Scanning for threats: the cyber domain of the power sector

The EU energy sector is getting more and more digitalised, but as it does so, it should not leave cybersecurity behind. Digital solutions are powerful tools to achieve the EU’s energy transition goals, as they allow power utilities to optimise their operations with benefits for both customers and other stakeholders. However, “with great power comes great responsibility”. Digital systems, telecommunication equipment and sensors throughout the grid also provide entry points for cybercriminals, thus increasing power utilities’ exposure to cyberattacks.

Indeed, in the past few years the power sector has become a new top target for cybercriminals, forcing the EU to come up with targeted cybersecurity legislation on top of the overarching ones that are already in the implementation phase.

This week, we published our Cybersecurity Snapshot outlining the new and intensifying challenges of the digital age. Today we’re expanding on that and diving into the opportunities and threats to prevent in a digitalised energy system.

Cyber attacks are on the rise

Cyberattacks are the new weapon of modern warfare. Although cybersecurity incidents are still under-reported, we can already tell from publicly available information that cyberattacks on utilities have been growing rapidly since 2018 and reached alarmingly high levels in 2022 following Russia’s invasion of Ukraine.

According to EnergiCERT, the energy sector’s cyber security centre, since 2022 there have been 48 publicly known attacks against European energy and supply companies. One of the most famous ones is certainly last year’s attack against Danish critical infrastructure carried out by Russian hackers, which managed to gain access to the systems of 22 energy companies.

The benefits of a digitalised grid

As alarming as this might seem, this does not mean that we should not invest in a digitalised grid. On the contrary, digitalisation is the key to meeting the challenges and opportunities of a changing energy landscape. As our President and E.ON’s CEO Leo Birnbaum pointed out,

“If we don’t fully digitalise our infrastructure, we will not be able to run our energy systems in a stable way going forward. We won’t be able to manage a complex, decentralised system, with more variable generation and flexibility needs” - Leonhard Birnbaum, President of Eurelectric on June 14, 2023

Indeed, the current grid infrastructure and technology systems are decades old and not suited to use the many data points being added to the grid system. As more new players enter the grid ecosystem – electric vehicles, solar panels, heat pumps – digital technologies are key to managing the massive flow of data they will generate and optimising the system.

Take the example of smart meters: by sharing real-time data on the usage of electricity in homes or businesses, they can help manage peaks in electricity demand and accelerate electrification rates. On top of that, they can provide better service to customers thanks to improved billing accuracy and efficiency.

This is why one of the most important takeaways of our Wired for Tomorrow study, in partnership with Accenture, is that digitalisation is a no-regret decision for DSOs, since it unlocks benefits not only for them, but for all consumers.

On top of these efforts to make the grid ready to accommodate the incoming additional RES capacity, DSOs will also need to make sure that with all these new data points being added to the grid system, data can flow in an efficient, but also safe way.

How is Europe preparing?

Overall, European industries are investing slightly less in cybersecurity compared to other regions. If we look at the composition of the IT workforce across sectors, we see that only a 4.5% share is allocated to information security, against the 6.5% in North America and 6.3% in Asia Pacific.

But if we have a closer look at Europe’s investments in cybersecurity, we see that energy is second only to the banking sector in terms of spending.

Source: "A snapshot of Cybersecurity in the EU" - Eurelectric position paper

The war in Ukraine and the attacks by Russian hackers that followed played a definitive role in this increased spending, showing that the EU acknowledged the need to take concrete measures to secure its energy infrastructure from cyber threats. In June this year, the European Commission tested the EU's energy infrastructure resilience during a pan-European exercise staging cyber-attacks.

'As cyber threats continue to evolve, it is imperative to prioritise cybersecurity exercises. These proactive measures not only enhance our readiness to defend against potential cyberattacks, but also underscore our commitment to safeguarding our systems. Moreover, with the growing sophistication of smart grids, the stakes are higher as the interconnected systems become more susceptible to cyber threats.' – Commissioner for Energy, Kadri Simson

Besides role playing, the last few years have seen regulation on cybersecurity across the board.

Regulation entering into force

Given the cross-sectoral nature of digitalisation, there is legislation on cybersecurity that encompasses different sectors:

  1. The EU Cybersecurity Act introduces an EU-wide cybersecurity certification framework for Information and Communication Technology (ICT) products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union. Certification is key to ensure a high level of quality and reliability of highly critical and sensitive cybersecurity services which assist companies and organisations to prevent, detect, respond to or recover from incidents.
  2. The EU Cyber Solidarity Act aims to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks. The Act includes a European Cybersecurity Alert System, made of Security Operation Centres interconnected across the EU, and a comprehensive Cybersecurity Emergency Mechanism to improve the EU’s cyber resilience.
  3. The EU Cyber Resilience Act introduces requirements for hardware and software.
  4. The NIS2 Directive is cross-sectoral legislation, which provides legal measures to boost the overall level of cybersecurity in the EU.

Zooming in on the energy sector, we have:

  1. The Network code on Cybersecurity seeks to improve the cyber resilience of critical EU energy infrastructure and services with the goal of creating a high, common level of cybersecurity for cross-border electricity flows in Europe.
  2. The Risk-preparedness in the electricity sector introduces important rules for the cooperation between Member States with the aim to prevent, prepare for, and manage electricity crises. It also establishes common provisions for risk assessment, risk preparedness plans, managing electricity crises, evaluation and monitoring.

The EU is clearly not wanting for legislation for this new, cross-sectoral challenge. Time will show how Member States can work together for a cyber-safe electricity sector by implementing what has been passed.

What’s next for the electricity sector?

As the electricity sector embraces digitalisation, cybersecurity is no longer just a technical necessity, but a strategic priority. In our Cybersecurity Snapshot, we have identified the key aspects to prioritise:

  1. Give the electricity sector time to implement the cybersecurity framework already in place. Before introducing new legislation, let’s allow the existing regulations to do what they are meant to do.
  2. Create a skilled workforce by attracting, training and equipping talent to tackle the present and future challenges.
  3. Improve collaboration among Member States for a safe and resilient energy system.

We look forward to seeing how the cyber landscape will evolve for the energy sector, and to collaborate with EU institutions to address the new challenges of a digitalised grid.

In the meantime, at Eurelectric we continue the conversation on digitalisation at large within our Digitopia Business Hub, a unique platform for digital gurus in the energy space to explore the new conditions for the power industry in the digital age. If you are interested in digital and cyber topics, this might be the place for you.


This week’s edition written by:

Chiara Carminucci, Digital Communications Officer - Eurelectric

With technical input by:

Jessica Garcia, Advisor - Distribution & Market Facilitation - Eurelectric


