The energy sector is having a tumultuous decade. During the COVID pandemic, the price of oil plummeted. In 2021, a ransomware attack forced one of the US’s most significant oil pipelines to cease operations for five days, causing a state of emergency in seventeen states. Putin’s war in Ukraine has disrupted natural gas supplies across Europe. And now, it seems, it is the electricity providers’ turn to suffer a blow.
On March 11th, 2024, the European Commission adopted new cybersecurity rules—the EU network code on cybersecurity for the electricity sector (C/2024/1383)—to “establish a recurrent process of cybersecurity risk assessments in the electricity sector.” If you’re a cybersecurity professional, this news is cause for celebration; if you’re an electricity provider, maybe not so much.
Since 2019, the EU has significantly improved critical infrastructure cybersecurity. In 2019, the Commission adopted sector-specific guidance, presented in a Recommendation and a staff working document, to help energy providers adopt horizontal cybersecurity rules. In the same year, the Commission adopted the Clean Energy for All Europeans package, reinforcing the cybersecurity of digital transformation in the energy sector.
In 2020, the EU Commission set out its EU Security Union Strategy, which acknowledged the need for sector-specific initiatives in the energy sector and outlined an upcoming initiative to make critical energy infrastructure more resilient against physical, cyber, and hybrid threats.
As you can see, the EU network code on cybersecurity for the electricity sector continues the EU’s commitment to improving critical infrastructure cybersecurity. It comes amid an increasingly tense geopolitical environment in which cyberattacks are leveraged more often.
The new network code is the EU’s attempt to standardize cybersecurity risk assessments in the electricity sector. It establishes a governance model that aligns with the EU’s existing Network and Information Security Directive (NIS2) to systematically identify the “entities that perform digitalized processes with a critical or high impact in cross-border electricity flows, their cybersecurity risks, and then the necessary mitigating measures that are needed.”
The main takeaway for electricity providers is that they must carry out assessments every three years to identify cyber risks and implement protections to prevent significant problems. Perhaps more important, however, is that suppliers to electricity providers are also subject to these rules; this will likely significantly increase the security of electricity supply chains. Similarly, power equipment manufacturers must design equipment with cybersecurity in mind.
These provisions will likely stretch electricity provider resources further than they already are. The energy sector is already in crisis, and these rules will exacerbate the problem, albeit for a worthy cause.
However, the truly encouraging element of this legislation—for cybersecurity professionals at least—is its information-sharing provisions. The network code mandates that cyber regulators in each EU country share information with other member states within 24 hours of a company disclosing a breach and share information about vulnerabilities that affect the electricity sector.
Again, these information-sharing laws will be welcome news to cybersecurity professionals. Far too often, information about threats, attacks, and vulnerabilities is siloed where it isn’t of any use.
However, these provisions will be an unwelcome development for some electricity providers: in many cases, organizations are reluctant to share information about a breach because it would give their competitors an advantage. Essentially, if an electricity company suffers a cyberattack—from their perspective at least—it would be preferable for their competitors to suffer one, too. The EU’s network code prevents them from withholding information that would make that more likely.
All in all, while electricity providers may struggle to find the necessary resources for compliance, the EU network code on cybersecurity for the electricity sector will undoubtedly improve critical infrastructure cybersecurity at a time when it is sorely needed.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.