European Union Agency for Network and Information Security ENISA - The EU Cyber Security Agency
The overall objective of the ENISA's 'Secure Infrastructure & Services Team' is to assist Member States in the consistent implementation of the Directive (EU) 2016/1148 on security of network and information systems (NISD). The team also supports public and private stakeholders to enhance the security and resilience of their smart infrastructures and services and delivers NISD related trainings to enhance their capabilities.
Follow the EU cyber security affairs of ENISA: www.enisa.europa.eu & Facebook, Twitter, LinkedIn, YouTube, RSS feeds
Source: iStock
The energy infrastructure is arguably one of the most complex and, at the same time, critical infrastructures relied upon by business to deliver essential services. Because of this reliance, any prolonged disruption could trigger a cascade of effects across society.
In the past, physical access to a substation was required in order to disrupt the energy flow and seriously impact society; today the same damage can be achieved with a single keystroke from anywhere in the world.
The Ukraine power grid attack[1] illustrates the impact of cyber-attacks on the electricity subsector. This attack resulted in several outages that caused approximately 225,000 customers to lose power across the country. As the use of digital devices and advanced communications grows, so too does the cyber risk.
Another important challenge to cybersecurity is the rapid rate of change in the energy market. There is a shift towards renewable energy, with closer integration between supply and demand. The energy market is transforming, with new market players such as virtual power plants, and citizens themselves become energy producers.
'Another important challenge to cybersecurity is the rapid rate of change in the energy market. There is a shift towards renewable energy, with closer integration between supply and demand.'
In such a complex ecosystem, operators must focus on the operational environment, to protect information systems, detect potential attacks and respond to and recover from any incidents. With threats evolving, response and recovery are of increasing importance. Operators are not typically in a position to classify the threat actor without intelligence support from the Member State. For coordinated attacks from both non-state and state actors, a response structure at cyber level might be apt for the European Union and Member States, along with a coordinated response across Member States.
The European Union is already working towards this in many ways; it is, however, time to streamline and synchronise all efforts. In 2013, the European Union set out a Cybersecurity strategy[3] launching numerous work streams to improve cyber resilience. The main goals of this strategy were to foster a reliable, safe and open cyber ecosystem for all, goals that remain valid today. However, the continuously evolving threat landscape calls for more effective measures.
In 2017, the European Union published its Communication[4] on resilience, deterrence and defence to build strong cybersecurity for the EU, giving the Member States the tools and policies required to address cybersecurity. Though it remains a national priority, the scale and cross-border nature of the threats (like WannaCry[5]) show that it is in fact a joint responsibility. All actors need to work together – the European Union, Member States, industry and individuals – to deliver a stronger EU response to cyber-attacks.
In 2016, the European Union adopted the Network and Information Security Directive[6]. It is the first piece of EU legislation aimed specifically at improving cybersecurity throughout the Union; a very significant step towards securing the European Union’s information systems. Full implementation of the Directive by all Member States by the end of May 2018 is imperative for ensuring resilience in the Union.
ENISA, the European cybersecurity agency, not only plays a major role in the implementation of the NIS Directive6 but also in supporting the Member States and private sector in achieving a higher level of cybersecurity. It has conducted numerous activities and studies[7] on cybersecurity in the energy sector, and industrial control and SCADA systems, in close collaboration with public and private stakeholders.
The Agency has engaged all relevant stakeholders and contributed to European Commission policy initiatives such as the DG Energy Expert Group 2[8] and the CEN/CENELEC Mandate 490[9]. To ensure effective information flows on evolving threats and to facilitate responses to cyber incidents, Information Sharing and Analysis Centres (ISAC)[10] should be encouraged to engage with all relevant bodies. ENISA is already a member of the existing European Energy ISAC.
We can do a lot to address the challenges identified for the energy sector at EU level:
- Harmonise the approach to cybersecurity across EU Member States to reduce the risk of weak links in the increasingly interconnected European grid.
- Develop a common understanding of the cybersecurity threat landscape.
- Develop a common cyber-response framework that helps operators to identify what is needed in order to protect themselves from cyber-attacks.
At corporate level:
- Top management must invest in cybersecurity and launch awareness campaigns, bridging the cultural gap between Operations and Information Technology divisions.
- Information sharing and knowledge exchange among energy sector actors and between public and private stakeholders would enable a greater understanding of the impact of cyber risks for energy companies and for the sector as a whole.
- Companies providing energy services should adopt a holistic approach that incorporates the key phases of cybersecurity: prepare and prevent, detect and respond, recover and share.
It is a shared ENISA view that cybersecurity is a common responsibility; we can only safely adopt new technology and reap the benefits of the evolving power grid by working together and exchanging good practice.
[1] World Analysis of the Cyber Attack on the Ukrainian Power Grid, Defense Use Case, March 18, 2016, SANS ICS and E-ISAC. Energy Council Perspectives – The road to resilience, 2016.
[2] The 'Clean Energy for all Europeans' package of 30 November 2016 acknowledges the importance of cyber security for the energy sector, and the need to assess at various levels (e.g. European, regional and national) cyber risks and their possible impact on the security of supply. The full set of documentation is available at https://ec.europa.eu/energy/en/news/commission-proposes-new-rules-consum....
[3] Commission Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, JOIN(2013) 1, 7.2.2013, on Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace.
[4] Commission Joint Communication to the European Parliament and the Council, JOIN(2017) 450, 13.9.2017, on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU.
[5] ENISA Info-note on WannaCry Ransomware Outburst, 15.5.2017, available at https://www.enisa.europa.eu/publications/info-notes/wannacry-ransomware-....
[6] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016).
[7] The reader can search at https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/scada and https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/smart-grids
[8] Expert Group 2 – Regulatory recommendations for privacy, data protection and cyber-security in the smart grid environment, more information at: https://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-....
[9] European Commission Standardisation Mandate no M/490 to European Standardisation Organisations (ESOs) to support European Smart Grid deployment, 1.3.2011, https://ec.europa.eu/energy/sites/ener/files/documents/2011_03_01_mandat....
[10] ENISA, Information Sharing and Analysis Center (ISACs) - Cooperative models, 14.2.2018, available at https://www.enisa.europa.eu/publications/information-sharing-and-analysi....