Cyberattacks in the energy sector doubled from 2020 to 2022, increasing the risk of blackouts, disruptions and significant societal issues, according to Eurelectric’s latest report on cybersecurity.
In a new paper on cybersecurity in the energy sector, the organization advised the European Union to ensure consistent and harmonized implementation of the regulation, foster a skilled cybersecurity workforce, facilitate the necessary investments and promote collaboration.
The International Energy Agency has estimated that the attacks more than doubled between 2020 and 2022, with a record 1,101 events targeting utilities worldwide in 2022, the authors note.
Since 2022, the energy sector cybersecurity center EnergiCERT has counted 48 publicly known attacks against European energy companies, including supply, 31 ransomware attacks, almost half of which involved data theft, and 15 attacks affecting networks’ operational technology.
More than 20 cyberattacks on European energy utilities in 2022 were successful
Out of all geographical targets, attacks on EU countries rose from 9.8% to 46.5% during the first six months of 2023. More than 20 successful cyberattacks against European energy utilities took place in 2022, according to EnergiCERT.
The publicly available data is not comprehensive due to the sensitivity of the topic, Eurelectric stressed.
Europe’s cybersecurity agency ENISA recently pointed out that the EU energy sector, on a par with the banking sector, is investing more in information security measures than sectors such as healthcare, transport and drinking water utilities.
However, globally and across sectors, the EU is investing less in information security than North America and Asia-Pacific, the paper underlines.
Eurelectric said improving ICT systems requires not only larger investments but also a proficient and skilled workforce. In 2022, the European Commission estimated the shortage of cybersecurity professionals in all sectors in the EU at between 260,000 and 500,000, while the EU’s cybersecurity workforce needs were estimated at 883,000 professionals.
The EU has a multitude of legislative dossiers and institutions in place on cybersecurity
The EU has extensive legislation and certification schemes relevant to ensuring a protected power sector. The main and first cross-sectoral legislation is the Directive on Security of Network and Information Systems (NIS Directive), which was adopted in 2016 and recently updated as NIS 2.
In the previous EU legislative term, several pieces of cybersecurity legislation were published or proposed. The main ones can be summarized as the amendments to the Cybersecurity Act, the Cyber Resilience Act (CRA), partly the Cyber Solidarity Act (CSA) and the Network Code on Cybersecurity (NCCS).
As many as 12 enforcement mechanisms and agencies are involved in ensuring cybersecurity across Europe. They fall into three subcategories: EU institutions, advisory bodies and networks of member states, the paper reads.
Eurelectric called on policymakers to implement several measures:
- Foster a skilled workforce and facilitate investments
- Allow time for implementation – avoid new regulation unless absolutely necessary
- Put cybersecurity at the top of the agenda by improving collaboration.