Fraunhofer-Gesellschaft
November 17, 2023
Paper (Preprint, Research Paper, Review Paper, White Paper, etc.)
Title

Opinion on Supplementing Regulation (EU) 2019/943

Title Supplement
By Establishing a Network Code on Sector-Specific Rules for Cybersecurity Aspects of Cross-Border Electricity Flows
Abstract
The authors welcome and hail the supplementing regulation of (EU) 2019/943 to strengthen the cybersecurity of cross-border electricity flows of the Union and, by extension, the overall cybersecurity of the energy sector. With the intention to support and contribute to this effort, we decided to provide our perspective on the proposed legislation, taking into account the current state of science and art, the legal and normative situation within as well as outside of the Union, and our experience and expertise in the domain of Cybersecurity overall, and in Intelligent Energy Systems Cybersecurity in particular. Fraunhofer SIT, with its dedicated Department of Cyber-Physical Systems Security, has been at the forefront of research in this domain and is thus able to offer insight into the specifics and nuances of the regulation. While we view the overall state of the regulation draft in a positive light with regard to its content, processes and methods, we would highlight some areas that demand a more nuanced approach. The centerpiece of the regulation is the Risk Assessment methodology and the subsequent derivation of the Electricity Cybersecurity Impact Index (ECII), which drives, guides, and shapes the rest of the activities to be undertaken. The success of the whole endeavor depends on the robustness of this methodology, and we urge a more rigorous approach, particularly to impact criteria selection, criteria scaling and flexibility. Secondly, attention should be paid to how the sector, and the implications of the ECII, interface with the National Security of Member States and the current Security Architecture of the Union and the NATO Alliance, since in the unfortunate event of an electricity crisis stemming from cyber vectors this could lead to complications in the decision-making process of policymakers.
Furthermore, the temporal pace of the described activities could align more closely with the speed of innovation in Information Technology and Cybersecurity, as well as with the evolution rate of the threat landscape. With the target cybersecurity profile being achieved in more than eight years, the risk that what is now considered state of the art becomes obsolete is real. Lastly, while we understand that the text should not be prescriptive about technology or implementation approaches, we deem that strategic and tactical design principles for mitigation, prevention, and restoration should supplement the minimum and advanced controls to be selected. As a final note, we stress the volatility of the threat, its socio-technical nature, and the inevitability of compromise. Our adversaries are adaptive, agile, and, most importantly, intelligent.
Author(s)
Gkoktsis, George
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Kreutzer, Michael  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Scheel, Kirstin
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Schreiber, Linda  
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Rights
Use according to copyright law
DOI
10.24406/publica-2468
Language
English