European regulation to increase utility cybersecurity

The European Union is currently working on several new regulations, measures and technologies to protect utility critical infrastructure from evolving cyber threats.
Published: Thu 02 Aug 2018

The future of the energy industry is here - the industry is evolving and changing quicker than ever before.

The sector is now increasingly digitised, automated and smart, and utility networks and systems are more and more interconnected and communicative.

Whilst this fast-paced evolution is surely enabling the energy transition, the other side of the equation is that cyber threats against utility systems are evolving just as quickly. Utilities operate a section of society's critical infrastructure, which makes them prime targets for hackers and other hostile agents seeking to infiltrate the network.

In addition, energy networks have seen multiple elements and services added to them in recent years, from electric vehicles (EVs) to smart meters and other customer applications. These new additions also represent additional entry points into the grid that hackers are likely to target.

In fact, according to a 2016 report by the Cambridge University Centre for Risk Studies, 14% of all cyber attacks in the UK were targeted against the energy sector. In comparison, 30% of attacks targeted the financial sector and 15% the telecommunications sector, the sectors with the highest and second highest incidence of cyber attacks respectively.

In a complex, interconnected and digital energy infrastructure such as Europe's, these figures mean that cyber attacks targeting the sector can have a cascading effect across the network. The European Union has therefore started to develop robust regulatory frameworks and guidelines for utilities to protect the integrity of the network.

In an Engerati webinar, ‘How can Europe help to increase cyber resiliency in utilities’, we discussed the latest regulatory actions in Europe to define new cybersecurity regulation and the development of security certification approaches, alongside industry experts from the European Smart Meter Industry Group (ESMIG), a European representative of smart solution providers, and Oesterreichs Energie, a consultant for Austrian energy companies.

European regulations for cyber resiliency

European Union bodies are actively working towards improving cyber resiliency in utilities, says Armin Selhofer, Head of Certification at Oesterreichs Energie.

For example, "in 2015, the European Commission started an energy cybersecurity platform that investigated the whole situation. It had a look at the challenges in the energy industry and its needs. It then identified gaps between the industry's needs in that front and their current coverage, and finally proposed actions."

The result was the Energy Expert Cyber Security Platform (EECSP), which comprised a report that recommended several actions to the European Commission to increase utility cybersecurity: to set up an effective threat and risk management system, to set up an effective cyber response framework, to continuously improve cyber resilience, and to build up the required capacity and competencies.

Subsequently, the European Commission formed a second Expert Group, which is compiling a report expected to be ready by the end of 2018.

The European Commission’s timeline to develop framework guidelines and network code for cybersecurity on the energy infrastructure

"This group is currently preparing the ground for the framework guidelines that will, later on, be defined by the Agency for the Cooperation of Energy Regulators (ACER), and from within this framework the Network Code will be developed and defined," explains Selhofer.

"We have already identified in this group the objectives we want to achieve. The idea is to have energy systems which shall be protected against current and future threats and risks, having some kind of forecast.

“Additionally, we need to have plans on how to manage crises and to limit the effects of attacks on European society and economy.

“We have also identified vital components that make up the risks that we have to deal with in the supply chain, to bring trust and transparency for cybersecurity in the energy supply chain. Finally, we need to have harmonised maturity and resilience levels for cybersecurity across the EU in all member states,” says Selhofer.

Security certification

For Willem Strabbing, Managing Director of ESMIG, it is equally important to develop guidelines and regulations for privacy and security, particularly for smart meter data. "The reason to carry out this work on privacy and security was that there were concerns about these issues from the very beginning of the smart meter rollout. There are still discussions about what happens with this data, where does it go, how is it protected, how is it collected, etc.”

Strabbing points out that ensuring privacy protection matters in the context of GDPR compliance as well. “Organisations that have access to smart meter data have to think about how to protect it to comply with GDPR."

Willem Strabbing, Managing Director of ESMIG, explains the importance of a unified European certification approach for energy cybersecurity and data protection.

As such, work began on unified security certification guidelines across the whole of the EU. “If every member state had different certification approaches, these products should be certified 27 times, which would drive up the price of smart meters. That's why we started working on a European approach.”

This approach, which is being developed by ESMIG in conjunction with the CEN/CENELEC/ETSI Coordination Group for Smart Meters, uses the Common Criteria (ISO/IEC 15408), an internationally accepted approach to the certification of IT products, as the basis for the EU certification scheme.

Another significant measure is the Cybersecurity Act - the European Parliament has already voted on a final version of the Act and it is currently running a trial phase. "The Cybersecurity Act defines formal certification for smart meters, and it means that formal certification is done by independent third parties which would also issue the certificate," explains Strabbing.

"The Cybersecurity Act matters because it gives a mandate to the European Union Agency for Network and Information Security (ENISA) to develop this framework and for the guidelines for schemes to be developed."

Watch the webinar

To find out more about European strategies to improve energy cybersecurity, watch the webinar ‘How can Europe help to increase cyber resiliency in utilities’. Willem Strabbing and Armin Selhofer will also both be presenting at the cybersecurity session at European Utility Week on the 7th of November.