Renewable energies are increasingly becoming the decisive backbone of electricity supply. In 2022, the EU-27 states generated nearly 40 % of the EU-wide energy mix from renewable energy resources¹. It is not only large-scale photovoltaic (PV) and wind plants that play an important role in supplying energy and stabilizing the electricity grid. Smaller PV systems installed privately or on leased roofs have long been combined by aggregators to form larger virtual power plants by means of energy storage fleets.
Digitalization and new vulnerabilities
As a result of this and the digitalization of the energy industry, renewable energy plants (REP) are becoming strongly networked distributed energy resources (DER) with a high degree of automation and remote control. This in turn increases the risk of disruption to the European and national energy supply due to cyber attacks. After all, every single DER represents a vulnerable point of attack. And centralized control centers can become a springboard for adversaries to infiltrate thousands of facilities. There is not only the risk of data leaks and manipulation of consumption data, but also a risk of local and regional blackouts with losses and fines amounting to millions. In the worst case, facilities can be irreparably damaged and human lives endangered.
Legal requirements under NIS2
For this reason, special legal requirements for cyber security apply to players in the European energy supply. The NIS2 Directive and the corresponding national implementing laws significantly expand the requirements for actors in the energy sector and make the management board personally liable. All large REP operators, aggregators, energy storage operators and electricity suppliers are listed under sectors with high criticality² and are classified at least as »important entities«. Many of these fall under the category of »essential entities«, for which stricter requirements apply. Even if the specific requirements are only defined in the respective national implementation laws, all companies affected by NIS2 must implement measures that enable them to deal with security incidents. In addition to preventing incidents, it should also be possible to detect security incidents as they occur.
eBook: Challenges and Recommendations
This eBook outlines the different challenges investors, management and operators face with regard to REPs’ and DERs’ cybersecurity. The document provides a detailed overview of evidence-based cyber risks that exist and, based on this, formulates clear recommendations for ensuring sustainable, efficient cybersecurity measures in renewable energy plants.