The energy sector is having a tumultuous decade. During the COVID pandemic, the price of oil plummeted. In 2021, a ransomware attack forced one of the US’s most significant oil pipelines to cease operations for five days, causing a state of emergency in seventeen states. Putin’s war in Ukraine has disrupted natural gas supplies across Europe. And now, it seems, it is the electricity providers’ turn to suffer a blow.
On March 11th, 2024, the European Commission adopted new cybersecurity rules—the EU network code on cybersecurity for the electricity sector (C/2024/1383)—to “establish a recurrent process of cybersecurity risk assessments in the electricity sector.” If you’re a cybersecurity professional, this news is cause for celebration; if you’re an electricity provider, maybe not so much.
How We Got Here
Since 2019, the EU has significantly improved critical infrastructure cybersecurity. In 2019, the Commission adopted sector-specific guidance, presented in a Recommendation and a staff working document, to help energy providers adopt horizontal cybersecurity rules. In the same year, the Commission adopted the Clean Energy for All Europeans package, reinforcing the cybersecurity of digital transformation in the energy sector.
In 2020, the EU Commission set out its EU Security Union Strategy, which acknowledged the need for sector-specific initiatives in the energy sector and outlined an upcoming initiative to make critical energy infrastructure more resilient against physical, cyber, and hybrid threats.
As you can see, the EU network code on cybersecurity for the electricity sector continues the EU’s commitment to improving critical infrastructure cybersecurity. It comes amid an increasingly tense geopolitical environment in which cyberattacks are leveraged more often.
The Network Code
The new network code is the EU’s attempt to standardize cybersecurity risk assessments in the electricity sector. It establishes a governance model that aligns with the EU’s existing Network and Information Security Directive (NIS2) to systematically identify the “entities that perform digitalized processes with a critical or high impact in cross-border electricity flows, their cybersecurity risks, and then the necessary mitigating measures that are needed.”
It aims to:
- Establish rules concerning the governance of cybersecurity aspects of cross-border electricity flows to ensure the reliability of the electricity system and the close collaboration with existing governance structures for cybersecurity.
- Determine common criteria for performing cybersecurity risk assessments for the operational reliability of the electricity system about cross-border electricity flows.
- Promote a common electricity cybersecurity framework and, by that, foster a common minimum electricity cybersecurity level across the Union.
- Provide mechanisms in order to assess the application of the minimum and advanced cybersecurity controls on systems that can affect cross-border electricity flows.
- Establish information flows by establishing rules for the collection and sharing of information in relation to cross-border electricity flows, compatible with other national and EU legislation.
- Establish effective processes to identify, classify, and respond to cyber-attacks impacting the cross-border flows of electricity.
- Set up effective processes for the management of cross-border electricity crises related to cyber-attacks.
- Define common principles for electricity cybersecurity exercises to increase resilience and improve the risk preparedness of the electricity sector.
- Protect the information exchanged under this Regulation.
- Determine a process for monitoring the implementation of this Regulation to assess the effectiveness of investments in cybersecurity protection and to report on the progress of cybersecurity protection across the Union.
- Ensure that the recommendations on the cybersecurity procurement specifications with relevance for cross-border electricity flows are not detrimental to innovation, new systems, processes and procedures.
Key Takeaways
The new network code is the EU’s attempt to standardize cybersecurity risk assessments in the electricity sector. It establishes a governance model that aligns with the EU’s existing Network and Information Security Directive (NIS2) to systematically identify the “entities that perform digitalised processes with a critical or high impact in cross-border electricity flows, their cybersecurity risks, and then the necessary mitigating measures that are needed.”
The main takeaway for electricity providers is that they must carry out assessments every three years to identify cyber risks and implement protections to prevent significant problems. Perhaps more important, however, is that suppliers to electricity providers are also subject to these rules; this will likely significantly increase the security of electricity supply chains. Similarly, power equipment manufacturers must design equipment with cybersecurity in mind.
These provisions will likely stretch electricity provider resources further than they already are. The energy sector is already in crisis, and these rules will exacerbate the problem, albeit for a worthy cause.
However, the truly encouraging element of this legislation—for cybersecurity professionals at least—is its information-sharing provisions. The network code mandates that cyber regulators in each EU country share information with other member states within 24 hours of a company disclosing a breach and share information about vulnerabilities that affect the electricity sector.
Again, these information-sharing laws will be welcome news to cybersecurity professionals. Far too often, information about threats, attacks, and vulnerabilities is siloed where it isn’t of any use.
However, these provisions will be an unwelcome development for some electricity providers: in many cases, organizations are reluctant to share information about a breach because it would give their competitors an advantage. Essentially, if an electricity company suffers a cyberattack—from their perspective at least—it would be preferable for their competitors to suffer one, too. The EU’s network code prevents them from withholding information that would make that more likely.
All in all, while electricity providers may struggle to find the necessary resources for compliance, the EU network code on cybersecurity for the electricity sector will undoubtedly improve critical infrastructure cybersecurity at a time when it is sorely needed.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.