The European Network for Cyber Security (ENCS) is a non-profit organization dedicated to enhancing cybersecurity across the European Union. Owned by grid operators, including Distribution System Operators (DSOs) and Transmission System Operators (TSOs), ENCS works to improve cybersecurity in critical infrastructure. ENCS operates through three long-term security programs, developed and managed in close collaboration with its members, who are experts in EU cybersecurity. The organization focuses on generating and sharing knowledge through events, security requirements, and best practice documents. To support its members, ENCS offers accessible expertise through testing, training, and consulting services tailored to their needs. By fostering collaboration and knowledge exchange, ENCS plays a vital role in strengthening the cybersecurity resilience of Europe’s critical infrastructure.
With Anjos Nijk, Managing Director of the European Network for Cyber Security (ENCS), we discussed the efforts to enhance cybersecurity in Europe’s critical energy infrastructure, tackling regulatory challenges, supply chain vulnerabilities, and future threats, while advocating risk-based, expert-driven, and collaborative approaches. In addition to his duties with ENCS, Anjos is a member of the Steering Committee of the Smart Grids Task Force of the European Commission Directorate-General for Energy, member of the Cyber Security Expert Group and ENCS liaison with European associations including EDSO, ENTSO-E and EUTC.
ENCS has been at the forefront of cybersecurity for critical infrastructure since its founding in 2012. For those who may not be familiar, can you give us an overview of ENCS’s mission and how it has evolved over the years to address the growing cybersecurity challenges in Europe’s energy sector?
ENCS’s mission from the outset has been to enhance the cybersecurity of Europe’s critical infrastructures through collaboration and knowledge sharing. Building a pool of cybersecurity experts to work with specialists and stakeholders of member organisations has been central to ENCS’s efforts, enabling the development and implementation of good practices and state-of-the-art security services.
Our initial focus areas included addressing smart meter cybersecurity and establishing cybersecurity awareness trainings. This comprised realistic Red Team/Blue Team training using real operational technology (OT) and business IT systems, allowing participants to experience how real-life cyber-attacks could impact grid operations and services.
With a focus on risk assessments to establish security requirements sets for grid equipment to be used in procurement, and by developing associated cybersecurity testing capabilities, ENCS also started to address supply chain issues. This work involved closely collaborating with European grid operator associations and laid the foundation for ENCS’s contributions to European cybersecurity working groups and standardisation committees. Additionally, ENCS has engaged with stakeholder groups such as charge point operators (CPOs) and operators of other IoT systems, to address the evolving risks of connected infrastructures.
The 7th Cybersecurity Forum highlighted the challenge of implementing new regulations like NIS2, NCCS, and the CRA. From your perspective, what are the key roadblocks for DSOs and TSOs in translating these regulations into actionable, practical steps?
The most significant roadblock is the uncertainty surrounding what exactly is going to be required from the CRA and NIS2 transposed national laws, as well as when these requirements will come into effect. Different national authorities may be appointed to oversee governance tasks for various legislations, each requiring distinct processes, information and reporting according to different timescales.
The deadline for transposing NIS2 into national law was missed by almost all EU member states. While NIS2 mandates that risk assessments and reporting are conducted, it does not specify how or when these should be done. For NCCS, it will take several years (until 2028) to complete the cycle of risk assessments needed to develop the common minimum requirements that will deliver the actionable, practical steps to the involved entities.
For CRA, there is still uncertainty regarding which products will fall into what category of criticality and what standards will be used for the harmonised standard. Many regulations mandate the implementation of an Information Security Management System (ISMS). ENCS has been proactive in creating good practices and helping members to implement ISMSs in a way that ensures compliance with the requirements of multiple regulations.
In your view, how can the European cybersecurity community strike the right balance between the evolving cybersecurity threats and the need to remain cost-effective?
Expert insight and involvement are crucial in achieving this balance. Evolving cybersecurity threats often trigger regulators and authorities to introduce more controls and security measures, which can easily result in an overload of checklists and simplified generic solutions that fail to address the underlying issues. We need to avoid this kind of unnecessary overhead cost.
This can be achieved by basing measures on thorough risk assessments and adopting a defence-in-depth approach. This approach ensures that not every product has to meet the highest requirement, focusing resources where they are most effective. However, this can fail or even produce adverse results without the appropriate level of expertise.
To build the required level of expertise, it is essential to pool the best experts, enabling collaboration with domain specialists to develop and share tailored content and solutions. By doing so, the cybersecurity community can maximise the value of this extremely scarce expertise while effectively addressing both threats and cost considerations.
As supply chains become longer and more complex, managing cybersecurity risks in this area becomes increasingly critical. What strategies or methodologies is ENCS advocating for to mitigate supply chain vulnerabilities effectively?
Supply chain security is a complex issue because multiple techniques – such as exploiting configuration and software vulnerabilities – can be used to create big impacts and it is impossible to assure that no backdoors are present in components making up the grid. But there is a lot you can do to manage these risks.
It starts with analysing the risks in the architecture in which the component sits and deriving security requirements for those components to mitigate the identified risks. These security requirements must then be integrated into the procurement process as a selection criterion, ensuring that only fully compliant products are accepted.
As a next step, security testing is required to validate that the requirements have been implemented correctly, combined with contractual sanctions if this is not the case. Independent penetration testing should also form part of the testing process. The testing process needs to be structural and repetitive, involving experts with in-depth knowledge of grid operations, technology, and evolving threats. Without this level of expertise, the risk of introducing “false security” is high, meaning that components with security flaws will be marked as being secure. Addressing this issue is crucial for the successful implementation of the European cybersecurity certification programme.
The need for a more practical approach to risk management was a key discussion at the Forum. What role is ENCS playing in developing methodologies that are adaptable to the diverse needs of energy grids across Europe?
Before you can manage risk, you first need to understand it and its potential impact. This requires OT security experts, grid operations experts, and grid technology experts to conduct risk assessments, identify and qualify the risks, and determine the risk owners. This approach forms the core principle of the Network Code for Cybersecurity (NCCS).
Under Article 18 of the NCCS, the European Network of Transmission System Operators for Electricity (ENTSO-E), in cooperation with the EU DSO Entity, will develop a proposal for methodologies for cybersecurity risk assessment. The document outlines methodologies for risk assessments at three levels: the Union-wide risk assessment, the regional risk assessment, and the risk assessment at member state level. No methodology is prescribed for risk assessments at entity level, as entities may choose their own.
ENCS supports ENTSO-E and DSO Entity in drafting these methodologies and assists its members with their implementation.
There is a call for the inclusion of DER, aggregators, and EV charging operators into risk management strategies. How can stakeholders in these sectors better align with the energy sector’s cybersecurity goals, and what role should ENCS play in facilitating this collaboration?
Operators of such infrastructures would benefit from applying the NCCS principles and participating in the risk assessment cycle at association level. Many parties accountable for these infrastructures – such as charge point operators (CPOs), municipalities, provinces or newly established private entities – often lack in-house cybersecurity expertise or a deep understanding of chain risks, including the risks they impose on connected infrastructures.
By joining ENCS as members, these stakeholders would gain access to essential expertise. ENCS could help them with cybersecurity education, training, and security testing. Additionally, ENCS can collaborate with relevant associations to develop security requirements for use in procurement processes and conduct security testing to ensure compliance. This approach would help align these stakeholders with the energy sector’s cybersecurity goals while enhancing the overall resilience of the interconnected infrastructure.
Given ENCS’s role in applied research and testing, how is your organization helping its members, particularly DSOs and TSOs, to build the capacity required to meet both the new regulatory demands and the sophisticated nature of emerging cyberattacks?
ENCS drives three security programmes to develop good practices and training in the areas of security policy, security architecture, and security operations, all funded by membership fees. Information and knowledge sharing is a core part of these programmes, facilitated through regular security roundtables addressing threat developments and incidents, as well as workshops and webinars.
ENCS supports its members in implementing these good practices by applying security requirements in procurement processes and performing security tests on both components (lab tests) and systems (on-site tests). Additionally, ENCS has developed a dedicated OT security training programme, developed by ENCS and delivered in collaboration with grid operator associations, to systematically level up security awareness and skills.
Through close collaboration with European TSO and DSO organisations, as well as the European Commission, on the development of regulations, ENCS ensures its members are informed at an early stage. This enables proactive implementation of upcoming requirements, helping members avoid excessive costs while meeting new regulatory demands.
With the increasing pace of digitalization and electrification in Europe’s energy grids, what future challenges do you foresee for the cybersecurity of critical energy infrastructure, and how is ENCS preparing to tackle them?
The biggest challenge is the growing threat of nation-state activity aimed at sabotage. While criminal activity will undoubtedly continue to grow, the level of expertise and investment required to enter the OT domain and execute sabotage operations is something that only nation states can achieve.
To stay ahead, it is essential to understand the complex attack scenarios that can make a real impact on the grid. ENCS is heavily focused on this, but authorities remain reluctant to share threat intelligence and analysis. Early detection of attacks, particularly advanced persistent threats (APTs), is crucial. ENCS has developed a dedicated security operations programme to build this expertise and test the effectiveness of cutting-edge OT intrusion detection systems. The results of these efforts are shared with all members, alongside the establishment of a security analyst community where members exchange events and create and exchange good practices.
Additionally, there is a pressing need to clarify roles and responsibilities between national authorities, the military and grid operators in the event of a major black-out. This requires multi-level exercises at European, national and entity levels. ENCS’s Red Team/Blue Team training has set the standard for the grid sector in Europe for many years, and ENCS is continuously improving this training, drawing on insights from European H2020 research projects, amongst other sources.
What lessons from the 7th Cybersecurity Forum do you believe are most crucial for ensuring that Europe sets a global benchmark for grid security, and how can ENCS contribute to realizing this vision?
In my view, the key lesson is very much about prioritising result-oriented approaches over process-oriented ones. Instead of seeking a “silver bullet” solution to address all issues, we should focus on implementing security through the defence-in-depth principle, leveraging the right level of (high) expertise. Collaboration and the development of standards that effectively address real issues are essential.
This is precisely where ENCS adds value to the stakeholder community. ENCS provides expertise in areas such as risk assessment, supply chain management, testing and training, which are reflected in NCCS. Moreover, global organisations like the World Bank have started to engage with ENCS to foster implementation of these approaches with their clients, helping to set a global benchmark for grid security.