Several European countries have moved to adopt distinct cybersecurity measures as a result of the increased interconnectivity within Europe’s energy system along with a changing paradigm that includes decentralized power sources, the integration of electric vehicles, new digital infrastructure, and connected operational technology.
According to a 2016 survey by the European Commission, at least 80% of European companies have experienced one or more cybersecurity incidents. While the commission has adopted a series of measures to tackle cybersecurity, it did not enact the European Union’s (EU’s) first broad legislation on cybersecurity until August 2016. Member states have until 2018 to adopt the directive on security of network and information systems (NIS), which essentially creates a network of computer security incident response teams across the EU to react to cyberthreats. It also establishes cooperation between member states.
The NIS directive will be integral to addressing some jurisdictional challenges that plague the industry in Europe, industry trade group Eurelectric said in a December 2016 report.
Europe lacks critically needed cross-border coordination, “which lead[s] to an inefficient global response to cyber security related incidents,” the group that represents more than 3,500 companies in power generation, distribution, and supply said. Meanwhile, it is often not clear which authority is in charge of smart grid cybersecurity, the report notes. And, while most network operators seem to tackle this challenge effectively, “many others lack the incentive and expertise, and many National Regulatory Authorities (NRAs) lack the mandate to take on this responsibility.”
However, Eurelectric also said that a number of pressing cybersecurity challenges faced by European power companies remain unaddressed by the NIS directive. The biggest challenge relates to long investment cycles that make technology assessments difficult and have led to a time lag between implemented and up-to-date solutions, the report says. Likewise, information technology and operational technology environments have “mismatched” life cycles and diverging practices in terms of design, qualification, and maintenance, “which can lead to a different approach regarding the security of each technology, creating gaps that can be maliciously exploited,” it notes. Also, the cybersecurity offered by commercial “off-the-shelf” products intended to keep up with smart grid development can be insufficient, while “tailor-made solutions” can lead to financial and technical inefficiencies.
The organization called for national authorities to set security baselines that equipment and service providers would have to follow. These entities should also provide security certifications that distribution system operators (DSOs) could use on their networks or for products that could be used by third-party companies on customer premises.
However, Eurelectric noted that a number of countries have moved to adopt important initiatives that could help address larger concerns.
Denmark. The country encourages a close exchange of data between grid operator Energinet.dk and generators, DSOs, and retailers via a “data hub.”
Norway. Companies must report major incidents to national authority NVE. In 2014, the country also set up KraftCERT, a “tool” for the entire power industry that helps handle and prevent security incidents. It specializes in monitoring, counseling, and incident response.
Austria. The country has established public-private cooperation to set up voluntary national security standards for the power sector and carry out a risk assessment.
France. The government has issued a decree that obliges some companies to declare security incidents to the national cybersecurity authority ANSSI. It also has a basic certification (Certification de Sécurité de Premier Niveau) for black-box testing of product cybersecurity.
Sweden. A common security website (https://www.energisakerhetsportalen.se) curates relevant information for the energy sector.
Portugal. A national cybersecurity center coordinates crisis management and operational response to cyberattacks, including initiatives for the energy sector.
Germany. The country enacted the national IT-Security Act in June 2015, a law that obliges operators of energy-related critical infrastructure to report network and information security incidents. Transmission operators and DSOs must comply with the ISO/IEC 27001 certification standard, while generators will be required to comply with standards that are currently being drafted by the national regulatory authority.
—Sonal Patel is a POWER associate editor.