The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”). The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.
This Recommendation sets out the main issues related to cybersecurity in the energy sector and identifies actions to enhance cybersecurity preparedness. The Commission calls on Member States to encourage industry stakeholders to build up knowledge and skills related to cybersecurity and, where appropriate, to include these considerations into their national cybersecurity framework (e.g., through strategies, laws, regulations and other administrative provisions).
• Address real-time requirements of energy infrastructure components. The Commission recognizes the challenge of implementing cybersecurity measures in elements of the energy system that need to work under “real-time” conditions (i.e., reacting to commands within milliseconds). Among other things, the Recommendation encourages energy network operators to take the following particular measures:
    • apply the most recent security standards for new installations, and consider complementary physical security measures where the installed base of old installations cannot be sufficiently protected by cybersecurity measures;
    • implement international standards on cybersecurity and adequate specific technical standards for secure real-time communication as soon as the respective products become commercially available; and
    • consider privately owned networks for teleprotection schemes to ensure the quality of service level required in light of real-time constraints (the Recommendation also sets out specific issues to consider when using public communication networks).
• Implement relevant cybersecurity preparedness measures related to cascading effects in the energy sector. The Commission recognizes that because electricity grids and gas pipelines are strongly interconnected across Europe, a cyber-attack that creates an outage or disruption in one part of the energy system can trigger “far-reaching cascading effects into other parts of that system.” Accordingly, the Recommendation encourages Member States to evaluate the interdependencies and criticality of power generation and flexible-demand systems, transmission and distribution substations and lines, and the associated impacted stakeholders. Member States should also ensure that energy network operators have a framework in place to communicate with all key stakeholders in order to share early warning signs and cooperate on crisis management.
    For their part, the Recommendation states that energy network operators should, in particular:
    • ensure that new devices, including Internet of Things (“IoT”) devices, have and will maintain a level of cybersecurity appropriate to a site’s criticality;
    • adequately consider cyber-physical effects when establishing and periodically reviewing business continuity plans; and
    • establish design criteria and an architecture for a resilient grid.
• Protect against threats to legacy and state-of-the-art technology. The Recommendation recognizes that two different types of technologies co-exist in today’s energy system (i.e., “an older technology with a lifespan of 30 to 60 years, designed before cybersecurity considerations, and modern equipment, reflecting state-of-the-art digitalisation and smart devices”). Particular recommendations include:
    • Member States should encourage energy network operators and technology suppliers to follow the relevant internationally accepted standards on cybersecurity wherever possible;
    • technology suppliers should provide tested solutions for security issues in legacy or new technologies “free of charge and as soon as a relevant security issue becomes known”; and
    • energy network operators should analyse the risks of connecting legacy and IoT equipment; take suitable measures against malicious attacks from bots; establish an automated monitoring and analysis capability for security-related events in legacy and IoT environments; regularly conduct specific cybersecurity risk analysis on all legacy installations; update the software and hardware of legacy and IoT systems to the most recent versions; and formulate tenders with cybersecurity in mind.
Member States will be called upon to communicate to the Commission – within 12 months after the adoption of this Recommendation, and every two years thereafter – detailed information regarding the state of implementation of this Recommendation through the NIS Cooperation Group (established under the NIS Directive). The Commission intends to regularly review this Recommendation in consultation with Member States and relevant stakeholders.