Revised network code on electric cybersecurity submitted by ACER to European Commission

The EU Agency for the Cooperation of Energy Regulators (ACER) submitted last week to the European Commission its revision of the network code for cybersecurity aspects of cross-border electricity flows. The cybersecurity network code aims to further contribute to maintaining the security and resilience of the electricity system across Europe.

The Agency, with the support of an expert group and extensive consultation, revised the proposal for a network code submitted by ENTSO-E (European Network of Transmission System Operators for Electricity) and the EU DSO Entity in January 2022. The network operators’ proposal was based on the ACER Framework Guideline on sector-specific rules for cybersecurity aspects of cross-border electricity flows, which provided high-level principles for developing an EU-wide binding network code.

In its revision, ACER conducted extensive consultations with the relevant stakeholders and considered the views provided by all involved parties during the drafting of the proposal led by ENTSO-E and the EU DSO Entity. “On 13 July 2022, the draft network code was given a favourable opinion by the Board of Regulators pursuant to Article 22(5)(a) of Regulation (EU) 2019/942,” Christian Zinglersen, ACER director, wrote in a letter to the directorate-general for energy at the European Commission.

The network code includes rules on various electricity cybersecurity-related aspects, including a common electricity cybersecurity framework aimed to standardize the measures in place to protect the EU electricity cyber perimeter, governance of cybersecurity for the electricity sector, and a comprehensive cross-border risk management process. It also covers cybersecurity information sharing flows to ensure timely information, foster quick and coordinated reactions of relevant stakeholders, and provide incident handling and crisis management rules. 

Furthermore, the network code covers a cybersecurity exercise framework to enhance the preparedness of all operators, rules for the protection of information exchange, and a framework for monitoring, benchmarking, and reporting.

The main changes introduced by ACER’s review of the network operators’ proposal include specifying the elements and principles in terms, conditions, and methodologies. It also introduces the legal basis for developing guidelines for exchanging information and allows the Member States to be exempted from provisions for national security reasons. In addition, ACER thoroughly checked the proposed network code to ensure its compatibility with the NIS Directive and the risk preparedness regulation.

Zinglersen also drew attention in his letter to the governance aspects of the NCCS, especially the adoption process of the terms, conditions, and methodologies (TCMs) envisaged in Article 8 of the NCCS and ACER’s competencies. “Regarding the first aspect, we would like to express our serious concerns that the unanimity principle foreseen for the adoption of TCMs will put the effective implementation of this NCCS at significant risk. Based on the existing legislation, we were not able to propose a more robust governance framework, but we would invite the EC to carefully consider this issue. Regarding the second aspect, we would like to emphasise that, during the review process, ACER carefully analysed its role with regard to cybersecurity aspects of cross-border electricity flows,” he added. 

While ACER understands that it has a clear mandate in the process for the establishment of a network code in this regard, ACER’s mandate concerning cybersecurity tasks and vis-à-vis cybersecurity bodies is not entirely evident in the current legislation, Zinglersen wrote. “For the above reasons, we do see a need to improve the overall governance framework of this NCCS, in particular with regard to the adoption of TCMs, as well as clarify ACER’s mandate and competences with regard to cybersecurity,” he added.

Zinglersen further added in his letter that in ACER’s view, creating a clear mandate for ACER on cybersecurity, with the necessary competencies and resources, is essential to prevent future uncertainty. “For example, ACER could be provided with the competence to issue opinions on cybersecurity aspects of cross-border electricity flows to both NRAs and to the NCCS-NCAs, as this would allow more efficiency in the coordination and cooperation on cybersecurity matters in the electricity sector. Cooperation with ENISA in this regard could also be clarified,” he added. 

The ACER director also said that the ongoing revision of Directive (EU) 2016/1148 will be published before the adoption of the NCCS. ACER would like to stress the importance of aligning the NCCS with the provisions of the revised Directive (NISD2). The alignment is intended to avoid duplication of supervision regimes and incident reporting channels, prevent duplication or fragmentation of tasks for all involved actors, align the entry into force of the provisions of the NCCS with those in the NISD2, and maintain a coherent approach with the already established cybersecurity governance in the Member States.

“ACER has taken the above aspects into consideration in its revision of the NCCS,” according to Zinglersen. “However, we would find it necessary to further align some provisions once the NISD2 is finalised. For example, it would be essential to align the scope of the NCCS in light of the final NISD2,” he added.

ACER has submitted the revised network code to the European Commission within the allowed time limit of six months. Next, the Commission will review the submitted network code and initiate its procedure for adopting delegated acts. When adopted by the Member States, it becomes legally binding across the EU.

Earlier this month, the European Union Agency for Cybersecurity (ENISA) released an open and transparent framework to support the development of threat landscapes and bring about consistent and transparent threat intelligence sharing. By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes.
