Electricity Cybersecurity | Hybrid and Cyber Risks



The electricity subsector is experiencing a structural shift in its risk profile as cyber threats, information operations, and geopolitical contestation interact with physical vulnerabilities and market mechanisms in ways that traditional governance was never designed to manage.

The system that produces, transports, and settles electrical energy is increasingly digital, increasingly modular, and increasingly dependent on third parties for everything from protective relays and phasor measurement units to cloud-hosted market platforms and demand response aggregators. In this environment, the risk is hybrid. Adversaries combine cyber intrusion, physical disruption, data manipulation, and narrative pressure to create outcomes that are economic, technical, legal and operational.

The emergence of adversarial artificial intelligence introduces both challenges and opportunities. On the defensive side, operators employ machine learning for anomaly detection, asset health insights, and contingency analysis. On the offensive side, attackers use generative tools to accelerate reconnaissance and to automate low-and-slow attacks that evade static thresholds.

Low-and-slow attacks that evade static thresholds are intrusion techniques designed to blend into normal operational noise by changing behavior so gradually or intermittently that detectors never flag them. Instead of a noisy, high-impact burst that triggers alarms, the attacker scripts tiny, incremental changes to control setpoints, telemetry values, or ledger entries over long periods so that each individual change falls within configured acceptable bounds.

The automation element matters because adversaries no longer need human patience or manual trial-and-error. They deploy AI agents that probe detection boundaries, learn the operational rhythms, and schedule perturbations to coincide with benign variability (shift changes, maintenance windows, or seasonal load swings). The same automation can choreograph low-bandwidth lateral movement, periodic credential theft, stealthy exfiltration of configuration files, or incremental poisoning of machine-learning models used for anomaly detection or predictive maintenance, all while maintaining an operational profile that looks statistically innocuous to static thresholds tuned to single event spikes.
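The detection side of the problem described above can be shown in a few lines. The following is an added example (not code from the original page or from Cyber Risk GmbH) that compares a static per-sample detector with a cumulative-sum (CUSUM) drift detector over a constructed telemetry series. The baseline value, the band and rate limits, the noise pattern and the 0.02-per-sample ramp are all assumptions chosen for illustration; a real deployment would derive them from the asset's engineering limits.

```python
"""Static thresholds versus cumulative drift detection on telemetry.

Added example: all values below are constructed for illustration.
"""
from typing import List, Optional

# Constructed benign noise pattern (zero mean) that repeats every 5 samples.
NOISE_PATTERN = [0.1, -0.2, 0.15, -0.05, 0.0]


def synthetic_series(n: int, baseline: float = 50.0, slope: float = 0.0) -> List[float]:
    """Constructed telemetry: baseline + optional slow ramp + repeating noise.

    slope=0.0 models normal operation; slope=0.02 models an attacker
    nudging the value by a tiny amount every sample.
    """
    return [baseline + slope * i + NOISE_PATTERN[i % len(NOISE_PATTERN)] for i in range(n)]


def static_threshold_alerts(series: List[float], baseline: float,
                            band: float, rate_limit: float) -> List[int]:
    """Per-sample detector: alert if a sample leaves the operating band
    or if the change since the previous sample exceeds rate_limit."""
    alerts = []
    for i, x in enumerate(series):
        if abs(x - baseline) > band:
            alerts.append(i)
        elif i > 0 and abs(x - series[i - 1]) > rate_limit:
            alerts.append(i)
    return alerts


def cusum_first_alert(series: List[float], baseline: float,
                      allowance: float, decision_limit: float) -> Optional[int]:
    """Two-sided CUSUM: accumulate deviation from a fixed, trusted baseline
    and alert when the accumulated drift exceeds decision_limit.

    The allowance (k) absorbs benign noise; the decision limit (h) sets
    how much sustained drift is tolerated before an alert. The baseline
    is deliberately a fixed parameter, not re-learned from the stream,
    so an attacker cannot slowly move it along with the data.
    """
    s_hi = 0.0  # accumulated upward drift
    s_lo = 0.0  # accumulated downward drift
    for i, x in enumerate(series):
        dev = x - baseline
        s_hi = max(0.0, s_hi + dev - allowance)
        s_lo = max(0.0, s_lo - dev - allowance)
        if s_hi > decision_limit or s_lo > decision_limit:
            return i
    return None


BENIGN = synthetic_series(120)                # normal operation
MANIPULATED = synthetic_series(120, slope=0.02)  # low-and-slow ramp


if __name__ == "__main__":
    print("static detector, manipulated series:",
          static_threshold_alerts(MANIPULATED, 50.0, band=5.0, rate_limit=0.5))
    print("CUSUM, benign series:", cusum_first_alert(BENIGN, 50.0, 0.1, 2.0))
    print("CUSUM, manipulated series:", cusum_first_alert(MANIPULATED, 50.0, 0.1, 2.0))
```

On the manipulated series every step is well inside the rate limit and the value never leaves the operating band, so the static detector stays silent for all 120 samples, while the CUSUM detector flags the sustained drift within the first twenty. The important design choice is that the baseline is pinned to an engineering reference rather than continuously re-estimated from recent data; a detector that keeps re-learning "normal" from the stream it monitors is exactly what the automated, rhythm-aware attack in the text is built to defeat.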

The legal risk shifts from confidentiality toward integrity: the ability to prove that data used for operational decisions and market settlements is complete, accurate, and unaltered. This elevates the importance of secure time sources, cryptographic signing of telemetry, and tamper-evident logs. Governance must anticipate that AI-assisted misinformation will accompany major grid events, requiring preplanned public communications that are technically literate, regulator-aligned, and evidence-based, and that avoid statements which later conflict with forensic findings.
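The integrity controls named above (signed telemetry, tamper-evident logs, trusted time) can be combined into a single append-only record format. The following is an added example, not code from the original page or from any named vendor or regulator: each record is hash-chained to its predecessor and authenticated with an HMAC, and verification also requires strictly increasing timestamps. The key, the measurement fields and the timestamps are constructed; the timestamps are assumed to come from a trusted time source, which the verifier does not itself establish.

```python
"""Hash-chained, HMAC-authenticated telemetry log with verification.

Added example with constructed data; the key is a demo value only.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64                                   # chain anchor for record 0
PAYLOAD_FIELDS = ("seq", "ts", "source", "measurements", "prev")
DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: shared secret


def _canonical(payload: Dict[str, Any]) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[Dict[str, Any]], key: bytes, ts: int,
                  source: str, measurements: Dict[str, Any]) -> Dict[str, Any]:
    """Append a record whose hash covers the previous record's hash (chain)
    and whose MAC binds that hash to the signing key."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = {"seq": len(log), "ts": ts, "source": source,
               "measurements": measurements, "prev": prev}
    digest = hashlib.sha256(_canonical(payload)).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    record = dict(payload, hash=digest, mac=mac)
    log.append(record)
    return record


def verify_log(log: List[Dict[str, Any]], key: bytes) -> Optional[int]:
    """Return the index of the first record that fails, or None if the
    whole chain verifies. Checks sequence, chain link, monotonic time,
    content hash and MAC, in that order."""
    prev = GENESIS
    last_ts: Optional[int] = None
    for i, rec in enumerate(log):
        payload = {k: rec.get(k) for k in PAYLOAD_FIELDS}
        if payload["seq"] != i or payload["prev"] != prev:
            return i                                  # reordered or unlinked
        if last_ts is not None and payload["ts"] <= last_ts:
            return i                                  # replayed / backdated
        digest = hashlib.sha256(_canonical(payload)).hexdigest()
        if digest != rec.get("hash"):
            return i                                  # content edited
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("mac"))):
            return i                                  # not produced with the key
        prev, last_ts = digest, payload["ts"]
    return None


def build_demo_log() -> List[Dict[str, Any]]:
    """Three constructed substation readings with increasing timestamps."""
    log: List[Dict[str, Any]] = []
    for n, ts in enumerate((1000, 1001, 1002)):
        append_record(log, DEMO_KEY, ts, "PMU-07",
                      {"bus": "B12", "voltage_kv": 230.4 + 0.1 * n, "frequency_hz": 50.01})
    return log


def tamper_and_rechain(log: List[Dict[str, Any]], index: int,
                       new_voltage: float) -> List[Dict[str, Any]]:
    """Model an editor WITHOUT the key: change one value and recompute the
    hash chain downstream so the chain alone looks consistent, but leave
    the MACs untouched because they cannot be recomputed without the key."""
    copy = [dict(r, measurements=dict(r["measurements"])) for r in log]
    copy[index]["measurements"]["voltage_kv"] = new_voltage
    prev = copy[index - 1]["hash"] if index > 0 else GENESIS
    for rec in copy[index:]:
        rec["prev"] = prev
        rec["hash"] = hashlib.sha256(
            _canonical({k: rec[k] for k in PAYLOAD_FIELDS})).hexdigest()
        prev = rec["hash"]
    return copy


def log_with_replay() -> List[Dict[str, Any]]:
    """A valid log followed by a genuinely signed but backdated record."""
    log = build_demo_log()
    append_record(log, DEMO_KEY, 1001, "PMU-07", {"bus": "B12", "voltage_kv": 230.4})
    return log


if __name__ == "__main__":
    good = build_demo_log()
    print("clean log:", verify_log(good, DEMO_KEY))
    print("edited + rechained:", verify_log(tamper_and_rechain(good, 1, 199.0), DEMO_KEY))
    print("backdated record:", verify_log(log_with_replay(), DEMO_KEY))
```

Two caveats follow from the code rather than from the page. First, a hash chain on its own only proves internal consistency; the HMAC (or a digital signature, where the verifier must not hold the secret) is what stops someone who can rewrite the whole tail from rechaining it, which is why the rechained tamper is still caught. Second, deleting the newest records leaves a chain that verifies, so a log that must prove completeness for settlements needs its latest hash anchored somewhere the log writer cannot alter, for example by publishing it to a separate system at fixed intervals.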

Interdependencies intensify hybrid exposure. Electricity is both a supplier to and a consumer of other critical infrastructures. Gas compression, water treatment, telecommunications backhaul, data centers, rail signaling, and healthcare all rely on uninterrupted power. Modern grid operations depend on communications networks, satellite timing, and in some regions gas-fired generation for balancing. Adversaries may try to sequence effects across sectors to amplify chaos.

Modernization is essential, but it is also a risk vector. Replacing legacy protection and control with digitally native systems promises rich telemetry, remote maintenance, and flexible automation, but it also introduces complexity and software supply chain exposure.


The "all-hazards approach" in Electricity Cybersecurity, from the US Presidential Policy Directive (PPD) to the NIS 2 Directive of the European Union

In the USA, the Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience (February 12, 2013) asks for an all-hazards approach. According to the PPD, the Federal Government must work with critical infrastructure owners and operators to take proactive steps to manage risk and strengthen the security and resilience of the US critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.

According to the PPD, the term "all-hazards" means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.

In the USA, the Sector Spotlight: Cyber-Physical Security Considerations for the Electricity Sub-Sector is a Cybersecurity and Infrastructure Security Agency (CISA) and Department of Energy (DOE) co-branded product that highlights, for the broader critical infrastructure community, key cyber-physical attack vectors facing the electricity sub-sector, best practices for mitigating risk, and recommendations for maintaining resilience.

According to CISA and the DOE, cybersecurity is an evolving security challenge for the electricity sub-sector. Cyberattacks pose a persistent threat to the electricity sub-sector and can cause severe physical and economic harm. Hackers can disrupt operations through ransomware attacks or by exploiting virtual private networks and gaining access to control systems responsible for critical operational components, such as tap changers on transformers. Malicious actors may use cyber activity to bypass physical security measures.

A single compromised manufacturer or poorly secured component for Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), or software management systems, when broadly distributed across the electricity subsector, could compromise utility systems. Attacks on the subsector’s supply chain for critical component manufacturers could delay the acquisition of key operational components.

Electricity sub-sector operators are increasingly integrating Industrial Internet of Things (IIoT) devices with ICS to help monitor, regulate, and manage operating environments. These connected devices pose many of the same risks to enterprise security as traditional ICS. Inherent risks of IIoT devices include vulnerabilities in design, manufacturing, implementation, configuration, and disposal. For example, an IIoT device using outdated or unpatched software or firmware could be at greater risk of compromise and used to infiltrate enterprise networks, systems, and data stored in the cloud.

According to CISA, the energy infrastructure is divided into three interrelated segments: electricity, oil, and natural gas. The U.S. electricity segment contains more than 6,413 power plants (this includes 3,273 traditional electric utilities and 1,738 nonutility power producers) with approximately 1,075 gigawatts of installed generation.

Approximately 48 percent of electricity is produced by combusting coal (primarily transported by rail), 20 percent in nuclear power plants, and 22 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (6 percent), oil (1 percent), and renewable sources (solar, wind, and geothermal) (3 percent). The heavy reliance on pipelines to distribute products across the US highlights the interdependencies between the Energy and Transportation Systems Sector.

The reliance of virtually all industries on electric power and fuels means that all sectors have dependence on the Energy Sector.


In the European Union, the European Union Agency for the Cooperation of Energy Regulators (ACER) was established in March 2011 by the Third Energy Package legislation. ACER is one of the EU decentralised agencies. Distinct from the EU institutions, agencies are set up as separate legal entities to perform specific technical and scientific tasks that help EU institutions and Member States to implement policies and take decisions.

Since the Directive on common rules for the internal market in electricity (1996), which marked the beginning of the market integration process at the European level, significant progress has been made towards establishing an efficient Internal Electricity Market. The successive legislative packages, and more recently the 'Clean Energy Package' contributed to further strengthening the foundations of the Internal Electricity Market.

According to ACER, cyber incidents and attacks can disrupt energy-related essential services, e.g. by causing electricity blackouts or damaging existing infrastructure. A reliable energy system is the backbone of the economy. Energy supply powers industry and is essential to our daily lives (home, work, movement and entertainment).

The harmful effects of cyber incidents and attacks can be widespread on individuals, organisations and communities. A cyberattack or a cyber incident in one country can affect the EU's digitalised energy system in more than a single geographical area, also causing cascade effects.

Cybersecurity is so critical in energy that Europe's legislators have adopted a sector-specific approach to reinforce cybersecurity in electricity, which applies in addition to the general cyber laws.


The NIS 2 Directive of the European Union entered into force on the 16th of January 2023.

In Article 1 (subject matter of the NIS 2 Directive), we learn that NIS 2 lays down cybersecurity risk management measures and reporting obligations for entities of a type referred to in Annex I or II.

In Annex I (Sectors of High Criticality), we find that the following entities are in the scope of the NIS 2 Directive:

- "Electricity undertakings, which carry out the function of ‘supply’",

- "Distribution system operators",

- "Transmission system operators",

- "Producers",

- "Nominated electricity market operators",

- "Market participants providing aggregation, demand response or energy storage services", and

- "Operators of a recharging point that are responsible for the management and operation of a recharging point, which provides a recharging service to end users, including in the name and on behalf of a mobility service provider."

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


11 March 2024 - European Commission, Delegated Regulation (EU) 2024/1366 establishing a network code on sector-specific rules for cybersecurity aspects of cross-border electricity flows.

Note: In the EU, the European Network of Transmission System Operators for Electricity (the ‘ENTSO for Electricity’), the European Entity for Distribution System Operators (the ‘EU DSO entity’), and the regional coordination centres must comply with their obligations under the regulatory framework of the internal market for electricity.

Regulation (EU) 2024/1366 establishes a network code which lays down sector-specific rules for cybersecurity aspects of cross-border electricity flows, including rules on common minimum requirements, planning, monitoring, reporting and crisis management.

According to Article 4, by 13 December 2024, each EU Member State must designate a national governmental or regulatory authority responsible for carrying out the tasks assigned to it in this Regulation (‘competent authority’).

According to Article 16, the ENTSO for Electricity and the EU DSO entity shall cooperate in performing cybersecurity risk assessments, in particular on the following tasks:

(a) development of the cybersecurity risk assessment methodologies;

(b) development of the Comprehensive Cross-border electricity cybersecurity risk assessment report;

(c) development of the common electricity cybersecurity framework;

(d) development of the cybersecurity procurement recommendation;

(e) development of the cyber-attacks classification scale methodology;

(f) development of the provisional electricity cybersecurity impact index ('ECII');

(g) development of the consolidated provisional list of high-impact and critical-impact entities;

(h) development of the provisional list of Union-wide high-impact and critical-impact processes;

(i) development of the provisional list of European and international standards and controls;

(j) performance of the Union-wide cybersecurity risk assessment;

(k) performance of the regional cybersecurity risk assessments;

(l) definition of the regional cybersecurity risk mitigation plans;

(m) development of guidance on European cybersecurity certification schemes for ICT products, ICT services, and ICT processes;

(n) development of guidelines for the implementation of this Regulation in consultation with ACER and ENISA.



Learn more about hybrid risk in the following Cyber Risk GmbH websites:

1. https://www.hybrid-risk.com

2. https://www.hybrid-risk-management.com

3. https://www.hybrid-stress-testing.com

4. https://www.defensive-hybrid-intelligence.com

5. https://www.cogint.org

6. https://www.legint.org

7. https://www.algint.ch

8. https://www.scint.ch


George Lekatis

This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.

Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.

Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well-known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.
