Cybersecurity in the Energy Sector: a Comparative Analysis between Europe and the United States
Études de l'Ifri, February 2018
The acceleration of the digitization of energy infrastructure has brought many economic benefits, including greater efficiency in the rationalization of energy consumption. However, this has also increased the risk of cyberattacks, where malicious software is able to take advantage of the increasing digitization of energy equipment.
The recent cyberattacks that have targeted critical infrastructure in Ukraine highlight that the threat is real and growing. Vulnerability is not restricted to infrastructure located within the European Union (EU) or the United States (US): the cyberattacks that recently hit Ukraine spread to many Western firms through their subsidiaries, underlining the danger of contagion.
As a result, over the last few years, the EU and the US have gradually sought to put in place a series of policies and rules to protect energy infrastructure from cyber threats. The American and European approaches in this area present many differences. The United States has favored a strategy of ‘security in depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. By contrast, the EU has adopted a more flexible and exhaustive approach covering a wide range of issues, leaving an important margin of maneuver for member states in the implementation of norms. Nevertheless, these approaches are potentially complementary in that the strengths of the American system can serve as a model to improve certain weaknesses in the European approach, and vice versa, since the US could also learn from the EU in a number of areas.
Indeed, the American model is ahead of the EU in the development of precise and detailed norms on cybersecurity, as well as in the implementation of these norms. Only a handful of EU member states, including France, have an equivalent level of norms, and Europe suffers from inadequacies both at the EU level and at the national level. Nevertheless, the US can learn from the EU in other areas, such as the protection of privacy and personal data, cybersecurity for renewable energies and low carbon technologies, as well as the protection of the electricity network at the level of distribution. Moreover, California and France present a number of relevant specificities regarding cybersecurity.