cybersecurity & digital privacy in the energy sector · energy sector; disclaimer: the views...

#H2020Energy info days Cybersecurity & Digital Privacy in the Energy sector Carmen IFRIM, Michaela Kollau, Mario Dionisio European Commission DG CNECT, DG ENER


Post on 12-Jun-2020


Page 1: Cybersecurity & Digital Privacy in the Energy sector · energy sector; Disclaimer: The views are those of the services and may not in any circumstances be regarded as stating an official

#H2020Energy info days

Cybersecurity & Digital Privacy in the Energy sector

Carmen IFRIM, Michaela Kollau, Mario Dionisio

European Commission

DG CNECT, DG ENER


Transformation of the energy system

Electrification (EV, smart charging, etc.)

Decentralisation (demand response, PV, storage, etc.)

Digitalisation (network technologies, smart metering, beyond the meter measures, smart appliances, IoT, etc.)

INGREDIENTS TO IMPROVE PERFORMANCE AND ENABLE COST SAVINGS

Connectivity


State of the art

• It powers cities, transport, industries, hospitals, etc. Key importance

• Safe without interconnection, isolated from the outside world

• Increasing digitalisation, interconnected grid: advantages, but also risks

ELECTRICAL POWER AND ENERGY SYSTEM (EPES)


Risks


• Exposure to cyberattacks for:

o Increased access points

o Evolving attacks complexity

• The grid was built when cyberattacks did not exist:

o Vulnerabilities emerge (buffer overflows, use of hard-coded credentials, cross-site scripting, etc.)

o Not all assets can be patched

DECENTRALISATION and DIGITALISATION


A European Energy Union

Why does the energy sector require specific considerations in terms of cyber security?

Real-time requirements

…simply cannot be addressed by standard cyber security solutions like authentication or encryption.

Cascading effects

…can trigger black-outs in other sectors and countries.

Technology mix

…creates risks from legacy components designed when cyber security was not an issue, and from new Internet-of-Things devices not made with cyber security in mind.


What is needed

• Defining cybersecurity design principles

• Designing a cyber-secure system architecture

• To make legacy assets (e.g. SCADA, ICS) resilient

• Certification at system level

• Keeping in mind that:

MAKE THE GRID RESILIENT

A high level of digitalisation can happen only if it will not endanger the EPES


Policy context (1/3)

Digital Single Market Strategy – COM(2015) 192 of 6.5.2015;

European Agenda for Security – COM(2015) 185 of 28.4.2015;

NIS Directive – Directive (EU) 2016/1148 of 6/7/2016 concerning measures for a high common level of security of network and information systems across the Union;

eIDAS – Regulation (EU) 910/2016 of 23.7.2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 of 27.4.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;


Policy context (2/3)

Communication on "Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry" – COM(2016) 410 of 5.7.2016;

e-Privacy - Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications - COM(2017) 10 of 10.1.2017;

Cybersecurity Package: Joint Communication on "Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" – JOIN(2017) 450 of 13.9.2017;

Cybersecurity Act - Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") - COM/2017/0477 final


Policy context (3/3)

Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres to support the development of the technological and industrial capabilities necessary to autonomously secure its digital economy and increase Europe's competitiveness with regard to cybersecurity and privacy - COM(2018) 630


Energy Policy context (1/1)

Clean Energy for all Europeans Package

Risk Preparedness Regulation (EU) 2019/941: mandates Member States to develop national risk preparedness plans and coordinate their preparation at regional level, including measures to cope with cyber-attacks

Recast of the Electricity Regulation (EU) 2019/943: gives a mandate to the Commission to develop a network code on cyber security for the electricity sector in order to increase its resilience and protect the grid

Regulation of Security of Gas supply (EU) 2017/1938: includes provisions to consider cybersecurity as part of Member States' national risk assessments

Sector-specific guidance for the energy sector - Recommendation C(2019)240 final and Staff Working Document SWD(2019)1240 final


Work Programme 2018-2020 - Societal Challenge 7 “Secure Societies – Protecting freedom and security of Europe and its citizens”

Call: Digital Security

Topic: SU-DS04-2018-2020: Cybersecurity in the Electrical Power and Energy System (EPES): an armour against cyber and privacy attacks and data breaches

Type of action: Innovation Action (IA)

Budget: 20 MEUR (2020);

Proposed opening: mid-March 2020;

Proposed deadline: end-August 2020;


Cybersecurity in energy

Main challenges:

Digital technologies playing a more important role in the energy system, which is facing higher risks and vulnerabilities, exposed to an increasing range of cyber threats;

With increased digitalisation, EPES faces an increasing range of threats requiring an attentive evaluation of the cybersecurity risk, allowing taking proper countermeasures;

Older technologies in legacy systems were designed in times when cybersecurity was not part of the technical specifications for the system design;

Control system in EPES that is under attack might not be easily disconnected from the network (potentially safety issues, brownouts or even blackouts);

Micro grid operations and/or islanding could be further exploited against cyber-attacks and cascading effects in EPES;

Need for new security approaches in detecting and preventing threats, building protection against cyber and privacy attacks;


Cybersecurity in energy

Scope of action (1/2):

Develop solutions to make the energy sector more cyber secure and more resilient to growing and more sophisticated cyber and privacy attacks;

Demonstrate the resilience of EPES through design and implementation of adequate measures able to make assets and systems less vulnerable, reducing their exposure to cyber-attacks;

Develop scenarios for possible attacks, with appropriate counteracting measures, designed, described, tested on a demonstrator, to verify effectiveness;

Apply measures to new assets or to existing equipment where data flows were not designed to be cyber protected;

Develop a security information and event management system collecting security-related documentation;


Cybersecurity in energy

Scope of action (2/2):

Implement activities to make the electric system cyber secure:

assess vulnerabilities and threats in a collaborative manner;

design adequate security measures to ensure a cyber-secure system;

implement both organisational and technical measures in a representative demonstrator to test the cyber resilience of the system with different types of attacks/severity;

demonstrate the effectiveness of the measures with a cost-benefit analysis;

Define cybersecurity design principles with a set of common requirements to inherently secure EPES;

Formulate recommendations for standardisation and certification in cybersecurity at component, system and process level;

Propose policy recommendations on EU exchange of information;


Cybersecurity in energy

Other specific conditions:

Dimension of a pilot/demonstrator: at large scale level (e.g. neighbourhood, city, regional), involving generators, one primary substation, secondary substations and end users;

Include types of entities such as: TSO, DSO, electricity generators, utilities, equipment manufacturers, aggregators, energy retailers, and technology providers;

Proposals may refer to Industry 4.0 and other proposals and/or projects dealing with cybersecurity in energy;

Foresee activities and envisage resources for clustering with other projects funded under this topic and other H2020 relevant projects in the field, in particular under the BRIDGE initiative (http://www.h2020-bridge.eu/);


Cybersecurity in energy

Impact expected:

Increased resilience against cyber and privacy attacks, and data breaches;

Ensured continuity of the critical business energy operations;

Energy sector better enabled to easily implement NIS Directive;

Cyber protection policy design and uptake;

Set of standards and rules for certification of cybersecurity components, systems and processes in the energy sector;

Disclaimer: The views are those of the services and may not in any circumstances be regarded as stating an official position of the Commission. Only the adopted work programme will have legal value. Information given in this presentation may not appear in the final work programme and likewise, new elements may be introduced at a later stage.


Thank you!

#H2020Energy

EU Funding & Tenders Portal: www.ec.europa.eu/research/participants