cybersecurity in the energy sector · cybersecurity in the energy sector ... dg ener,b.3 . cyber...

CLEAN ENERGY FOR ALL EUROPEANS

Cybersecurity

in the energy sector

IEA Digitalization and Energy

Workshop: Digital Resilience

Michaela Kollau

European Commission,

DG ENER,B.3

Cyber Security in the Energy Sector – Clean Energy Package Contribution

What is the role of cybersecurity in the energy transition strategy?

Issues Key questions

The legacy industrial control systems are today essential, but :

- controlling traditional areas of the grid increases

vulnerability of the energy network

- their interconnection with smart components raises

vulnerabilities for the energy infrastructure

Are cybersecurity and security of

supply two sides of the same

energy coin?

The effects by cyber-attacks are not fully considered in the

security design rules of the existing power grid; in other

words, the n-1 principle for the secure design of energy

systems might not be enough to cover effects of cyberattacks.

How to secure our energy

network?

Suppliers of information technologies - very often from outside

Europe - do not have strong obligations to make their

applications secure.

What standards or certification

do we need to put in place for the

IT supply chain?

Cyber Security in the Energy Sector – Clean Energy Package Contribution

What is the role of the energy sector in the cybersecurity strategy?

ICT

Energ

y

Tra

nsport

Fin

ancia

l

Health

Oth

er

secto

rs

ICT Energy

Tra

nsport

Fin

ancia

l

Health

Oth

er

secto

rs Energy

Cyber Security in the Energy Sector – Clean Energy Package Contribution

EU cybersecurity road map and specific energy activities at EU level

2013 2014 2015 2016 2017 2018 2019 2020 2021

Revision

strategy EU Cyber strategy and NIS proposal

EU Agenda Security 2015-20

NIS and GDPR

Digital Service

Operator

NIS transposition and Operator of

Essential Services

EC assessment OES

EC review NIS implementation

Clean

Package

Revision of

EU strategy

• grids

• meters SGTFEG1

• BAT

• DPIA

SGTFEG2

• strategy

• Actions EECSP Input

G7 Rome

• Technical capacity

• explore rules

SGTF-EG2

Dr M. SANCHEZ– EC DG ENER

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Market Design (5)

Commission Proposal - Clean Energy for all Europeans

Cyber Security in the Energy Sector – Clean Energy Package Contribution

How the Clean Energy Package acknowledges cybersecurity?

The legislative proposals put a lot of emphasis on smarter and more efficient management of the grid, by using digital technologies and the flexibility of consumers and their electrical appliances -PV, eV, etc

Innovation is at the core of the package, from renewable energy legislation, to energy efficiency and the new market design proposals

The package acknowledges the importance of cyber security for the energy sector, and the need to duly assess cyber-risks and their possible impact on the security of supply.

It proposes the adoption of measures to prevent and mitigate the risks identified as well as the adaption of technical rules for electricity (i.e. a Network Code) on cyber-security.

The Commission's proposal for a revised security of gas supply regulation, currently at trilogue level, also acknowledges the importance of cyber security in gas.

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Market Design (7)

Energy Expert Cyber Security (EECSP) – Expert Group

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Overview of the work of the

Energy Expert Cyber Security Platform (EECSP)-Expert Group

(ref. EECSP Report)

http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3341

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Documents analysed

Strategy papers

• EU Cyber Security Strategy

• Digital Single Market Strategy

• 50 national cyber security strategies

Legislation with focus

on cyber security for

critical infrastructure

providers

• Network and Information Security (NIS) Directive

• European Programme for Critical Infrastructure

Protection (EPCIP) Directive

• Contractual Public-Private Partnership

Legislation with focus

on security of supply

• Security of Supply (SoS) Directive

• Security of Gas Supply Regulation

Legislation with focus

on data protection and

privacy

• General Data Protection Regulation (GDPR)

• Data Protection Impact Assessment (DPIA)

Template

Cyber Security in the Energy Sector – Clean Energy Package Contribution

10 cyber security challenges in the energy sector (ref. EECSP Report)

Electricity Oil Gas Nuclear

1 Grid stability in a cross-border interconnected energy

network. x x x

2 Protection concepts reflecting current threats and risks. x x x x

3 Handling of cyber-attacks within the EU. x x x x

4 Effects by cyber-attacks not fully considered in the

design rules of an existing power grid or nuclear facility x x

5 Introduction of new highly interconnected technologies

and services. x x

6 Outsourcing of infrastructures and services. x x x

7 Integrity of components used in energy systems. x x x

8 Increased interdependency among market players. x

9 Availability of resources and their competences. x x x x

10 Constraints imposed by cyber security measures in

contrast to real-time/availability requirements. x x x

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Identified Strategic Areas – Needs (ref. EECSP Report)

1 European threat and risk landscape and treatment

2 Identification of provider of essential services

3 Cyber response framework

4 Crisis management

5 European cyber security maturity framework

6 Supply chain integrity framework for components

7 Capacity & competence build-up

8 Best practice and information exchange

9 Forster international collaboration

10 Awareness campaign from top level EU institutions

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Strategic Priorities Strategic Areas Areas of Actions

I

Set-up an effective

threat and risk

management

system

European threat and risk landscape and

treatment

1. Identification of provider of essential services

for the energy sector at EU level.

2. Risk analysis and treatment.

3. Framework of rules for a regional

cooperation.

4. EU framework for vulnerabilities disclosure

for the energy sector.

Identification of provider of essential services

Best practice and information exchange

Forster international collaboration

II

Set-up an effective

cyber defence

framework

Cyber response framework 5. Define and implement cyber response

framework and coordination.

6. Implement and strengthen the regional

cooperation for emergency handling

Crisis management

III

Continuously

improve cyber

resilience

European cyber security maturity framework 7. Establish a European cyber security maturity

framework for energy.

8. Establish a cPPP for supply chain integrity

9. Foster European and international

collaboration

Supply chain integrity framework for

components

Best practice and information exchange

Awareness campaign from top level EU

institutions

IV

Build-up the

required capacity

and competences

Capacity & competence build-up 10. Capacity and competence build-up.

(ref. EECSP Report)

Cyber Security in the Energy Sector – Clean Energy Package Contribution

High level Roundtable on main Challenges for Cyber Security

in the Energy System 24. March 2017, Rome

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Main Conclusions - Rome

1. Cyber security in the energy sector has its specificities

2. The importance of information technology suppliers

3. Ensure the right balance between cyber security, data protection and economic growth

4. Address IT skills shortage

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Smart Grids Task Force Working Group on Cyber Security

Cyber Security in the Energy Sector – Clean Energy Package Contribution

European Smart Grid Task Force - Expert Groups 2017-18

Dr M. SANCHEZ– EC DG ENER©2017. FSR Florence 24 March 2017 - (16)/17

Data Format and

Procedures Cybersecurity

Demand

Response

Chair by EC EC EC EC

one expert and

one alternate

1) no alternate

2) Multiple functional player

3) Covering the role of supplier

4) 2 experts and 2 alternates

5) EC ask BEUC case by case,

according with the issue to

discuss

CEER CEER CEER

CEDEC(1) (2) CEDEC (1) (2) CEDEC (1) (2)

EDSO (1) EDSO (1) EDSO (1)

Eurelectric (1) (3) Eurelectric (1) (3) Eurelectric (1) (3)

GEODE (1) GEODE (1) GEODE (1)

ENTSO-E (4) ENTSO-E (4) ENTSO-E (4)

Orgalime/T&D Orgalime/T&D Orgalime/T&D

ESMIG Digital Europe ESMIG

ANEC/BEUC (5) ANEC/BEUC (5) ANEC/BEUC (5)

SEDC SEDC SEDC

ENTSO-G (4) ETNO/GSMA ECOS

MARCOGAZ BEREC CECED

ETNO/GSMA ENCS EHC

BEREC EUTC ebIX

ebIX

Cyber Security in the Energy Sector – Clean Energy Package Contribution

Dear eTendering user

The following events occurred between 27/01/2017 22:00 and 07/02/2017 22:00

Call for Tenders "ENER/B3/2017-465" (id: 2120)

Feb 7, 2017 4:00:11 AM The Call for Tenders has been updated.

Call for Tenders: ENER/B3/2017-465 - Study on the evaluation of risks of cyber incidents and on costs of preventing cyber incidents in the energy sector.

This message has been sent by the eTendering application. Do not use the 'Reply'

function nor use this sender e-mail address. Please contact us using the contact link provided on the eTendering website.

Publications Office - eTendering: Calls for tenders from the European institutions

Call closes 10 April

Cyber Security in the Energy Sector – Clean Energy Package Contribution

http://ec.europa.eu/energy/en

http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters