Digitalisation and cyber security are high on energy regulators’ agenda. In CEER, we have dedicated our 2018 annual customer conference to discuss, with consumer bodies, the opportunities and risks of digitalisation for consumers.
The recent wave of digitalisation in the energy sector creates additional risks, including cyber risks. CEER has published a Cybersecurity report on the state of cybersecurity in Europe’s electricity and gas sectors, and the evolving EU legislative environment (see the Feature article below). This report is a part of CEER’s strategy to prepare for and respond to the increasing digitalisation of energy markets, with further work on digitalisation and cyber planned for 2019.
Meanwhile, watch out for two upcoming CEER reports: one on subsidies for renewables, and the other on CEER’s retail market monitoring.
Feature: CEER’s report on cyber security in Europe’s electricity and gas sectors
CEER has published a report on cyber security in Europe’s electricity and gas sectors.
Why is cyber security such an important topic for energy regulators?
Cybersecurity incidents can disrupt the proper functioning of the energy system, and in a worst-case scenario, create massive adverse events (black-outs, lack of gas in pipelines, disruption of heating systems) in widespread areas. Cyber threats have become a reality in energy. In December 2015, 230,000 customers in Ukraine lost power in a cyberattack (started by malicious software) on the electricity grid infrastructure. This attack provoked an already growing wave of concern among energy operators, governments and European energy regulators.
What’s in the cybersecurity report?
CEER’s cybersecurity report describes the state of cybersecurity in the energy sector, with a particular focus on the need for trust, the use of Cloud computing, Big Data analytics and the European legislative environment. The latter includes the NIS Directive, GDPR and the Clean Energy for All Europeans Package.
The report outlines recommendations concerning those regulatory and organisational aspects which may help in improving the effectiveness of cybersecurity. Some key recommendations include:
• Even companies not listed as Operators of Essential Services (OES) should strive to follow similarly high standards;
• Energy National Regulatory Authorities (NRAs) should engage with energy stakeholders on implementing European-level legislation and best practices;
• Energy NRAs will need to develop capacity to evaluate cybersecurity expenditure in regulated entities; and
• Energy companies should have a cybersecurity strategy and they should set clear and effective cybersecurity measures prior to embracing new technologies such as Cloud computing.
What else does CEER do on cybersecurity?
For several years, Europe’s energy NRAs have worked on cyber issues in a joint CEER-ACER cyber task force. CEER provides training for regulators to be fully informed and prepared on cyber issues. We contribute expertise to the European Commission’s expert groups on developing European cyber strategies and legislation (see for example CEER comments on the Cybersecurity Act in the Energy Context, December 2017).
European energy regulators frequently meet with fellow regulators in the US to share expertise and experience on issues such as standards, strategy and prudency of investment. The latter is important given that utility spending to address cyber vulnerabilities can impact consumers’ energy bills. Energy regulators want to ensure that money spent on cybersecurity by energy operators in the EU, particularly regulated monopolies, follows a prudent and structured approach, maximising the effect of the investment toward achieving the final goal of a cyber-secure energy market whilst impacting customers’ tariffs to the smallest extent possible.
Cybersecurity is one area where increased cross-authority collaboration is needed. These efforts are underway via CEER's PEER initiative. CEER is planning an event on digitalisation and cyber security in March 2019 which will bring together international cyber experts (beyond the field of energy) to deepen our collective understanding and better protect citizens in fast-moving markets that are exposed to cyber risks.