Brussels, 24 July 2024
Today, EU Member States, with the support of the Commission and of the EU Agency for Cybersecurity (ENISA), published a report on the cybersecurity of the telecommunications and electricity sectors in the EU, as well as recommendations to bolster their resilience.
The report identifies threats such as cyber-attacks and espionage activities from state-sponsored threat actors and cyber criminals in both sectors. Supply chains, especially regarding 5G networks and renewable energy infrastructures, are at particular risk.
To mitigate the identified risks, the report contains recommendations to Member States, the Commission and ENISA to timely implement resilience-enhancing measures. These recommendations include sharing good practices on mitigating ransomware, improving collective cyber-situational awareness and information sharing; improving contingency planning, crisis management and operational collaboration; assessing dependencies on high-risk third-country providers to strengthen supply chain security.
The report follows Council conclusions calling for the development of the EU’s Cyber Posture and follows-up on the report on the cybersecurity and resilience of the EU communications infrastructures and networks.
More information on the report is available here.
Risk assessment report on cyber resilience on EU’s telecommunications and electricity sectors
24 July 2024
The report points to concerns about a number of risks, including risks to supply chain security, the lack of cyber professionals and the risks posed by malicious activities from cyber criminals and state-sponsored threat actors.
The risk evaluation identified technical and non-technical risks in more detail. In both the telecommunications and electricity sectors, supply chain risks remain the main concern, especially regarding 5G rollout and renewable energy infrastructures. Ransomware, data wipers and exploitation of zero-day vulnerabilities were also identified as an ongoing but pressing concerns in both sectors, especially where operational technology is concerned.
For the electricity sector, the most critical risk identified is malicious insiders, spurred by a difficulty in adequately vetting new personnel and attracting local cybersecurity talent. For the telecommunications sector, the main threats include attacks via roaming infrastructures and attacks originating from large bot networks.
In addition, the physical sabotage of cable infrastructure and the jamming of satellite signals were identified as specific risks that are particularly difficult to mitigate.
To mitigate these risks, the report puts forward a number of recommendations across 4 areas for improvement, which can be summarised as follows:
- Resilience and cybersecurity posture can be improved through sharing good practices on mitigating ransomware, vulnerability monitoring, human resources security and asset management. Additionally, cooperation with technical Member States’ network, the Computer Security Incident Response Team (CSIRTs), law enforcement and international partners needs to be stepped up. Member States should conduct further self-assessments for the sectors as per the NIS2 Directive and CER Directive.
- Collective cyber situational awareness and information sharing needs to be improved and include the geopolitical context, potential physical harm and disinformation.
- Contingency planning, crisis management and operational collaboration needs to be improved by shortening lines between sectors and cybersecurity authorities in procedures.
- Supply chain security should be further addressed with follow-up assessments of dependencies on high-risk third-country providers and the development of an EU framework for supply chain security.
Given the criticality of the infrastructures and networks in the scope of this report and in view of the fast-evolving threat landscape, and without prejudice to the Member States’ competences as regards national security, Member States, Commission and ENISA are encouraged to implement these resilience-enhancing measures as soon as possible, based on the work that has already started on the implementation of some of the recommendations.
Download the report below for more information:
Background
The Council, in its Conclusions on the development of the European Union’s cyber posture of 23 May 2022, ‘invite[d] the Commission, the High Representative and the NIS Cooperation Group, in coordination with relevant civilian and military bodies and agencies and established networks, including the EU CyCLONe, to conduct a risk evaluation and build risk scenarios from a cybersecurity perspective in a situation of threat or possible attack against Member States or partner countries and present them to the relevant Council bodies.’
Moreover, in its 23 May 2023 Conclusions on the EU Policy on Cyber Defence, the Council ‘invite[d] the above-mentioned actors to ensure that risk evaluations, scenarios and subsequent recommendations are taken into account when defining and prioritising measures and support, at EU and where appropriate national level’. The Council furthermore calls for ‘the risk scenarios to be considered by all relevant actors in risk assessment processes, as well as in the development of cyber exercises’.
The risk evaluation follows up on a recent report on the cybersecurity and resilience of the EU communications infrastructures and networks, which was published in February 2024.
You can read further information about Cybersecurity Policies.
Downloads
-
EU cybersecurity risk evaluation and scenarios for the telecommunications and electricity sectors: Download