The energy industry has had a tumultuous decade. Oil prices plummeted during the COVID-19 pandemic. In 2021, a ransomware attack forced one of the U.S.'s most important oil pipelines to shut down for five days and prompted states of emergency to be declared in 17 states. Putin's war in Ukraine disrupted natural gas supplies across Europe. And now it looks like power companies are taking a hit.
On March 11, 2024, the European Commission adopted a new cybersecurity regulation, the EU Network Code on Cybersecurity in the Power Sector (C/2024/1383), to establish a regular process for cybersecurity risk assessment in the power sector. If you’re a cybersecurity expert, this news is welcome news, but maybe not so much for electricity suppliers.
How We Got Here
Since 2019, the EU has significantly improved the cybersecurity of its critical infrastructure. In 2019, the European Commission adopted sector-specific guidance presented in a recommendation and staff working document to help energy suppliers adopt cross-cutting cybersecurity rules. In the same year, the Commission adopted the “Clean Energy for All Europeans” package, strengthening cybersecurity for the digital transformation in the energy sector.
In 2020, the EU Commission developed the EU Security Union Strategy, acknowledging the need for a sectoral initiative in the energy sector and outlining upcoming initiatives to make critical energy infrastructure more resilient against physical, cyber and hybrid threats.
As you can see, the EU Network Code on Cybersecurity in the Power Sector continues the EU’s efforts to improve cybersecurity of critical infrastructure. It comes in an increasingly tense geopolitical environment where cyber attacks are being used more frequently.
Network Code
The new Network Code is the EU's attempt to standardize cybersecurity risk assessment in the electricity sector. The Code establishes a governance model in line with the EU's existing Network and Information Security Directive (NIS2) to systematically identify “entities carrying out digitalization processes with significant or significant impacts on cross-border electricity flows, their cybersecurity risks and the necessary mitigating measures.”
The objectives are as follows:
- Establish rules on the governance of cybersecurity aspects of cross-border electricity flows to ensure close coordination with existing governance structures on power system reliability and cybersecurity.
- Determine common criteria for conducting cybersecurity risk assessments on the operational reliability of the power system for cross-border electricity flows.
- Promote a common electricity cybersecurity framework, thereby promoting a common minimum level of electricity cybersecurity across the EU.
- Provide a mechanism for assessing the application of minimum and advanced cybersecurity controls to systems that may affect cross-border electricity flows.
- Establish information flows by establishing rules for the collection and sharing of information related to cross-border electricity flows, consistent with other national and EU law.
- Establish effective processes for identifying, classifying, and responding to cyber attacks that affect cross-border electricity flows.
- Establish effective processes for managing cross-border electricity crises related to cyber attacks.
- Define common principles for electricity cybersecurity exercises to increase the resilience of the power sector and improve risk preparedness.
- Protect the information exchanged under this Regulation.
- Determine a process for monitoring the implementation of this Regulation in order to assess the effectiveness of investments in cybersecurity protection and to report on progress in cybersecurity protection across the EU.
- Ensure that recommendations on cybersecurity procurement specifications related to cross-border power flows do not negatively impact innovation, new systems, processes, and procedures.
Key Takeaways
The main takeaway for utilities is that they will need to conduct assessments every three years to identify cyber risks and put in place safeguards to prevent major issues. But perhaps more importantly, utilities' suppliers will also be subject to these rules, which could significantly improve the security of the power supply chain. Similarly, power equipment manufacturers will need to design their equipment with cybersecurity in mind.
These provisions will likely put even more strain on utility resources: the energy sector is already in crisis, and these rules, however well-intentioned, will make the problem worse.
But the really encouraging element of the law, at least for cybersecurity experts, is its information-sharing provisions. The Network Code requires national cyber regulators in the EU to share information with other member states within 24 hours of a company disclosing a breach, and to share information about vulnerabilities affecting the power sector.
Again, these information-sharing methods will be good news for cybersecurity professionals, as information about threats, attacks and vulnerabilities is too often siloed in places where it's not useful.
But these provisions will be an unwelcome development for some utilities. Companies are often hesitant to share information about breaches because it could give their competitors an advantage. Essentially, if a utility suffers a cyberattack, it would be better, at least from the utility's perspective, if its competitors were to suffer a cyberattack as well. The EU Network Code prohibits utilities from concealing information that increases their vulnerability to cyberattack.
Overall, while utilities may struggle to find the resources they need to comply, the EU Network Code on Cybersecurity in the Power Sector will undoubtedly improve cybersecurity of critical infrastructure at a time when it is sorely needed.
Editor's note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.