Cyber security risks for the energy sector
A reliable energy supply is indispensable for everyday life today, since electricity and gas are needed for a variety of purposes and otherwise life would quickly come to a standstill. One example is a hacker attack on a power plant in Ukraine, which led to 700,000 Ukrainian households being deprived of an electricity supply for hours in December 2015.
With regard to the US, Russian hackers could “flip the switch” at any time according to US authorities and everything would turn black. The attackers have been targeting power utilities for years and could cause blackouts if they wanted to with potentially catastrophic consequences. Hackers have been infiltrating energy suppliers for years and the US Department of Homeland Security talks about hundreds of companies that are affected, but many of them remain oblivious to the problem.
In Germany, too, several network operators have become targets of hacker attacks in the past. Thus, the German legislator has paid particular attention to IT security in the energy sector and transferred special competencies to two authorities: the „Federal Office for Information Security“ (BSI) and the Federal Network Agency (BNetzA). This deserves a brief overview of the requirements for IT security for network operators and generation plants in general and in detail on the questions of who is the addressee of the regulations, which requirements arise from a technical point of view and which fines result from a failure to observe the legal requirements.
1. Who is subject to IT security rules in the energy sector?
Undertakings operating gas or electricity networks and operators of energy installations (such as power plants) must maintain adequate and specifically designed safeguards. This should provide adequate protection for installations necessary for the secure operation of the network.
In consultation with the BSI, the BNetzA had to draw up and publish so-called minimum standards for IT security in the energy sector. This was initially completed in August 2015 with an “IT security catalogue for operators of electricity and gas grids”. The operation of a secure energy supply network shall in particular include adequate protection against threats to telecommunications and electronic data processing systems necessary for secure network operation. Core criteria are:
- the secure operation of telecommunications and IT systems for network control;
- the introduction of an information security management system in accordance with DIN ISO/IEC 27001 and the corresponding certification of the company;
- the continuous review and improvement of processes;
- the creation of a network structure plan with all IT components;
- the appointment of an IT security officer who can, among other things, provide the BNetzA with information on the company’s internal IT security measures.
This was followed in December 2018 by the “IT Security Catalogue for Operators of Energy Installations”. The latter regulation applies to all energy installations that have been designated as critical infrastructure according to the BSI Kritis Ordinance and are connected to an energy supply network. The safety requirements contained in the “IT Security Catalogue for Operators of Energy Installations” essentially correspond to those of the safety catalogue for operators of energy supply networks described above. Differences arise, however, since the preparation of a network structure plan is not planned, but stricter standards apply with regard to risk treatment. To prove that the aforementioned requirements of the IT security catalogue have been implemented, the operator of the energy installation must notify the BNetzA of the completion of the certification procedure by 31 March 2021 by submitting a copy of the certificate.
2. Which reporting obligations exist?
Network operators and operators of energy installations are subject to specific reporting obligations according to German law. Thus, these operators are required to report immediately to BSI any:
- disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which have led to a failure or a significant impairment of the operability of the power supply network or the energy installation in question and
- significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes, which may lead to a failure or significant impairment of the operability of the energy supply network or the energy installation concerned.
3. What happens in case of non-compliance with specific IT security rules?
German law takes the view that transparency and a constant information basis and strict observance of the IT security catalogue are crucial to prevent security issues. Therefore, network operators and operators of energy installations face administrative offences if they do not comply (at all, not fully or not on time) with the security requirements. The same applies in case of non-compliant reporting behaviour. These administrative offences can be fined up to 100.000 €.