11/27/24 | Cyber security, Legal framework, Infrastructure

Cybersecurity in the electricity industry: An investment that pays off

Katerina Simou, Senior Expert for Infrastructure and Overall System, together with Dennis Rösch from Fraunhofer IOSB-AST, explains in a new dena study that investing in cyber security is worthwhile for companies in the electricity industry.

Katerina Simou, Senior Expert for Infrastructure and Overall System

The NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) is expected to come into force in March 2025. It will transpose the EU-wide minimum standards for cyber security in EU Directive NIS2 into German law and regulations. The implementation of NIS2 will affect at least 30,000 companies in Germany and increase their security obligations. It represents a significant tightening of the requirements and affects a broader group of critical companies. Companies, particularly in the energy sector, will be obliged to implement the new security requirements quickly. 

The new dena study Cyber-Fit: Investing in cyber security in the electricity industry sheds light on how companies in the electricity sector can implement the requirements of the NIS2UmsuCG strategically and economically, and shows that the right investments in cyber security measures not only fulfil legal requirements, but also bring specific financial benefits.

The study was conducted as part of the Future Energy Lab project ‘Cyber security in the electricity industry’ and was developed in collaboration with Fraunhofer IOSB-AST.

This article also focuses on further measures to increase cyber security in smaller companies.

Cyber security is a management issue

The management of an organisation is responsible for approving, implementing and monitoring IT security measures. Interviews conducted as part of the study with electricity industry representatives show that management teams are already highly aware of IT security measures and consider the costs of compliance and damage cost estimates stated in the NIS2UmsuCG to be plausible. 

The study supports management in evaluating the costs, benefits and profitability of cyber security measures. An IT security reference architecture for a distribution grid operator illustrates possible investment and forms the basis for deriving specific security measures.

Figure: IT reference architecture of an example distribution system operator, with the company levels differentiated according to IEC 62443

Cyber security pays off

In addition, the Return on Security Investment (RoSI) model is used to assess the costs and benefits of the statutory measures. The RoSI calculations show that investments in IT security are already profitable in the first year for critical facilities and from the second year for particularly critical facilities - even with the relatively low damage cost estimates used for the electricity industry.

Figure: Development of RoSI over time for both company categories, based on the estimates in the NIS2UmsuCG
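To make the RoSI reasoning above concrete, here is an added illustration (not code or figures from the dena study) of how cumulative RoSI is computed year by year and where the break-even year falls. The cost, damage and mitigation figures are constructed placeholders, not the estimates in the NIS2UmsuCG; the two company categories, the break-even logic and the RoSI formula (avoided damage minus cost, divided by cost) are what the code demonstrates.

```python
"""Cumulative Return on Security Investment (RoSI) per year for two company categories.

Added example; all monetary values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Category:
    name: str
    initial_investment: float     # one-off cost of the measures, booked in year 1
    annual_cost: float            # recurring operation and maintenance cost per year
    annual_loss_expectancy: float  # ALE: expected yearly damage without the measures
    mitigation_ratio: float       # share of the ALE the measures are assumed to prevent (0..1)


def cumulative_rosi(cat: Category, years: int) -> List[float]:
    """Return RoSI at the end of each year, accumulated since the investment.

    RoSI(year) = (avoided damage so far - cost so far) / cost so far
    Avoided damage per year is ALE * mitigation ratio; cost is the one-off
    investment (year 1 only) plus the recurring cost every year.
    """
    result = []
    benefit = cost = 0.0
    for year in range(1, years + 1):
        benefit += cat.annual_loss_expectancy * cat.mitigation_ratio
        cost += cat.annual_cost + (cat.initial_investment if year == 1 else 0.0)
        result.append((benefit - cost) / cost)
    return result


def breakeven_year(cat: Category, horizon: int = 10) -> Optional[int]:
    """First year in which cumulative RoSI is non-negative, or None within the horizon."""
    for year, rosi in enumerate(cumulative_rosi(cat, horizon), start=1):
        if rosi >= 0:
            return year
    return None


# Constructed placeholder figures (EUR); particularly critical facilities carry
# stricter obligations and therefore a larger initial investment in this illustration.
CRITICAL = Category("critical facility", 200_000, 80_000, 500_000, 0.7)
PARTICULARLY_CRITICAL = Category("particularly critical facility", 900_000, 250_000, 1_000_000, 0.8)

if __name__ == "__main__":
    for cat in (CRITICAL, PARTICULARLY_CRITICAL):
        rosi = ", ".join(f"{r:+.2f}" for r in cumulative_rosi(cat, 5))
        print(f"{cat.name}: RoSI years 1-5 = {rosi}; break-even in year {breakeven_year(cat)}")
```

With these placeholder inputs the critical facility is profitable in year 1 and the particularly critical facility from year 2, mirroring the shape of the study's result without reproducing its figures.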

Smaller companies can strengthen their cyber security despite a lack of resources

1. Outsourcing and out-tasking as an opportunity to counteract staff shortages

Outsourcing and out-tasking are increasingly being used to overcome the shortage of skilled labour in IT security. The difference between the two approaches lies in their scope: out-tasking hands over individual processes to an external provider, while outsourcing covers entire business areas.

Both approaches require a careful selection of service providers and security certifications in order to safeguard sensitive IT security tasks. Outsourcing is often used particularly for the introduction and maintenance of intrusion detection systems (IDS), which require specialist expertise and high personnel costs.

2. Not everyone has to ‘reinvent the wheel’: involvement in committees and associations

Participation in committees and associations gives smaller companies access to IT security studies and networks. This provides them with up-to-date information and best practices, which helps them respond to legal changes and new requirements at an early stage.

3. Crisis drills help test and improve IT security in practice

Crisis drills are essential for emergency planning: they illustrate the consequences of IT attacks, raise management awareness of the importance of a crisis team and strengthen crisis communication. Regular drills improve crisis management processes and the ability to react in an emergency.

Specialised contact points offer valuable resources. The dena EnerCise project offers practical training and drills to strengthen resilience against cyber attacks. Fraunhofer IOSB-AST also offers customised programmes for carrying out crisis management drills. 

4. Develop KPIs for informed management decisions

Key Performance Indicators (KPIs) are effective for measuring the current status of IT security. These key indicators help monitor progress in implementing security measures and evaluate their effectiveness. To identify threats and attacks, both long-term KPIs (for example those derived from ISO 27001, BSI basic protection (IT-Grundschutz) and industry standards, which reflect the maturity level of IT security) and short-term KPIs (such as the detection rate of cyber attacks or the number of attacks averted) should be taken into account. A central aspect is that KPIs are understandable and relevant to management, so that management can make informed decisions to improve IT security. KPIs should be chosen that can be broken down into business processes and monetary values in order to ensure they are comprehensible to everyone involved.

Outlook for NIS2UmsuCG: Challenges and opportunities

The study shows that the measures required by the NIS2UmsuCG not only fulfil legal requirements, but also make economic sense. At the same time, the law opens up opportunities for joint development of security solutions through networking and knowledge sharing within the industry. However, the crucial factor will be how smaller companies in particular utilise their human and financial resources effectively in order to meet the more stringent requirements.