The ransomware attack on Colonial Pipeline Co. last month ignited concerns about cybersecurity in Europe, where lawmakers are drafting laws that will apply to energy firms and other critical infrastructure.
European Union officials are negotiating details of a draft bill, proposed in December, that will increase cybersecurity requirements on critical companies such as energy and electricity suppliers, as well as technology suppliers such as cloud-computing companies. After approval, which could happen in several months, following negotiations between lawmakers, the bill would replace a 2018 law. That law, the network and information systems, or NIS, directive, introduced cybersecurity rules for critical infrastructure providers.
Regulators are also drafting separate rules specific to the electricity sector this year.
The 2018 law was a “huge leap in the right direction,” but companies and government bodies need to improve how they share information about cyber threats, said Anders Rimstad, chief security officer at A, a Norwegian holding company that operates in the industrial, engineering and energy sectors. Norway applies the law even though it is not part of the EU.
While the EU law created new rules for energy providers, there are differences in how it is applied in the 27 EU countries. National authorities decide which companies count as critical infrastructure in their own countries, with some naming significantly more operators than others. Cyprus designated 10 organizations as critical infrastructure while Finland counts more than 10,000, according to a 2019 report from the European Commission, the EU’s executive arm.
Cybersecurity experts say that is a risk because the continent shares an electricity grid and attacks could spread among countries.
“The possibilities for cross-border effects are higher for the energy sector than in many other sectors,” Øyvind Toftegaard, an expert at ACER, the EU agency of energy regulators, said last week during an event about the coming cybersecurity rules for the electricity sector.
In the U.S., the nonprofit North American Electric Reliability Corp. enforces cybersecurity rules for electric utilities. The Department of Homeland Security last month issued new requirements for energy pipeline companies, including a mandate to report actual or suspected cyberattacks that could affect a range of industrial and technology systems. Pipelines have so far been subject to voluntary guidelines in the U.S.
Cybersecurity rules for the U.S. electricity sector include specific requirements such as for minimum password length for some equipment. Those detailed requirements seem to have raised security standards among American companies to a higher baseline compared with what European regulations have achieved, said Rosa Kariger, chief information security officer at Spanish energy firm
The 2018 EU cybersecurity law required critical infrastructure companies to comply with basic security rules and let each member country define more specific provisions. “There are no clear standard references for companies to follow,” she said.
Blackouts in 2003 and 2006 that spread between a few countries in Europe have shown that disruption in one country can affect other parts of the continent’s energy grid. Several blackouts were caused by bad weather. A cyberattack on a Ukrainian power utility in 2016 caused blackouts in parts of Kyiv for about an hour. There isn’t a clear system for responding to a cyberattack that affects more than one country, said the senior vice president for global security at energy technology supplier Hitachi ABB Power Grids.
“That’s a fundamental shortcoming. If a major incident happens, you need to have complete integrated crisis management,” Mr. Graf said.
The coming draft rules for the electricity sector include a requirement for companies to assess their risks for cybersecurity incidents that could affect electricity flows between countries and implement measures to safeguard against those, said Mr. Toftegaard, of the energy regulators’ group.
The cybersecurity bill that was proposed in December includes measures requiring national authorities to share information about cyberattacks with officials in other EU member states, including whether attacks could affect other countries.
The updated EU cybersecurity rules could improve how energy companies protect themselves against hackers, but there is a need for an agency that responds to cyberattacks and potentially helps detect them, said Guido Gluschke, managing director of the Institute for Security and Safety at Brandenburg University of Applied Sciences.
“If we have a massive cyberattack against the whole infrastructure, we don’t have an adequate mechanism for defending against that,” he said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.