The energy sector in the EU is increasingly preparing for cyber attacks. This is not least due to a new directive that obliges companies to take stricter cyber security measures, according to experts at Pinsent Masons.
According to a recent report by the German Federal Office for Information Security (BSI), the threat level in cyberspace is higher than ever. The energy sector is considered particularly vulnerable: some energy systems have to react so quickly that standard security measures cannot be introduced because of the latency they add. In addition, much of the infrastructure was built long before cyber threats were a consideration and now needs to be upgraded accordingly. Energy networks in Europe, and far beyond, are also so heavily interconnected that the failure of a single operation can trigger outages across the EU, which makes the energy sector both particularly vulnerable and particularly attractive to cyber attacks.
According to EU Commissioner Thierry Breton, more than 200 reported cyber incidents targeted the energy sector in 2023 alone, and more than half of these were specifically against installations in the EU.
An exercise was therefore carried out last week to prepare the European energy sector for cyber attacks and test its resilience. The exercise assessed coordination and cooperation between the participants as well as their crisis management capabilities. An analysis report will be published following the exercise.
"Cyber security is particularly important for various regulated industries," Florian Elsinghorst, regulated industries expert at Pinsent Masons, said. "While it is obvious that cyber security plays an important role for the financial and insurance sectors, for example, the relevance for the energy sector is most tangible - everyone has heard and read about the horror scenarios surrounding blackouts. The committed and systematic approach at EU level is to be welcomed."
The Europe-wide exercise involved 30 national cyber security authorities, a number of EU agencies, organisations and networks, and the EU Commission, with over 1,000 experts taking part.
Daniel Widmann, cyber security expert at Pinsent Masons, commented: "The exercise must also be seen against the backdrop of the EU's NIS 2 Directive, which must be transposed into the national law of the member states by autumn this year."
According to BSI, there are currently 295 companies in the energy sector that are considered critical infrastructure. These 295 companies are already subject to mandatory IT security laws. The Directive on measures for a high common level of cyber security (NIS 2 Directive) will soon add further cyber security standards that most energy suppliers and grid operators in Germany will then have to comply with.
"The NIS 2 Directive, which will apply from October 2024, will be applicable to all businesses with more than 50 employees or an annual turnover of more than ten million euros. This will probably apply to most of the around 28,000 energy suppliers in Germany," Widmann said.
The companies covered by the NIS 2 Directive are obliged to take technical, operational and organisational measures to ensure the security of their network and IT systems, even in the event of a cyber attack. The directive also specifies concrete measures: for example, a risk concept must be drawn up, measures must be defined for responding to an attack, and measures must be taken to secure supply chains and business continuity. "Significant security incidents" must also be reported to the authorities within 24 hours.
"According to the NIS 2 Directive, a significant security incident is deemed to have occurred if a security incident can cause financial losses for the organisation in question. According to this definition, every security incident is likely to be reportable under NIS 2, as cyber-attacks can usually be associated with high financial losses for the affected companies," Widmann said.
Under the NIS 2 Directive, managing directors should approve the risk management measures taken by the companies concerned and monitor their implementation. In the event of violations, the management may be held liable.
Breaches of the provisions of the NIS 2 Directive can result in fines of up to ten million euros or two percent of global turnover from the previous financial year.