Information technologies enable monitoring and controlling of energy facilities’ operations, collecting data on supply and consumption and creating market forecasts. Therefore, it is as important to ensure the information security of energy systems as to ensure their physical security. In this article, we review cybersecurity in the energy sector, and the legal framework in Türkiye.
Cybersecurity Concepts in the Energy Sector
Energy systems today constitute an indispensable part of the quotidian life of individuals as well as the production and industrial sectors. Considering its integrated structure with many other sectors, disruptions in energy systems have the potential to cause significant damage to the society. For this reason, the energy sector is recognized among the sectors of critical infrastructure. Critical infrastructures are defined as “infrastructures that host information systems that can cause loss of life, large-scale economic damage, national security vulnerabilities or disruption of public order when the confidentiality, integrity or accessibility of the information/data they process is disrupted”.
Cybersecurity, in general, refers to the ability to prevent or defend against cyber-attacks, aimed at exploiting, disrupting, modifying, preventing access to, or damaging information in cyberspace, and to protect the availability and integrity of networks, infrastructure and the confidentiality of the information contained therein. The cybersecurity definition consists of the aspects of confidentiality, integrity and availability. In the context of energy systems, confidentiality refers to ensuring that only generation, transmission, distribution company personnel and consumers have access to information; integrity refers to preventing the alteration, corruption and destruction of information on voltage, frequency, electric power, load flow and billing; and accessibility refers to ensuring that actors in the sector have access to information within a certain hierarchy.
The energy sector utilizes various management and control systems that enable operations to be monitored, and sometimes managed, from one or more centers. These systems, referred to as industrial control systems, are defined in general terms in the applicable legislation.4 The Supervisory Control and Data Acquisition System (“SCADA”) is known to be the most frequently utilized system.5 The function of these systems, in the simplest terms, is to collect and process real-time data, interact directly with devices and keep records of occurrences. Today, most energy facilities are equipped with industrial control systems, enabling data to be easily collected and reliable forecasts to be made in terms of supply and demand balance in energy markets.
The Significance of Cybersecurity in the Energy Sector
Energy is among the primary necessities of individuals such as in transportation, lighting and many other areas of daily life. In this respect, it is of great importance that energy facilities continue to function uninterruptedly. According to data for 2022, 403 cyber-attacks have so far taken place against the energy sector, with each attack resulting in an average loss of 4.72 million dollars.
In the event of a cyber-attack, even for a short period of time, many essential services such as health and transportation can be disrupted.7 For instance, in the Colonial Pipeline attack in 2021, the pipes were rendered dysfunctional by the creation of a pressure surge in natural gas transmission systems, and the disabled fuel had to be transferred by road. As a result of the attack, the local population rushed to gas stations to stock up on gasoline in a panic, and the price of gasoline skyrocketed to the highest level in the country of the recent years.
Cyber-attacks can have a negative impact on daily life as well as on the functioning of energy markets. In the electricity market, the data that constitute the basis for day-ahead and day-after forecasts are obtained from the information systems that power plants are equipped with. When these systems are subjected to attacks that alter or destroy information, the energy supply and demand balance may be disrupted and imbalances may occur in the system. Furthermore, if a damage occurs in one of these components, it can easily affect the others and ultimately, the infrastructure as a whole due to the intertwined nature of the generation, transmission and distribution infrastructures. To give an example, in 2015, as a result of a cyber-attack on a supply company in Ukraine, SCADA systems were accessed through malware and substations were cut off from power. On that day, 3 MWh of electricity could not be supplied and the country was plunged into darkness for 1 to 6 hours after the blackout. In the Stuxnet attack against a nuclear power plant in Iran, fluctuations were caused in the electric current frequencies that provide energy to centrifuges, causing centrifuges to explode and resulting radioactive damage.
In light of these facts, due to the critical role played by cybersecurity in the energy sector, it is of vital importance for the relevant authorities as well as the investors operating in the sector to establish and regularly monitor the appropriate IT infrastructure in order to prevent attacks and to take the necessary actions as soon as possible during and after the attack.
Legal Framework for Cybersecurity of Energy Systems in Türkiye
As in every sector, increasing digitalization in the energy sector entails a growing number of cyber threats, which in turn leads states to formulate cybersecurity strategies. In this regard, many action plans have been developed in the field of cybersecurity in Türkiye since 1999. At present, the National Cybersecurity Strategy and Action Plan (“Action Plan”) covering the period 2020-2023, prepared by the Ministry of Transport and Infrastructure in accordance with the Presidential Circular No. 2020/1512, is being implemented.
The Action Plan sets out principles and objectives for ensuring the cyber security of critical infrastructure sectors, also including the energy sector, and calls for the relevant institutions and organizations to work on regulations and implementation towards this end. The objective set in the Action Plan include protecting the cybersecurity of critical infrastructures on a 24/7 basis, developing a cybersecurity approach based on regulation and supervision in critical infrastructure sectors, and continuing to develop a proactive cyber defense approach to respond to cyber incidents. In this regard, the Energy Market Regulatory Authority (“EMRA”) is actively engaged in initiatives to enhance the cybersecurity within the electricity, natural gas and petroleum markets. The Regulation on Cybersecurity Competency Model in the Energy Sector (the “Regulation”), published last June, along with the Security Analysis and Testing Procedures and Principles for Industrial Control Systems Used in the Energy Sector, published in July, regulate the minimum standards and control principles for cybersecurity.
Compared to the previous regulations, the Regulation sets out the main control headings, sectoral criticality levels, implementation and audit issues in more detail.
According to the Regulation, the responsible entities are:
On the other hand, Organized Industrial Zone distribution and generation license holders are excluded from the scope of the Regulation.
Although many entities holding licenses in various energy subfields fall within the scope of the Regulation, only the control models for the electricity and natural gas distribution have been included under the Regulation while EMRA is currently in the process of developing models for other sectors. The obligations envisaged for these sectors within the framework of the relevant models came into effect on the date of publication of the Regulation in the Official Gazette. However, except for electricity and natural gas distribution license holders, other entities’ obligations under the Regulation will come into effect once the model studies for these sectors are finalized and published by EMRA.
The competency model comprises three fundamental competency levels. The parameters for these competency levels, which the responsible entities should meet, shall be determined by EMRA based on the criticality level of each sector, and afterwards EMRA shall notify the criticality levels to these entities. Depending on the criticality levels, main control categories that responsible entities must adhere to shall be determined, and following the targeted completion period stipulated for each heading, responsible entities shall ensure that their infrastructure complies with the requirements set forth under the relevant main control categories.
Compliance of responsible entities with the competency model shall undergo a three-stage audit. Accordingly; the first stage involves an “internal audit/gap analysis” to be conducted by the responsible entities by using their own resources, followed by a second stage, where a “sectoral audit” is to be performed by firms and personnel meeting the conditions determined by EMRA, and finally in the third stage, there is an “institutional audit” to be conducted by EMRA’s internal resources.
The Regulation does not provide specific provisions with regard to administrative sanctions to be imposed in case of a breach of the obligations. Hence, the type and amount of fines will be determined in accordance with the provisions stipulated in the primary legislations of the energy markets in which they operate.
Conclusion
The energy sector, classified as a critical infrastructure, is exposed to growing cybersecurity threats due to the increasing digitalization of energy systems. Following the cyber-attacks, the issue of information security for energy systems has gained prominence on the agendas of many countries, including Türkiye. In this regard, EMRA conducts the standards and controls to be applied in electricity, natural gas and petroleum sectors in Türkiye. The Cybersecurity Competency Model Regulation published in June provides a comprehensive framework for detecting, preventing, and responding to cyber threats and imposes obligations on the license holders in the electricity, natural gas and petroleum markets. Compliance with these obligations in the Regulation is essential not only for the operational energy facilities but also for the entire national grid and the integrated supply chain of energy infrastructure and the daily lives of the individuals.
SENIOR ASSOCIATE
Müşavvir Enerji / Elektrik Petrol ve Doğal Gaz Madencilik Taşımacılık ve Lojistik Kamu Özel İşbirlikleri ve İmtiyazlar İnşaat ve Altyapı Finansal Hizmetler Projeler ve Proje Finansmanı Bankacılık ve Finans Şirketler ve Ticaret Hukuku Sermaye Piyasası Hukuku Kamu İhale Hukuku Gayrimenkul Hukuku
INTERN LAWYER
Avukat Tüketim Ürünleri Enerji / Elektrik Madencilik Savunma Şirketler ve Ticaret Hukuku Birleşme ve Devralmalar Dava ve Uyuşmazlık Çözümleri
Stay Informed
Subscribe to stay up to date on legal and regulatory information.
ÇAKMAK © 2024 | All rights reserved.