Specific Challenge:
The Electrical Power and Energy System (EPES) is of key importance to the economy, as all other domains rely on the availability of electricity, hence a power outage can have direct impact on the availability of other services (e.g. transport, finance, communication, water supply) where backup power is not available or the power restoration time goes beyond the backup autonomy.
With the transition to a decentralised energy system, digital technologies are playing an increasingly important role in the EPES: they contribute reducing the energy consumption; they enable the integration of higher shares of renewables and promote a more energy efficient system. At the same time, with the growing use of digital devices and advanced communications and interconnected systems, the EPES is increasingly exposed to external threats, such as worms, viruses, hackers and data privacy breaches.
Without appropriate cyber-defence measures, systems access could be violated (e.g. with the malware spreading over the system) and may cause power outages, damages and cascading effects to interconnected systems, and energy services. Therefore, with increased digitalisation, the EPES will face an increasing range of threats requiring an attentive evaluation of the cyber security risk that allows taking proper countermeasures. For example, the growing use of interconnected smart devices in the EPES will increase the number of access points (e.g. smart meters, IoT), hence increasing the exposure to cyberattacks. In addition, even if security improvements may have been made since, legacy systems such as SCADA/ICS (Supervisory Control and Data Acquisition System/Industrial Control Systems) do not have cybersecurity measures embedded because designed in times when cybersecurity was not part of the technical specifications of the system design.
Furthermore, a control system in the EPES that is under attack might not be easily disconnected from the network as this could potentially result in safety issues, brownouts or even blackouts. On the other hand, with the decentralisation leading to a distributed energy system, microgrid operations and/or islanding could be further exploited against cyber-attacks and cascading effects in the EPES.
In order to pursue the integration of renewables and to ensure the benefits of a modern digitalised electricity grid, there is the need to detect and prevent threats with severe impacts and to shield the electric system against cyber-attacks. Without an adequate strategy and measures to protect the energy system from cyber-attacks, the energy transition would be more risky, more costly and possibly in danger.
The European Commission adopted in April 2019 a sector-specific guidance[1] that identifies the main actions required to preserve cybersecurity and be prepared to possible cyberattacks in the energy sector, taking into account the characteristics of the sector such as the real-time requirements, the risk of cascading effects and the combination of legacy systems with new technologies. In March and April 2019 respectively, the European Parliament and the Council have adopted the proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act''))[2].
