The growing vulnerability of the European energy system

Almost ten years after 9/11, the EU has barely taken any steps to develop a common policy to protect its critical energy infrastructures. Responsibility for the security of the crucial energy infrastructure systems that our societies depends on continues to lie with the governments of member states, many of which do not give the matter much priority. At the same time, as the integration of the European energy market is proceeding apace, countries are becoming more and more dependent on each other's security systems. 'The chain is as strong as the weakest link.'

'Few people realise that the electricity system has few back-up possibilities'
Stephen Gregory shudders to think of what might have happened that day 'in a large European city'. If a certain event had not been 'disrupted', he says, 'it would have removed electricity supply for 6 million people'. To get the power system up and running again 'would have taken 6 months'. An unimaginable disaster.

Although he does not want to discuss specifics, Gregory, CEO and owner of security risk management consultancy Harnser Group, is apparently referring to a planned (but prevented) terrorist attack in London, aimed at the heart of the city's electrical power system. The "near disaster" prompted the British government to start a programme to look into detail at "critical (energy) infrastructure protection" or CIP as it is called nowadays. All this was before 9/11. It goes without saying that after 9/11, the importance of CIP has not diminished.

No incentive

There is no question that modern society has become increasingly dependent on critical infrastructure, and in particular on power supply. Most people are aware of this. What few people realise, however, says Gregory, is that the electricity system has few back-up possibilities if certain critical components are knocked out. 'If you destroy a 400,000 Volt transformer, it could take between 6 and 12 months to build a new one. You cannot buy such components off the shelf. And they are not held in reserve.' Obviously, if the power supply were to be disrupted for such a long time, the consequences for society would be catastrophic.

Gregory notes that in the current situation there is no incentive for private operators to spend large sums of money on backup components that might never be used. 'There is a tension between societal needs and shareholder requirements. Companies have tight financial requirements. And reserve components and installations can be very costly.'

So who should take the responsibility to act, before disaster strikes us? First of all, national goverments, says Gregory. They should make sure that companies do what is necessary to protect critical infrastructure. They should also address the question of who is to pay the bill.

Board level

What is crucial in this respect, according to Gregory, is that the message gets through to the private sector at board level. 'At this moment, most CIP efforts take place at a lower management level. What is needed is that the responsibility for security is placed at the highest level within the company. It should be reported to the board, so that it can be monitored on a regular basis, and so that the board that can take the decisions that are needed to ensure that the networks and other installations remain safe.'

In his capacity as advisor to companies that are responsible for looking after critical assets, Gregory is well aware of the potential threats and risks. 'We recently audited a European transmission system operator that had a security system which worked like cameras in a supermarket. There was no information

'We audited a transmission system operator that had a security system which worked like cameras in a supermarket'
system that told people what was going on or what they had to do in case of an emergency.'

In another instance, Harnser was asked by a European gas transmission company to invesigate the vulnerability of the operations of a gas transmission system operator on the other end of a pipeline. 'We discovered that the other network was not very well protected, to say the least. This of course led to increased vulnerability to the network as a whole.'

Declining production

International dependencies are a particularly complex issue when it comes to CIP. 'The continuing integration of the EU energy market is leading to growing interdependencies within Europe', says Gregory. 'A small failing somewhere in the system can have a cascading effect, which won't stop at the borders anymore. This means that any country these days is dependent on security measures taken in other countries. The chain is as strong as the weakest link.'

Given the continuing integration of the European energy market, the question is, how should responsibilities be divided between national governments and Brussels. Gregory believes that national governments are 'primarily responsible' for security issues. The European Commission does have a role to play, though. 'It has to ensure that member states do what is required.'

For example, Brussels has to continue to develop European regulation for the power and gas networks. Gregory notes that 'gas pipelines don't recognise national borders, but they are still mostly regulated on a national basis. So you get a complicated system of services over which no single operator or country has control. Incidentally, don't forget that gas supply is crucial to electricity production these days, as more and more power is produced in gas-fired power stations.'

Primary responsibility

So what has Brussels been doing in CIP since 9/11? So far, its actions look to have been fairly limited. In June 2004, the European Commission was asked by the European Council to prepare a 'strategy' to enhance CIP. In November 2005, it adopted a Green Paper, which led in 2007 to the adoption of a European Programme for Critical Infrastructure Protection (EPCIP). This resulted in December 2008 in the adoption of a 'Directive on the identification and designation of European critical infrastructures'.

The protection of crucial energy infrastructure does not seem to be a high priority in the EU
This Directive, however, which falls under the Directorate-General for Home Affairs, does not manifest much urgency. It only focuses on energy and transport to begin with. In addition, it hardly imposes any obligations on member states. It is, as the Directive itself puts it, merely 'a first step in a step-by-step approach to identify and designate European critical infrastructures and assess the need to improve their protection'.

The Directive states that 'the primary and ultimate responsibility' for CIP rests on the member states. Their major obligation is to 'inform the other member states which may be significantly affected by a potential European Critical Infrastructure (ECI) about its identity and the reasons for designating it as a potential ECI'. Member states have to engage in 'discussions' with other member states that may be 'significantly affected' by the ECI. That's about as far as it goes.

Threat assessment

For the Directorate-General of Energy, the Directive was a reason to set up a discussion group among energy infrastructure operators. This so-called 'Thematic Network on Critical Energy Infrastructure Protection' (or TNCEIP) is to meet every three months to exchange views. Its first meeting was held in December last year, the second one will take place on 14 April 2011.

According to José Antonio Hoyos Pérez, the Policy Officer at DG Energy responsible for this dossier, the TNCEIP network currently has some thirty members from across the EU. More would be welcome. He stresses that it is an 'informal talking group'. 'It is a purely voluntary platform to discuss CIP issues. We

'There were widespread complaints that some European Union governments and private sector CEOs are not taking the issue seriously enough'
are not about to draft any standards or come to formal decisions.' In fact, as Hoyos Pérez notes, the group has little other choice, as the Directive is 'the only legal instrument' the Commission has in this area. He does not rule out that the Directive could be followed by other legal initiatives in the future, though 'this is not on the agenda now'.

The topic of the April meeting of the TNCEIP, says Hoyos Pérez, is threat assessment. The idea is that papers will be produced about this, but only for the network members. TNCEIP does not have a publicly available website. (For more information, see here)

Additional cost

Another action supported by the European Commission on CIP was the development of a risk management project in the form of the Euracom project, which was started in 2009. Euracom, which is funded under the 7th Framework Program (FP7) of the Commission, is a joint initiative of the the European Organisation for Security (EOS), three research centres - the Joint Research Council (JRC), the French Atomic Energy Commission (CEA), TNO of the Netherlands - and three private companies - Thales, Edisoft and Altran. Under the auspices of Euracom, several workshops were conducted last year which created a dialogue between operators, national governments and suppliers of security technologies ("the European Forum on Energy Infrastructures"). On 24 January 2011, a "final conference" was held, about which a report was published on 27 February.

At this conference, many of the same sentiments could be heard that are also voiced by Stephen Gregory. 'There were widespread complaints that some European Union governments and private sector CEOs are not taking the issue seriously enough, with many businesses viewing increased security measures as an unnecessary additional cost', notes the report on the conference.

Alexander Pschikal, Ministerial Counsellor in the Security Policy Department of Austria's Federal Chancellery, gave a strong warning that a number of European governments are not taking the

'At least four member states did not identify any critical infrastructure in the energy sector'
European Programme for Critical Infrastructure Protection seriously. 'At least four members from the EPCIP programme did not show up to these discussions, and at least four member states did not identify any critical infrastructure in the energy sector', he complained. 'Many others are really reluctant …and only a few are really active.'

Cyberattacks

Luigi Rebuffi, Chief Executive Officer of EOS (European Organisation for Security), says in a telephone interview with EER that he is not happy with the progress that is being made on CIP in Europe. 'Many governments are lagging behind, and many companies are reluctant to share information, especially oil companies.' He notes that security of energy supply is a high priority for the European Commission, but the Commission only looks at the aspect of diversification of supplies, and pays little attention to the equally important issue of CIP.

According to Rebuffi, Euracom will come out with a final report by the end of March, after which the project will officially end. He says it is certain that it will be followed up, but not yet how this will be done. 'The use of the risk management methodology we developed for the implementation of the Directive, is already being considered by a few member states. But we are still finalising the results. We should come out with more details soon', he says.

One particular threat that was highlighted at the conference is the relatively new risk of cyberattacks. ‘The internet is a terrorist instrument’, said Fernando Sanchez Gomez, Director of the National Centre for the Protection of Critical Infrastructure at the Ministry of the Interior in Spain. ‘This is a real threat.’ Eric Luiijf, a CIP specialist at TNO, a leading Dutch research centre, concurred. He pointed out that ‘the increased divulgence of data being exchanged by companies as a result of the push for European energy market liberalisation was increasing their vulnerability to hackers’.

Joachim Vanzetta, Chairman of the Working Group on Critical System Protection at ENTSO-E (European Network of Transmission System Operators), made the interesting point that the advent of renewable energy is also having consequences for the vulnerability of the power system. ‘A big task for example in Germany is that we have to transport renewable energy from the northern part of Germany to the southern part … and therefore we need a lot of new transmission lines … Then comes that the problem that people do not want to have new lines. They want to have green energy, but they do not want to have transmission lines.’

Environmentalists

Stephen Gregory notes that in addition to threats from terrorist attacks, energy companies should also be aware of the possibility of attacks from environmentalists. ‘They may have very different intentions, but they can still cause a lot of damage.’ In this respect, for an energy producer to reduce its CO2-emissions is also to lower the possibility of environmentalist threats, says Gregory.

But perhaps the most fundamental problem at the moment, according to Gregory, is that when it comes to CIP, ‘there are no generally accepted international standards’. There is no harmonisation. Both the

'What is at stake is the very state of welfare and the daily lives of the citizens'
private and the public sector are left to their own devices. One exception may be the nuclear power sector, but, says Gregory, their standards cannot easily be applied to other sectors, since they tend to be ‘cumbersome, restrictive and expensive’. He concludes that ‘on a subject of such importance, this seems to me an opportunity for the EU or NATO to at least provide a platform dedicated to CIP’.

Until such time, however, the reality is that our societies remain quite vulnerable. Even though, as Sanchez Gomez said at the Euracom conference, ‘what is at stake is the very state of welfare and the daily lives of the citizens. We are so dependent on these services that we simply cannot do without them … we would be paralyzed and we would be taken back to the Stone Age’.