1 Introduction

The EU Green Deal targets reducing greenhouse gas emissions by 55% and boosting the share of energy from renewable sources to 45% (European Commission, 2019). The 2022 REPowerEU plan outlines strategies for conserving energy, diversifying supply, and expanding renewable energy utilisation (European Commission, 2022). Together, these initiatives aim to ensure that all EU citizens can access reliable, affordable, and environmentally sustainable energy (European Commission, 2024).

Digitalisation has already contributed much to energy systems, including advanced energy management and distribution through smart grids, i.e., networked power grid control equipment that relies on Information and Communication Technology (ICT) (Eder-Neuhauser et al., 2017). Smart grids support the integration of renewable energy sources and dynamically balance supply and demand, enhancing grid stability and efficiency. Data analytics and Artificial Intelligence (AI) advances add to energy supply management, addressing variability and storage, optimising energy use, forecasting demand, and implementing preventive maintenance (European Commission, 2023).

Yet, energy sector digitalisation also introduces considerable security challenges. Digitalised energy systems are more vulnerable to cyberthreats since the increasing integration of ICT, smart meters, data collectors, and other connected devices expands the potential entry points for cyber attackers, enabling service disruption or data theft (ECSO, 2018).

The Internet of Things (IoT) is a network of physical devices embedded with sensors, software, and other technologies connecting and exchanging data with other devices and systems over the Internet, whose inclusion in power networks exposes smart grid devices to wired and wireless cyberattacks (Ghiasi et al., 2023).

Additionally, energy systems have traditionally been split into physical infrastructure used in energy generation and transmission (known as Operational Technology, or OT), and Information Technology (IT) used in the administration domain. However, the energy sector’s reliance on smart OT systems has expanded exponentially, removing the separation between physical and digital infrastructure. This shift has implications for security since attacks like ransomware start in IT environments but can potentially spread to OT networks.

Therefore, cybersecurity is at the forefront of the EU’s efforts to maintain and develop digitally secure and resilient energy systems. Adopting an interdisciplinary approach to address this complex challenge, which has different technical, legal, ethical, and social dimensions, is essential. The interdisciplinary method combines Science, Technology, Engineering and Mathematics (STEM) fields, which design and implement secure technical systems, with insights from Social Sciences and Humanities (SSH) fields, ensuring that these technologies are socially responsible and legally compliant.

Specifically, this collaboration involves Electrical and Electronics Engineering, Telecommunications Systems and Networks, Public Policy, and Security Studies. The first two provide the technical backbone, delivering advanced solutions for secure infrastructure and reliable data communication. Public Policy insights ensure our recommendations comply with current and future regulations, while Security Studies assess the societal and ethical implications of these technologies, so that the policies mitigate threats, enhance public trust, and reflect EU values.

This chapter presents a recommendation to protect the EU’s digital energy infrastructure against an increasingly complex cyberthreat landscape. It highlights the necessity of robust cybersecurity strategies, mandated training programmes, and the ethical integration of cutting-edge technologies across Member States. These measures support the European Green Deal’s objectives to decarbonise energy systems and enhance energy efficiency at cost-effective rates.

The methodology that informed the development of the policy recommendation included an in-depth analysis of a wide range of EU policy documents, academic sources, and EU organisational reports, alongside guidelines from well-known security vendors. It draws a comprehensive picture of the current situation from legal, practical, and technical perspectives on the path to a securely digitalised, cybersafe EU energy sector.

The chapter is structured as follows. Section 9.2 discusses common cyberthreats and challenges in the digital energy sector. It analyses the existing EU cybersecurity policy and regulatory framework and explains how to implement comprehensive cybersecurity countermeasures. Section 9.3 concludes and sets out our policy recommendation for EU Member States.

2 Cybersecurity in the Digital Energy Sector: Challenges, Current Policies, and Recommended Actions

2.1 Common Cyberthreats and Challenges in the Digital Energy Sector

Recent years have seen a significant increase in cyberattacks on the critical infrastructure of the energy sector (ECSO, 2018; EnergiCERT, 2022), with the attack intensity and frequency hitting a peak in 2022 (Casanovas & Nghiem, 2023). The energy sector’s vulnerability is notably concerning, as it experiences 39% of all cyberattacks (Security, 2024). Understanding the origins of these attacks is vital to defeating them. External and internal sources pose considerable risks to the ability of energy systems to function reliably and securely.

External threats include complex cyberattacks conducted by various threat actors, namely individuals or groups carrying out malicious activities by exploiting hardware or software system weaknesses to damage their targets (ENISA, 2023). Some state-sponsored groups engage in cyber espionage and sabotage, threatening national energy security, whereas organised cybercriminals execute coordinated attacks to disrupt energy systems or secure financial gain by using ransomware to hold critical infrastructure hostage, demanding payment for its release (EnergiCERT, 2022).

Advanced Persistent Threats (APTs) represent a substantial cyber risk to the EU digital energy sector. These are prolonged, stealthy cyber campaigns conducted by highly skilled actors aiming to steal sensitive data or spy on organisations over extended periods (Chen et al., 2014; ENISA, 2023). APTs targeting the energy sector could infiltrate energy trading platforms to manipulate market prices or gain unauthorised access to proprietary technology in renewable energy systems.

While most cyberthreats originate from external sources, internal factors are also part of the threat landscape. Insiders, including employees, contractors, and interns—with varying levels of trust and privilege—open the door for threat actors in approximately one-third of incidents (Security, 2024), whether through deliberate attacks or accidental errors. Such errors include misconfigured security settings, mishandling sensitive information, or failing to update vital software.

Susceptibility to phishing attacks represents another primary vector for internal threats. Phishing involves persuading potential victims to divulge sensitive information through deceptive means, often appearing as communications from legitimate sources—e.g. emails, messages, or websites that impersonate trusted entities—and employing scare tactics or urgent requests to provoke a response, thereby exploiting the trust and access granted to insiders (ENISA, 2023).

Smart grids and Supervisory Control and Data Acquisition (SCADA) systems are typical targets for internal and external cyberattacks, due to their interconnectedness and essential role in modern energy systems. SCADA is a key technological backbone of the energy sector, enabling the monitoring and control of processes so that power generation and distribution can be managed efficiently.

Smart grids are vulnerable to various cyberthreats, such as disruption attacks, primarily through Distributed Denial-of-Service (DDoS), which temporarily disrupt critical services and impact grid operations. Additionally, destructive attacks can cause physical damage to infrastructure, necessitating extensive repairs (Eder-Neuhauser et al., 2017). Another attack targeting smart grids is theft, either of service, in this case energy services (McLaughlin et al., 2010), or of data, such as sensitive information (Eder-Neuhauser et al., 2017).

SCADA systems’ ability to monitor and control grid operations makes them particularly susceptible to cyberthreats, including destructive cyberattacks by APTs. In some incidents, APTs reprogramme Programmable Logic Controllers (PLCs) to alter the functionality of fundamental equipment, misleading operators with false ‘normal’ operating conditions. Such tactics pose risks of operational disruption and highlight the severe potential for lasting damage to the physical components of the energy sector’s infrastructure (Demertzis & Iliadis, 2018).

EU energy sector challenges extend beyond the previously mentioned cyberattacks to broader concerns, encompassing the sector’s struggle to ensure cross-border grid stability, adapt to evolving cyberthreats, and integrate cutting-edge technologies (EECSP, 2017). Key issues include standardising cybersecurity measures, protecting key operators, managing supply chain risks, and developing crisis response mechanisms across EU Member States (SGTF EG2, 2019).

Another threat to energy systems is advanced malware fuelled by AI, as it may be highly targeted, activating only under certain conditions, making it harder to detect and more harmful. Thus, traditional cybersecurity approaches need updating to combat this threat. Defence efforts to establish the source of certain malware varieties are complicated because they can blend seamlessly with legitimate software (Blauth et al., 2022).

Given the dynamic nature of cyberthreats, with human errors exacerbating the severity of the risk, and the emergence of AI-powered malware, the EU is well aware that its cross-border energy sector must address present challenges and proactively anticipate forthcoming threats. Strengthening EU defences via standardisation, training, and innovation is not just a suggestion but an absolute necessity to protect the future of EU energy.

2.2 Analysis of Existing EU Cybersecurity Policy and Legislation in the Digital Energy Sector

The EU has responded with detailed legislation in the face of the growing cybersecurity threat to crucial energy infrastructure. The Network and Information Security (NIS) Directive (European Union, 2016) was the first piece of EU-wide legislation to attain a uniformly high level of cybersecurity across the Member States.

The NIS2 Directive (European Union, 2022), following NIS, focused on providing the EU energy sector with solid foundations for long-term cybersecurity measures. It elaborated on the importance and effectiveness of detailed and immediate information sharing about incidents. The newly adopted EU Network Code (European Commission, Directorate-General for Energy, 2024) for the electricity sector aims to address energy cybersecurity across the board, on the level of the Union, Member States, regions, and entities.

To secure the digital energy sector, these are highly ambitious initiatives (Table 9.1) for well-integrated and resilient energy production, distribution, management, and maintenance across the EU. However, there are challenges on the path to their realisation. The key limitation is the complicated nature of the EU constitution and institutional structure because Member States and their various regions and entities have varying degrees of competencies, financial means, and instruments.

Traditional cybersecurity measures cannot keep up with the cyberthreat landscape, especially given AI advancements, which evolve much faster than policy and training efforts at the national level. This creates a security gap, especially for developing economies and lower-income sections of the population, necessitating the EU to provide technical and financial support to ensure a union-wide cybersecure energy supply.

While the newly adopted Network Code provides financing, it is too early to confirm if actual delivery can match the ambition. The first reading suggests the provisions might prove too complicated for the sector’s weaker actors to benefit from the available financing.

Despite the comprehensive EU policies, gaps in how modern security approaches are integrated and emphasised still exist. Proposing new guidelines for Member States to adopt these security approaches within their national cybersecurity strategies for the energy sector does not eliminate potential challenges, such as legacy systems, interoperability issues, or the need for sector-specific guidance on how to implement these models.

Table 9.1 Analysis of key EU cybersecurity legislation specifically for the digital energy sector

2.3 Implementing Comprehensive Cybersecurity Countermeasures in the Digital Energy Sector

To enhance the cybersecurity of ICT energy systems, many countermeasures, technological, educational, and administrative, must be implemented at different levels. Regarding technology, cybersecurity relies on many layers of protection, including perimeter defence, network security, endpoint protection, and application security (McNab, 2017).

Cybersecurity in the constantly evolving threat landscape requires an approach responsive to these evolutions. This includes shifting from network segmentation to micro-segmentation (breaking security perimeters down into smaller zones, each requiring its own access permission); adopting zero-trust models over trusted perimeters (multiple security levels, including identity verification, device authentication, application-level security restrictions, and data encryption, so that security does not rest on a single point of defence but requires verification at each layer); shifting focus from threat prevention to response automation (automating the handling of cyberattacks and security incidents); and expanding protection from networks to assets, data, and digital identities (Cisco, 2023; McNab, 2017; Mukherjee, 2020).
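As an added illustration (not code from the chapter or any cited source), the toy policy evaluator below contrasts a trusted-perimeter decision with a zero-trust, micro-segmented one: the zone names, users, roles and device inventory are constructed, and each request is checked for identity, device attestation and application-level permission at the target zone rather than only at the network edge.

```python
"""Toy zero-trust vs. trusted-perimeter access decisions (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str        # identity presented by the caller
    device_id: str   # device the request originates from
    action: str      # application-level operation, e.g. "read" / "write"
    src_zone: str    # micro-segment the request comes from
    dst_zone: str    # micro-segment that owns the asset

@dataclass(frozen=True)
class Zone:
    name: str
    require_attested_device: bool   # device authentication layer
    actions_by_role: dict           # role -> allowed application actions

# Constructed inventories standing in for an IdP, a device-attestation
# service and per-zone policy; a real deployment would query these live.
ROLES = {"alice": "operator", "bob": "analyst"}
ATTESTED_DEVICES = {"ews-ot-01"}
ZONES = {
    "it-office":    Zone("it-office", False, {"operator": {"read"}, "analyst": {"read"}}),
    "ot-historian": Zone("ot-historian", True, {"operator": {"read", "write"}, "analyst": {"read"}}),
    "ot-control":   Zone("ot-control", True, {"operator": {"read", "write"}}),
}

def perimeter_only(req: Request) -> bool:
    """Trusted-perimeter model: anything already inside the network is trusted."""
    return req.src_zone != "internet"

def zero_trust(req: Request) -> tuple[bool, str]:
    """Verify identity, device and application action at the target zone itself."""
    zone = ZONES.get(req.dst_zone)
    if zone is None:
        return False, "unknown zone"
    role = ROLES.get(req.user)
    if role is None:
        return False, "unknown identity"
    if zone.require_attested_device and req.device_id not in ATTESTED_DEVICES:
        return False, "device not attested"
    if req.action not in zone.actions_by_role.get(role, set()):
        return False, f"action '{req.action}' not permitted for role '{role}'"
    return True, "allowed"

def compare(req: Request) -> dict:
    """Return both models' verdicts so the gap between them is visible."""
    zt_ok, why = zero_trust(req)
    return {"perimeter": perimeter_only(req), "zero_trust": zt_ok, "reason": why}

if __name__ == "__main__":
    # An analyst already inside the IT network tries to write to the OT control zone:
    # the perimeter model waves it through, the zero-trust model does not.
    print(compare(Request("bob", "laptop-42", "write", "it-office", "ot-control")))
    print(compare(Request("alice", "ews-ot-01", "write", "ot-historian", "ot-control")))
```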

Security in all its forms starts with the human factor, and cybersecurity is no different. The human factor is the one element that could immensely lower the incidence rates and the response time to incidental/accidental cybersecurity breaches. Educating the staff working in and with digitalised energy systems is crucial for overall cybersecurity.

The European Commission has underscored the gap in trained personnel and the inadequacy of current educational curricula to defeat the industry’s cyberthreats. The EU Member States have not implemented a comprehensive action plan to mandate staff training to a unified standard, nor created a collective EU-wide educational programme for employees in the energy sector.

Cyberspace is an ever-evolving threat environment, and a minimum level of knowledge is necessary to maintain a safe environment. Thus, training courses following the regular assessment of employee knowledge of the current threat landscape, and different training programmes for staff from specific departments whose security levels and needs may diverge from each other, are beneficial in addressing human vulnerabilities, mitigating accidental insider threats, and reducing cyber breaches. A cybersecure workplace also requires a company culture, whereby cybersecurity policies are communicated to all staff, and consolidated by regular awareness campaigns, so that cybersecurity becomes part of the company’s day-to-day operations at all levels.

The use of AI in energy systems is a subject of ongoing debate (Sovrano & Masetti, 2022) that has been addressed in the EU AI Act (European Parliament, 2024). However, AI-powered cybersecurity systems can provide proactive threat intelligence by constantly discovering new cyberthreats and responding accordingly. The energy sector may use predictive and data-driven approaches to defend against existing cyberthreats and prepare for future difficulties, which necessitates coordination among industry experts, cybersecurity professionals, and legislators to ensure successful, realistic solutions that meet the specific needs of the energy sector. AI examines enormous data volumes to detect potential risks and vulnerabilities before they are exploited. Because this involves processing large amounts of data, the use of AI should comply with data protection laws. Energy companies must prioritise data protection and foster a security-focused mindset within their organisations.

3 Achieving Our Recommendation

To sustain the energy supply, EU policies and strategies must respond swiftly to the evolving threat landscape. By combining technical and social science expertise, we believe a more holistic understanding of the challenges would bring novel and practical solutions. This interdisciplinary approach informed our policy recommendation, as outlined in our title: to protect the EU’s digital energy infrastructure against cyberthreats through advanced technologies, human vulnerability mitigation, and ethical practices. Our recommendation, and the actions to support its achievement, are applicable across the EU and complement current energy policies.

Enhance and Strengthen Defensive Techniques by Establishing a Comprehensive, Multi-Layered Security Approach to Protect Digital Energy Systems. Cyberthreats are shifting rapidly in scope and structure, and the ICT components in use by the energy sector must, therefore, be able to adapt as swiftly. The strategy to ensure robust cybersecurity must include a layered defence structure that can coordinate to withstand attacks. The layered response should involve an EU-wide stance beyond cross-border information and best practices sharing between Member States. Energy operators must also navigate their pivotal role in protecting infrastructure and collaborate effectively with various suppliers, ensuring clear communication between operators and suppliers across the sector.

Mandate Cybersecurity Training and Professional Development for All Employees. As the human factor is the weakest link in the security chain, all employees must be provided with a set level of compulsory training, followed by professional development, to close the security loop against both external attacks and internal accidents caused by human errors. Therefore, EU-level mandated cybersecurity training plans and programmes for all involvement levels are needed. Energy operators must also enforce these educational and training programmes within their workforce.

Ethically Use Artificial Intelligence (AI) for Predictive Threat Identification to Strengthen and Improve the Energy Sector’s Cybersecurity Posture. Proactive response is the most significant benefit of AI-driven systems, enabled by learning-driven defence adaptations. These benefits must be shared equitably across the energy sector actors, from large to small-scale companies sharing know-how and information. Another aspect of ethical employment of AI is developing sector-based ethical frameworks and policies for fair, transparent, and responsible use of AI.