Europe Energy Briefs | Status of cybersecurity in Europe's electricity sector
Europe's electricity sector is one of the three most critical and most mature sectors when it comes to cybersecurity in the region, the EU’s agency for cybersecurity (ENISA) has reported.

Together with telecoms and banking, the other most critical and most mature sectors, it has benefited from significant regulatory oversight, funding and investments, political focus and, overall, a robust public-private partnership, according to ENISA's NIS360 report on cybersecurity across the critical sectors set out in the EU’s 2022 NIS2 directive.
Gas on the other hand, along with several other sectors, falls into the NIS360 risk zone. The sector needs to continue to work towards developing its incident readiness and response capabilities through the development and testing of incident response plans at national and EU levels but also through enhanced collaboration with the electricity and manufacturing sectors.
The study, the first of its scope, is intended to assess the maturity and criticality of the NIS2 sectors, of which there are 18 identified.
Policy, risk management, collaboration and preparedness
ENISA points to each of the energy subsectors having its distinct level of maturity influenced by policy frameworks and guidance, risk management practices, collaboration and information sharing and operational preparedness.

Electricity ranks highest in the policy framework and guidance dimension, guided by the NIS directive and the sector-specific Network Code on Cybersecurity (NCCS), which became effective on 13 June 2024, with gas and hydrogen and district heating and cooling ranking lower.
Across the sector, entities benefit from supervision and support by experienced national and/or sector-relevant authorities. However, while this oversight is generally viewed positively, more opportunities exist to further enhance the level of support offered, the report indicates.
Many entities report implementing robust cyber risk management practices. These include securing leadership approval for cyber risk management controls, adopting supply chain cybersecurity policies and deploying measures to enhance trust within the supply chain.
However, national and sector-relevant supervisory authorities highlight differences across subsectors, with electricity and gas making meaningful progress in implementing NIS2-aligned measures to identify, protect against and detect cyber threats, while district heating and cooling and hydrogen are reported to have made limited advancements.
Authorities also note that entities across all energy subsectors tend to perform better in pre-incident measures compared to post-incident ones.
Across the energy sector, many entities report participating in information-sharing and collaboration initiatives, primarily through industry associations and EU or national ISACs, with nearly all engaging with their national competent authority.
Entities also engage in preparedness-building activities, most commonly within their own organisations, and to a lesser extent via EU-level exercises and community-driven workshops and training sessions.
From a supervisory authority standpoint, electricity subsector entities are seen as the most prepared for incidents or crises, with many having documented and tested plans and processes through cyber exercises.
Criticality
The report notes that the EU energy sector's growing reliance on ICT and interconnected systems makes it increasingly vulnerable to a range of cyber threats.
Nevertheless, the criticality of EU energy subsectors varies based on several factors. These include not only the level of ICT dependency within each subsector, but also the potential socioeconomic impact of cyber attacks against them and the speed at which such an impact would be felt.

In terms of socio-economic impact, the electricity subsector stands out with the highest impact score, reflecting its central role within the energy sector and its importance to the broader economy.
The electricity subsector also stands out as the most reliant on digital technologies, especially with the ongoing digital transformation of power grids, and it ranks highest in time criticality as a significant incident would have immediate impacts due to its central role in daily life and interdependencies with critical sectors like telecoms and transportation, potentially causing cascading effects.
Gas follows in all dimensions. While cybersecurity incidents could result in temporary service disruptions, time criticality is only moderate and the effects would be less widespread than those of a similar event in the electricity subsector, with fewer ripple effects across other sectors.
Areas for improvement
Based on its analysis, ENISA offers five areas for improvement and/or intervention to help the sector further develop its cyber maturity.
- Help national authorities deepen their understanding of the less mature energy subsectors’ unique challenges to ensure more effective support and supervision of entities within it, particularly in the district heating and cooling and hydrogen spaces.
- Equip national authorities to effectively support entities in implementing and harmonising requirements outlined in NIS2 and other applicable legislation to ensure consistent support across member states.
- Support the development/strengthening of the energy sector's risk management capacity. For the electricity sector, this is expected to happen through targeted support towards the development of cybersecurity risk assessment methodologies, the identification of controls to mitigate applicable risks and the promotion of their implementation as foreseen via the cybersecurity network code.
- Strengthen information sharing and collaboration among sector entities in the electricity and gas sectors, and continue to share sectorial situational awareness updates with stakeholders.
- Support sector entities in developing and implementing robust incident response and crisis management plans and strengthen the capacity of national authorities to respond to cross-border incidents.