The electricity sector, among other risks critical national infrastructure (CNI) organizations, has found itself in the crosshairs of cyber threat actors amid rising geopolitical tensions.
Frequent Russian cyber-attacks which targeted Ukrainian power grids before and since the Kremlin’s invasion of the region underlines the scale of this threat and potential impact on Western nations.
One organization tackling this challenge is the European Network for Cyber Security (ENCS) which aims to increase awareness of cybersecurity risks facing the electricity sector and how to address these collaboratively. The ENCS is a non-profit organization owned by grid operators, focused on enhancing the cybersecurity of the European Union’s (EU) grid infrastructure.
Infosecurity Magazine spoke to Anjos Nijk, Managing Director at ENCS to find out more about the importance of collaboration and information sharing in the electricity sector, and the potential impact of upcoming legislation, such as the EU’s Network and Information Security (NIS2) directive, on this area.
Infosecurity Magazine: How have cyber threats targeting the energy sector evolved in the past few years?
Anjos Nijk: Cyber threats to the energy sector have grown significantly, both in volume and sophistication. According to ENISA, over 200 cyber incidents were reported in 2023, with more than half of these targeting Europe.
This highlights the increasing focus on European energy infrastructure. However, when examining operational technology (OT) systems, which are critical to the actual operations of energy infrastructure, data in incident databases shows that only eight OT incidents were recorded in 2023, suggesting that while IT attacks are rising rapidly, the most critical OT systems are still less frequently targeted.
In the IT domain, phishing and ransomware attacks have become commonplace for energy companies, with attackers leveraging advanced technologies like software-as-a-service (SaaS) and AI to craft more complex attack scenarios.
On the OT front, we’re seeing a rise in nation-state-driven interest, focusing on building sabotage capabilities. While malware targeting OT systems has been detected, actual incidents involving OT remain relatively rare, though the threat continues to grow.
IM: What are the unique cybersecurity challenges facing the electricity sector today?
AN: Unique to the electricity sector is the blend of innovative technologies and legacy systems, which creates a vast attack surface with numerous complex interdependencies.
This underscores the importance of addressing supply chain security, as vulnerabilities within it could lead to large-scale incidents across interconnected infrastructures. These interdependencies often extend beyond the control of individual entities, making collaboration essential.
There are emerging threats from distributed energy resources and consumer equipment that fall outside the control of TSOs and DSOs and remain unregulated. These external elements introduce further complexity and potential risks to grid security, making it imperative to account for both traditional vulnerabilities and new, decentralized threats.
Additionally, there is the “real-time” requirement: unlike IT environments such as banking, the electricity grid cannot simply be switched off to investigate and repair issues. Any disruption can cause cascading effects, halting other critical infrastructures.
IM: How important is collaboration among grid operators and other stakeholders in boosting the resilience of the energy sector in Europe? What key programs and initiatives are in place to boost such collaboration?
AN: Collaboration is vital for strengthening the resilience of the energy sector. While there are many commercial threat intelligence services available, the real gap is in sharing information about actual incidents and the lessons learned. Without access to this critical knowledge, it’s difficult to prepare for and respond to threats effectively.
For example, if one operator secures their grid but neighboring networks don’t, a major incident could cause widespread disruptions. Everything is interconnected, and maintaining balance requires coordination. This is why it’s so important to break down barriers to information sharing and harmonize approaches between various stakeholders and nations.
Sharing best practices, such as risk management strategies, secure architectures and monitoring technologies, is also crucial. Standardizing security requirements for technology and processes is inevitable, but its success depends on ensuring the quality and effectiveness of these measures.
Cross-sector regulations, like the Network and Information Security Directive (NIS2), enforce risk management and information-sharing protocols.
The Network Code on Cybersecurity (NCCS), recently launched by the European Commission, addresses many of these challenges within the electricity sector. Product regulations, such as the Radio Equipment Directive (RED) and Cyber Resilience Act (CRA), enforce standards and conformity assessments for products entering the EU market.
These are strong initiatives, but their effectiveness ultimately depends on implementation and the continued involvement of experts who can support informal information-sharing networks to navigate regulatory constraints.
IM: In March 2024, the EU adopted the NCCS for the electricity sector. How significant do you expect this code to be in enhancing the cyber resilience of energy infrastructure, and what actions do grid operators need to take in relation to it?
AN: The NCCS has full potential to become a leading example on enhancing grid cyber resilience globally. Not only does it provide for a dynamic approach to risk management with a three-year cycle to keep track of technological and threat developments, but it also puts security and grid experts in the position to develop methodologies, determine thresholds and perform risk assessments in close collaboration with authorities and the wider industry.
But there are also challenges involved, such as the long timescales before the first cycles of identifying high-and critical-impact entities are completed, and before risks and controls are identified and implemented. Establishing the required expertise needed to perform the various tasks and responsibilities for authorities, institutions and utilities is and will remain a huge challenge.
Without sufficient expertise in place, there is a risk of delayed decision-making and implementation, which could impact the overall effectiveness of cybersecurity measures.
Grid operators must take key actions at both European association level and individual level. The European Network of Transmission System Operators for Electricity (ENTSO-E), together with the EU Distribution System Operators (DSO) Entity, will develop a risk assessment methodology starting in 2024 called Electricity Cybersecurity Impact Index (ECII), to qualify critical and high impact entities, as well as a Union-wide risk assessment starting in 2026.
Individual entities must do their own risk assessments starting in 2027 and will have to implement minimum and advanced controls.
"I believe the NCCS may have the greatest impact on the electricity sector's adaptation to new cybersecurity practices"
IM: To what extent is the energy sector adapting its cybersecurity practices in light of new and upcoming EU cybersecurity legislation?
AN: Quite frankly, I believe the NCCS may have the greatest impact on the electricity sector's adaptation to new cybersecurity practices. It complements NIS2 by offering specific, harmonized and compulsory measures tailored to critical, high-impact processes and assets across the sector.
While NIS2 is significant, particularly by introducing liability for board members – an important step towards greater accountability – the directive’s broad scope means that much of the implementation will depend on national authorities. This complexity, coupled with the scarcity of necessary skill sets, has resulted in many EU members lagging behind in transposing NIS2 into national law, raising concerns about inconsistent implementation across member states.
As for the CRA, its focus on vulnerability management is where I see the real benefit. Manufacturers are required to implement these processes, but the conformity assessments are mostly self-assessments, which may limit their effectiveness.
The absence of independent testing or penetration testing requirements could undermine security efforts. Furthermore, uncertainty around the implementation of the CRA might stall innovation as stakeholders wait to see how the Commission proceeds. The NCCS helps mitigate some of these concerns by allowing critical entities to impose stricter requirements on grid suppliers.
IM: What are the biggest cybersecurity successes the electricity sector is experiencing today?
AN: In my opinion, the greatest success for the electricity sector is how European grid operators have proactively established a collaborative approach to foster a culture of security awareness and a structured strategy for capacity building.
Since 2012, when ENCS was founded, individual grid operators and associations have been investing in research, testing and training. ENCS, E.DSO and ENTSO-E have jointly organized cybersecurity events to engage policymakers from the European Commission and European Parliament, joined by EE-ISAC and ENISA since 2023. Structured cybersecurity training programs have been implemented and the EU DSO Entity also became an active contributor upon its establishment in 2021.
As a result, the electricity sector now sets a benchmark for other sectors, although the work is ongoing. Despite the ever-increasing volume and sophistication of attacks, no major incidents have occurred in the European grid. There have been no significant compromises of grid systems in Europe, and even in Ukraine no major incidents resulted from cyber-attacks after the attacks it suffered in 2015/2016.
However, the attack surface continues to grow and become more complex, and attackers will target the weakest link in the chain. Therefore, it is crucial to achieve a harmonized level of security across the entire European grid, which can only be achieved through continued collaboration.