Cybersecurity in the Energy Sector, Electricity Subsector

The "all-hazards approach" in Electricity Cybersecurity, from the US Presidential Policy Directive 21 (PPD-21) to the NIS 2 Directive of the European Union

In the USA, Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience (February 12, 2013) calls for an all-hazards approach. According to the PPD, the Federal Government must work with critical infrastructure owners and operators to take proactive steps to manage risk and strengthen the security and resilience of US critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.

According to the PPD, the term "all-hazards" means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.

In the USA, the Sector Spotlight: Cyber-Physical Security Considerations for the Electricity Sub-Sector is a product co-branded by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE). It gives the broader critical infrastructure community an overview of the key cyber-physical attack vectors facing the electricity sub-sector, best practices for mitigating risk, and recommendations for maintaining resilience.

According to CISA and the DOE, cybersecurity is an evolving security challenge for the electricity sub-sector. Cyberattacks pose a persistent threat to the electricity sub-sector and can cause severe physical and economic harm. Attackers can disrupt operations through ransomware, or by exploiting weaknesses in remote-access virtual private networks (VPNs) to reach the control systems responsible for critical operational components, such as tap changers on transformers. Malicious actors may also use cyber activity to bypass physical security measures.

A single compromised manufacturer, or a poorly secured component of Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, or software management systems, could compromise utility systems once it is broadly distributed across the electricity subsector. Attacks on the subsector's supply chain for critical component manufacturers could also delay the acquisition of key operational components.

Electricity sub-sector operators are increasingly integrating Industrial Internet of Things (IIoT) devices with ICS to help monitor, regulate, and manage operating environments. These connected devices pose many of the same risks to enterprise security as traditional ICS. Inherent risks of IIoT devices include vulnerabilities introduced in design, manufacturing, implementation, configuration, and disposal. For example, an IIoT device running outdated or unpatched software or firmware is at greater risk of compromise and can serve as a foothold for infiltrating enterprise networks, systems, and data stored in the cloud.

According to CISA, the energy infrastructure is divided into three interrelated segments: electricity, oil, and natural gas. The U.S. electricity segment contains more than 6,413 power plants (this includes 3,273 traditional electric utilities and 1,738 nonutility power producers) with approximately 1,075 gigawatts of installed generation.

Approximately 48 percent of electricity is produced by combusting coal (primarily transported by rail), 20 percent in nuclear power plants, and 22 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (6 percent), oil (1 percent), and renewable sources (solar, wind, and geothermal) (3 percent). These generation shares are quoted from CISA's Energy Sector overview and reflect an older generation mix; the share of coal has since fallen substantially. The heavy reliance on pipelines to distribute products across the US highlights the interdependencies between the Energy Sector and the Transportation Systems Sector.

Because virtually all industries rely on electric power and fuels, every sector depends on the Energy Sector.

In the European Union, the European Union Agency for the Cooperation of Energy Regulators (ACER) was established in March 2011 under the Third Energy Package legislation. ACER is one of the EU's decentralised agencies. Distinct from the EU institutions, agencies are set up as separate legal entities to perform specific technical and scientific tasks that help the EU institutions and Member States implement policies and take decisions.

Since the Directive on common rules for the internal market in electricity (1996), which marked the beginning of the market integration process at the European level, significant progress has been made towards establishing an efficient Internal Electricity Market. The successive legislative packages, and more recently the 'Clean Energy Package', have further strengthened the foundations of the Internal Electricity Market.

According to ACER, cyber incidents and attacks can disrupt energy-related essential services, e.g. by causing electricity blackouts or damage to existing infrastructure. A reliable energy system is the backbone of the economy. Energy supply powers industry and is essential to our daily lives (home, work, movement and entertainment).

The harmful effects of cyber incidents and attacks on individuals, organisations and communities can be widespread. A cyberattack or cyber incident in one country can affect the EU's digitalised energy system beyond a single geographical area, with cascading effects.

Cybersecurity is so critical in energy that Europe's legislators have adopted a sector-specific approach to reinforce cybersecurity in electricity, which applies in addition to the general cybersecurity laws.

The NIS 2 Directive of the European Union (Directive (EU) 2022/2555) entered into force on 16 January 2023; Member States had until 17 October 2024 to transpose it into national law.

Article 1 (subject matter of the NIS 2 Directive) states that NIS 2 lays down cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II.

Annex I (Sectors of High Criticality) lists, under the Energy sector, Electricity subsector, the following entities as being in the scope of the NIS 2 Directive:

- "Electricity undertakings, which carry out the function of ‘supply’",

- "Distribution system operators",

- "Transmission system operators",

- "Producers",

- "Nominated electricity market operators",

- "Market participants providing aggregation, demand response or energy storage services", and

- "Operators of a recharging point that are responsible for the management and operation of a recharging point, which provides a recharging service to end users, including in the name and on behalf of a mobility service provider."

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to above shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Cyber Risk GmbH, a private company incorporated in Horgen, Switzerland, is not affiliated with or connected to the entities referred to above in any way. Cyber Risk GmbH offers training programs in some difficult areas, such as the new NIS 2 Directive of the European Union, which changes the compliance requirements of many entities in the Energy sector, Electricity subsector, and programs that help the Board of Directors and the CEO understand cybersecurity challenges.

The Board of Directors and the CEO of entities in the Energy sector, Electricity subsector must understand that they are high-value targets. For them, standard security awareness programs will not suffice. The way they are targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These attacks are often well planned and well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country can attribute an attack to an actor, it cannot prove that a link exists between that actor and the country sponsoring the attack.

Our training programs

Energy Sector, Electricity Subsector, Cybersecurity Training.

The NIS 2 Directive as it applies in the Energy Sector, Electricity Subsector.

Cybersecurity Training for the Board of Directors, in the Energy Sector, Electricity Subsector.