
Tech talk | The EU’s new cybersecurity network code unpacked


The EU’s new network code on cybersecurity for the electricity sector is aimed at improving the cyber resilience of this critical energy infrastructure and services.

The large-scale digitalisation of the energy system, key for the delivery of a fit-for-purpose grid for net zero, is bringing with it new demands for cybersecurity, which must cover the whole value chain, from production and transmission to distribution and the consumer, including all the digital interfaces along this path.

As the number of connected resources grows – and it is growing rapidly with the fast-increasing uptake of distributed energy resources – so too do the number of interfaces and the number of involved parties, and with them the challenges of achieving a cyber secure system.

The EU’s new network code on cybersecurity, one of the 25 key deliverables of the energy system digitalisation action plan, is focussed primarily on the cross-border electricity flows that form a central component of the single market and was widely consulted in development.


In its 60+ pages, it covers a breadth of topics, prefaced with a ‘General’ section covering such issues as the need for national competent authorities to carry out the tasks assigned in the regulation, cooperation between parties at national level, the important cooperation between ENTSO.E and the DSO Entity, which is at the heart of its implementation, and cooperation with ACER.

A key foundation for the network code is the establishment of a recurrent – every three years – process of cybersecurity risk assessments in the electricity sector at national and regional levels. These are aimed at systematically identifying the entities that perform digitalised processes with a critical or high impact on cross-border electricity flows, the cybersecurity risks those entities face, and the mitigating measures that are needed.

For that, the network code establishes a governance model that is aligned with existing mechanisms in EU legislation, such as the revised Network and Information Security Directive, with ENTSO.E and the DSO Entity required to propose the risk assessment methodologies.

‘High impact’ and ‘critical impact’

This notion of ‘high impact’ and ‘critical impact’ is fundamental and depends on the degree of impact that possible cyber attacks would have on an entity’s processes or operations, with the entities in scope primarily those that have a direct impact on cross-border flows of electricity in the EU.

A second key component is the establishment of a common electricity cybersecurity framework with minimum and advanced controls respectively for ‘high impact’ and ‘critical impact’ entities.

Cybersecurity procurement and the broader supply chain are another key area, as recent cyber attacks show that entities are increasingly becoming the target of supply chain attacks.

The TSOs are required to develop non-binding procurement recommendations for ICT products, services and processes – again differentiated according to whether the entity is deemed of high or critical impact.

Information flows and crisis management in the wake of a cyber attack are also crucial, and the network code establishes rules around reporting and information sharing.

Finally, the regulation sets out rules for critical impact entities – and, on their request, also critical service providers – to undertake a cybersecurity exercise every three years. The exercise includes one or more scenarios with cyber attacks affecting cross-border electricity flows directly or indirectly and related to the risks identified during the cybersecurity risk assessments.

The template for this is to be developed by ENTSO.E and the DSO Entity, with the involvement of ACER and ENISA.

Under the EU rules of procedure, the delegated act is subject to scrutiny by the EU co-legislators, i.e. the European Parliament and Council, each for 2 months with a possible 2-month extension.

Jonathan Spencer Jones

Specialist writer
Smart Energy International

Follow me on LinkedIn