Cyber Security
Risk assessment report on cyber resilience on EU’s telecommunications and electricity sectors
EU member states, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published the first report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.
The report points to concerns about a number of risks, including risks to supply chain security, the lack of cyber professionals and the risks posed by malicious activities from cyber criminals and state-sponsored threat actors.
The risk evaluation identified technical and non-technical risks in more detail. In both the telecommunications and electricity sectors, supply chain risks remain the main concern, especially regarding 5G rollout and renewable energy infrastructures. Ransomware, data wipers and exploitation of zero-day vulnerabilities were also identified as ongoing but pressing concerns in both sectors, especially where operational technology is concerned.
For the electricity sector, the most critical risk identified is malicious insiders, spurred by a difficulty in adequately vetting new personnel and attracting local cybersecurity talent. For the telecommunications sector, the main threats include attacks via roaming infrastructures and attacks originating from large bot networks.
In addition, the physical sabotage of cable infrastructure and the jamming of satellite signals were identified as specific risks that are particularly difficult to mitigate.
To mitigate these risks, the report puts forward a number of recommendations across 4 areas for improvement, which can be summarised as follows:
- Resilience and cybersecurity posture can be improved through sharing good practices on mitigating ransomware, vulnerability monitoring, human resources security and asset management. Additionally, cooperation with the member states’ technical network, the Computer Security Incident Response Teams (CSIRTs), law enforcement and international partners needs to be stepped up. Member States should conduct further self-assessments for the sectors as per the NIS2 Directive and CER Directive.
- Collective cyber situational awareness and information sharing need to be improved and include the geopolitical context, potential physical harm and disinformation.
- Contingency planning, crisis management and operational collaboration need to be improved by shortening lines between sectors and cybersecurity authorities in procedures.
- Supply chain security should be further addressed with follow-up assessments of dependencies on high-risk third-country providers and the development of an EU framework for supply chain security.
Given the criticality of the infrastructures and networks in the scope of this report and in view of the fast-evolving threat landscape, and without prejudice to the Member States’ competences as regards national security, Member States, the Commission and ENISA are encouraged to implement these resilience-enhancing measures as soon as possible, based on the work that has already started on the implementation of some of the recommendations.
Download the report below for more information.
Background
The Council, in its Conclusions on the development of the European Union’s cyber posture of 23 May 2022, ‘invite[d] the Commission, the High Representative and the NIS Cooperation Group, in co-ordination with relevant civilian and military bodies and agencies and established networks, including the EU CyCLONe, to conduct a risk evaluation and build risk scenarios from a cybersecurity perspective in a situation of threat or possible attack against Member States or partner countries and present them to the relevant Council bodies.’
Moreover, in its 23 May 2023 Conclusions on the EU Policy on Cyber Defence, the Council ‘invite[d] the above-mentioned actors to ensure that risk evaluations, scenarios and subsequent recommendations are taken into account when defining and prioritising measures and support, at EU and where appropriate national level’. The Council furthermore calls for ‘the risk scenarios to be considered by all relevant actors in risk assessment processes, as well as in the development of cyber exercises’.
The risk evaluation follows up on a recent report on the cybersecurity and resilience of the EU communications infrastructures and networks, which was published in February 2024.
You can read further information about Cybersecurity Policies.
Downloads
EU cybersecurity risk evaluation and scenarios for the telecommunications and electricity sectors