encouraged to develop competencies connected with cybersecurity in their core business and adopt advanced technologies and mature procedures in order to give a suitable response to any incoming threats.
Finally, information sharing is key to tackling cyber-attacks. All the documentation and reports generated at the end of a cyber-attack should be aggregated and used not only for legal purposes but also for training and information sharing with other relevant European partners and stakeholders, such as local national cybersecurity centres (NCSC), the National/Governmental Computer Emergency Response Teams (CERT), the European Union Agency for Network and Information Security (ENISA), energy regulators, and data protection authorities, etc. All this combined enables organisations to prevent and be better prepared for future incidents. Generally, national and international flows of information and best practice among energy firms play a key role in cybersecurity.
This article will appear in Pan European Networks: Smart Cities 1, which will be published in May 2017.