A recent paper, prepared by the Institut Français des Relations Internationales (IFRI) analyses what Europe and the US can learn from one another when it comes to cybersecurity policies applied to energy infrastructure.
Both the EU and US have heavily invested in cybersecurity in recent years. This includes strengthening systems and putting in place several policies designed to protect critical infrastructure in the event of a cyber attack, to identify threats and eliminate them as soon as possible.
However, the nature of the policies adopted by both parties contrasts noticeably to one another, the paper shows. While the US has adopted a strategy of ‘security in depth’, with strict and detailed regulations in specific sectors, the EU adopted a strategy which favours the protection of a wide range of different sectors such as electricity distribution, low carbon technologies, and privacy and personal data.
Both approaches are complementary and highlight what lessons can be learned from each party in order to protect the energy infrastructure, which utilities are under increasing pressure to protect.
National security agencies, such as the UK National Cyber Security Centre, the FBI and the US Department of Homeland Security, have alerted utilities to the importance of protecting against cyber attacks, with significant threats posed by hostile foreign agents to the energy infrastructure.
Heightened concerns for cybersecurity in critical infrastructure comes after attacks such as that on the electrical grid in Kiev, Ukraine. Power distribution systems were affected and over 200,000 residents were left without power for hours. The same malware that was used in this cyber breach in Ukraine was found in utilities’ systems in the US as well.
The British National Healthcare System was also targeted by a ransomware attack in 2017, infecting computers in over 150 countries and affecting about 300,000 users.
Strict cybersecurity standards: US lessons
The paper describes US cybersecurity standards as "among the most detailed and comprehensive cybersecurity standards in the world, and mandatory for all 3,000 electric utilities in the United States."
The US has been working on strict cybersecurity policies for the energy sector since the 9/11 terrorist attack in 2001.
From 2005, when the US Congress ratified the Energy Policy Act, federal regulations have established security standards for the electricity network. The North American Electric Reliability Corporation (NERC), a private organisation, has developed a series of cybersecurity norms targeting the production and transmission sections of the power grid.
The Critical Infrastructure Protection Standards (NERC-CIPs), first approved in January 2008, include measures regarding the security of management controls, personnel and training, recovery plans for computer systems in the event of a cyber attack, and others. In addition, these have been regularly updated to stay current according to the rapid development of cyber threats.
As such, the paper affirms that EU policies lack the level of detail and strictness of American standards, when regulations "leave a wide margin of manoeuvre for member states and [...] define only general and imprecise criteria for the protection of critical infrastructure." In addition, a study by the Software Alliance (BSA) points out that cybersecurity norms within the EU vary significantly between member states, which presents challenges since a large part of the European energy infrastructure is connected.
For example, the 2006 European Programme for Critical Infrastructure Protection, as well as the 2008 European Critical Infrastructure Directive, leave a wide margin for EU member states and propose only general criteria for the protection of critical infrastructure, the policy paper says. In addition, the 2013 EU Cybersecurity Strategy focuses on sectors mostly focused on cyber criminality and does not propose any concrete measures.
The EU can then take valuable pointers from the American NERC-CIPs, and learn from these to elaborate norms with far less room for error and interpretation, the paper suggests. European regulations need to be stricter and more detailed on how to protect the energy infrastructure from cyber attacks, as well as regularly updated according to the evolution of cyber threats. One recommendation, for instance, is that the EU stipulates that each member state establishes a national cybersecurity centre.
Customer data and renewable energy: EU lessons
The US can take lessons from European policies where it concerns the protection of the network for electricity distribution, for example. The NERC-CIPs do not protect the network at the level of electricity distribution, which has been left to individual US states, the paper points out, and few US states have taken responsibility to protect the network at distribution level.
This includes smart meter installation, which will take place in bulk in the US in the upcoming years and form part of the distribution network. As such, smart meter data would not be covered by the NERC-CIPs, which can expose customers to privacy and data breaches, as well as presenting an opening to the physical and material damage potentially caused by malware.
The EU, on the other hand, includes smart meters as the distribution network must be included in cybersecurity policies established by legislation. The paper describes EU regulation on data protection and security as "some of the most advanced legislation in the world", with policies such as the General Data Protection Regulation - active from 25 May 2018 - effectively protecting individual rights and data.
The US, however, has no equivalent regulation, and the paper identifies shortcomings in the federal legislative system to put this in place; and individual states have not passed meaningful legislation for data protection and security either.
The EU also has a headstart in cybersecurity for renewable energy and low carbon technologies. Clean energy is increasingly neglected in current American politics, and even in climate-conscious US states, cybersecurity is rarely integrated into renewable energy strategies, the paper points out.
On the other hand, the EU has been more active in integrating renewable energy into its energy policies, including cybersecurity regulations. EU policies have specifically referred to cybersecurity issues for clean energy - for example, the European Commission's Winter Package outlines specific policies to protect European renewable energy infrastructure from cyber attacks.
Such different approaches to cybersecurity regulations, focusing on different areas, critically highlights the importance of bilateral cooperation between governments to share experiences. Reinforcing dialogue and information sharing are crucial, the policy paper says, and this partnership can potentially lead to the development of international cybersecurity standards for the energy sector.