ACER and Cybersecurity

Why is cyber security such an important topic for ACER and energy regulators?

Cyber incidents and attacks can disrupt essential energy services, for example by causing electricity blackouts or damaging existing infrastructure. A reliable energy system is the backbone of the economy: energy supply powers industry and is essential to daily life (home, work, mobility and entertainment).

The harmful effects of cyber incidents and attacks can be widespread, affecting individuals, organisations, and communities. A cyberattack or incident in one country can affect the EU's digitalised energy system across multiple geographical areas, potentially causing cascade effects.

Cybersecurity is so critical in energy that Europe's legislators have adopted a sector-specific approach to reinforcing cybersecurity in electricity, which applies in addition to the general cyber laws.

See ACER's Cybersecurity Glossary.

How realistic are cyber threats in energy?

Cyber threats to the energy sector represent a real and escalating risk, with cyber incidents increasing in both frequency and impact. In Ukraine, around 225,000 customers lost power in the December 2015 cyberattack on the electricity distribution grid. For electricity systems, the threat of cyberattack is substantial and growing.

As cyber threats intensify, increasingly digitalised critical energy infrastructure becomes more exposed to attack. The very interconnectedness of assets across the energy system means that a single asset that is not cyber secure can put the others at risk.

How does ACER contribute to cybersecurity?

ACER contributes to strengthening the cybersecurity of Europe's energy system in three main ways:

1. Advising on EU legislation and rules

ACER and national regulators provide expert advice on EU legislation and cyber rules relating to the energy sector.

  • In 2021, at the request of the European Commission, ACER developed a Framework Guideline (under the Electricity Regulation) that will shape a legally binding EU-wide Cybersecurity Network Code for cross-border electricity flows.

  • ACER and regulators are actively engaged in European Commission Expert Groups.

2. Sharing information among energy regulators and capacity building

Since 2015, ACER and the national energy regulators have cooperated and shared information in a dedicated cybersecurity task force co-chaired by ACER and CEER:

  • Such collaboration covers issues such as cybersecurity preparedness, response and recovery planning, and regulatory approaches that drive prudent risk-reduction efforts.

  • Outputs include shared resources, reports and recommendations.

  • This task force (together with CEER training courses) supports ongoing capacity building aimed at preventing, detecting, responding to and recovering from cyberattacks.

  • The task force also prepares and distributes factsheets, reports and papers that explain and explore complex and emerging cybersecurity topics of interest to the energy community, and that set out the regulators' position on the adoption of such principles and technologies.

3. ACER's leading cyber experts contribute to EU and international collaboration

ACER's cyber specialists are recognised cybersecurity experts who foster best practices internationally:

  • ACER and energy regulators engage with fellow international experts (e.g. NERC, EPRI and NARUC in the US) to share expertise and experience on issues such as standards, strategy and the prudence of investment.

  • ACER engages with network operators and the EU institutions and agencies (e.g. ENISA, DG ENER and the Joint Research Centre), participating in the Commission's expert groups that develop Europe-wide cyber approaches.

  • ACER engages with the standardisation community in order to reuse existing standards where they exist, or to drive the future standardisation efforts that may be needed for the efficient implementation of the Regulation.

Is there a European approach to cyber security?

The EU works on various fronts to promote the efficient implementation of cyber resilience across all sectors. Europe has a cybersecurity strategy and cross-sectoral cybersecurity legislation: the 2016 NIS Directive, the 2019 Cybersecurity Act and a 2020 proposal to revise the original NIS Directive. The Cybersecurity Act establishes an EU-wide framework for the cybersecurity certification of ICT products, services and processes (which also applies in the energy sector) and strengthens ENISA, the EU's cybersecurity agency.

Europe sees electricity as "critical" and reinforces its cybersecurity with an additional electricity sector-specific approach

Europe's 2019 energy laws complement the horizontal cybersecurity legislation with electricity sector-specific cybersecurity provisions. In 2019, the European Commission also adopted a Recommendation on cybersecurity in the energy sector.

Both the recast (2019) Electricity Directive and the Electricity Regulation contain cybersecurity provisions. For example, the Electricity Directive deals with smart meters and cybersecurity, while the Electricity Regulation provides for binding EU-wide rules on cybersecurity in electricity, to be adopted as a Cybersecurity Network Code. The Electricity Regulation also assigns a cybersecurity role to the new EU entity for Distribution System Operators (the EU DSO entity).

Europe's general cyber laws (specifically, the NIS Directive on the security of network and information systems) also apply to the energy sector, which is defined as "critical". Under the NIS Directive, "operators of essential services" include those operators identified by Member States as energy critical infrastructure. Hence, most energy operators (including many electricity suppliers, many Distribution System Operators (DSOs) and all Transmission System Operators (TSOs)) are subject to the security and incident-notification requirements of the NIS Directive. These operators are also required to assess cyber risks and to meet minimum standards aimed at mitigating such risks, as well as to fulfil other related obligations.

The journey towards the Cybersecurity Network Code

In July 2021, ACER published its non-binding Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows.

The Framework Guideline sets out high-level principles for the development of a binding Cybersecurity Network Code that will contribute to maintaining the security of the electricity system across Europe.

It covers various topics:

  • governance

  • cross-border risk assessment & management

  • a common electricity cybersecurity framework

  • information sharing and essential information flows

  • incident handling and crisis management (including data collection)

  • an electricity cybersecurity exercise framework

  • protection of information exchange in the context of data processing

  • monitoring, benchmarking and reporting

Next steps

In July 2021, ACER submitted the Framework Guideline to the European Commission.

As a next step, a dedicated drafting committee will prepare a proposal for the network code based on ACER's Framework Guideline.

ACER will then review and, where necessary, revise the proposed network code to ensure that it complies with the Framework Guideline and does not hamper the efficient functioning of the market. ACER shall submit the revised network code to the European Commission within six months.

What will the new Cybersecurity Network Code cover?

These new sector-specific cybersecurity rules will cover issues such as:

  • establishing methodologies and governance for electricity cross-border risk assessment

  • defining a set of common minimum cybersecurity requirements and standards applicable to all actors in the electricity markets

  • further developing and orchestrating the collection and dissemination of cybersecurity information among all electricity community actors

  • planning, monitoring and reporting obligations