Following one year of research and analysis, the final cybersecurity study on the energy sector in the Energy Community was presented at the cybersecurity workshop on 10 December in the Secretariat’s premises in Vienna. The main problem identified is the generally weak or missing focus on the energy sector in national cybersecurity strategies and implemented legislation. This is of particular concern as the energy sector requires specific communication and operation technologies, critical timescales and sensitivity to cascading effects.
The study found that all Contracting Parties address cybersecurity in their national policies, have mechanisms for enforcement of cybercrime and have adopted ISO 27000 Series of technical standards, either fully or partially. However, their application by energy companies is voluntary and incidental. The designation of critical infrastructure in the energy sector is in early stages.
The study also provides a comprehensive risk assessment applied to the Energy Community as a whole, indicating the specific exposure to various cyber threats for each type of critical infrastructure. Transmission system operators (for both electricity and natural gas) are subject to outstanding levels of risk for most types of threats.
The study provides recommendations on the follow-up including specific measures to be applied on national level, as well as common measures for the Energy Community. It advises on the required regional mechanisms for exchange of data and mutual support, platform for training and education, and directions in cooperation with ENISA, ENTSO-E, ENTSOG and other EU cybersecurity-specific associations. Most regional measures are going to be included in the work programme of the Energy Community Cybersecurity Coordination Group (CyberCG) for the period 2020 – 2021.