EU energy companies to report cyber attacks under draft law: EC

Brussels (Platts)--7Feb2013/709 am EST/1209 GMT


EU energy companies would have to report significant cyber attacks to national authorities if a draft EU directive on network and information security proposed by the European Commission Thursday becomes law.

"The commission proposes to extend the obligation to report significant cyber incidents to energy, e.g. electricity and gas," the EC said in a statement.

"Generation, transmission and distribution of energy are highly dependent on secure network and information systems," it added.

The EC gave "an electricity outage caused by a [network and information security] incident and having a detrimental effect on businesses" as an example of what would have to be reported.

The directive also would require energy companies to adopt risk management practices for cyber security issues.

Such companies would include electricity and gas suppliers, distribution system operators and transmission system operators, as well as market, storage and LNG operators, according to the draft directive.

In addition, they would cover oil transmission pipelines, oil storage, and oil and gas production, refining and treatment facilities, the directive showed.

The EC estimated in an accompanying impact assessment that about 4,000 energy companies would be covered in total.

It added that energy companies already perform strongly on cyber security risk management and so they would not need to spend more to comply with the draft directive.

"Being open [about attacks] is the first issue at stake," EU digital agenda commissioner Neelie Kroes told reporters in Brussels. "It's the only way to learn from each other and to create an incentive to do better."

Kroes added that 93% of large European corporations have said that they were victims of cyber attacks in 2012. This made such attacks "near-normal," she said, and not damaging to a company's reputation.

Meanwhile, the EU's 27 national governments would have to adopt a network and information security strategy and designate a competent national authority to prevent, handle and respond to cyber security risks and incidents, the EC said.

National governments and the EC would also have to cooperate regularly and formally to share early warnings on risks and incidents, it added.

The aim is "to ensure a secure and trustworthy digital environment throughout the EU," the EC said.

The EC said there have been several large-scale internet security breaches in recent years, including in January 2011 when the EC had to suspend trading in the EU's Emissions Trading System after national registries were hacked and permits stolen.

The EC said current EU obligations to adopt cyber security measures and report significant incidents only cover telecom companies and data controllers.

The EC proposes extending the obligation to all critical infrastructure owners, including energy, key internet companies and the banking, transport, health and public administration sectors.

The draft directive has to be agreed by both the European Parliament and the EU Council, representing the EU's 27 national governments, before it can become law.

ENERGY INDUSTRY HIT BY ATTACKS

The EC said in its impact assessment that "many major gas companies suffered increased amounts of cyber-attacks motivated by commercial and criminal intent," although it did not give details.

And the problem is not limited to Europe. In December, for example, oil giant Saudi Aramco revealed that an August 2012 cyber attack affected some 30,000 of the firm's computers and was carried out by organized hackers from several foreign countries.

"The attack targeted the whole economy of the country, not just Aramco as an entity," Abdullah al-Saadan, who headed the company's inquiry team, said in December.

"The aim [of the attack] was to stop pumping oil and gas to domestic and international markets," he added.

--Siobhan Hall, siobhan_hall@platts.com
--Edited by Jeff Barber, jeff_barber@platts.com