The growing vulnerability of the European energy system
Almost ten years after 9/11, the EU has barely taken any steps to develop a common policy to protect its critical energy infrastructures. Responsibility for the security of the crucial energy infrastructure systems that our societies depends on continues to lie with the governments of member states, many of which do not give the matter much priority. At the same time, as the integration of the European energy market is proceeding apace, countries are becoming more and more dependent on each other's security systems. 'The chain is as strong as the weakest link.'
|'Few people realise that the electricity system has few back-up possibilities'|
Although he does not want to discuss specifics, Gregory, CEO and owner of security risk management consultancy Harnser Group, is apparently referring to a planned (but prevented) terrorist attack in London, aimed at the heart of the city's electrical power system. The "near disaster" prompted the British government to start a programme to look into detail at "critical (energy) infrastructure protection" or CIP as it is called nowadays. All this was before 9/11. It goes without saying that after 9/11, the importance of CIP has not diminished.
There is no question that modern society has become increasingly dependent on critical infrastructure, and in particular on power supply. Most people are aware of this. What few people realise, however, says Gregory, is that the electricity system has few back-up possibilities if certain critical components are knocked out. 'If you destroy a 400,000 Volt transformer, it could take between 6 and 12 months to build a new one. You cannot buy such components off the shelf. And they are not held in reserve.' Obviously, if the power supply were to be disrupted for such a long time, the consequences for society would be catastrophic.
Gregory notes that in the current situation there is no incentive for private operators to spend large sums of money on backup components that might never be used. 'There is a tension between societal needs and shareholder requirements. Companies have tight financial requirements. And reserve components and installations can be very costly.'
So who should take the responsibility to act, before disaster strikes us? First of all, national goverments, says Gregory. They should make sure that companies do what is necessary to protect critical infrastructure. They should also address the question of who is to pay the bill.
What is crucial in this respect, according to Gregory, is that the message gets through to the private sector at board level. 'At this moment, most CIP efforts take place at a lower management level. What is needed is that the responsibility for security is placed at the highest level within the company. It should be reported to the board, so that it can be monitored on a regular basis, and so that the board that can take the decisions that are needed to ensure that the networks and other installations remain safe.'
In his capacity as advisor to companies that are responsible for looking after critical assets, Gregory is well aware of the potential threats and risks. 'We recently audited a European transmission system operator that had a security system which worked like cameras in a supermarket. There was no information
|'We audited a transmission system operator that had a security system which worked like cameras in a supermarket'|
In another instance, Harnser was asked by a European gas transmission company to invesigate the vulnerability of the operations of a gas transmission system operator on the other end of a pipeline. 'We discovered that the other network was not very well protected, to say the least. This of course led to increased vulnerability to the network as a whole.'
International dependencies are a particularly complex issue when it comes to CIP. 'The continuing integration of the EU energy market is leading to growing interdependencies within Europe', says Gregory. 'A small failing somewhere in the system can have a cascading effect, which won't stop at the borders anymore. This means that any country these days is dependent on security measures taken in other countries. The chain is as strong as the weakest link.'
Given the continuing integration of the European energy market, the question is, how should responsibilities be divided between national governments and Brussels. Gregory believes that national governments are 'primarily responsible' for security issues. The European Commission does have a role to play, though. 'It has to ensure that member states do what is required.'
For example, Brussels has to continue to develop European regulation for the power and gas networks. Gregory notes that 'gas pipelines don't recognise national borders, but they are still mostly regulated on a national basis. So you get a complicated system of services over which no single operator or country has control. Incidentally, don't forget that gas supply is crucial to electricity production these days, as more and more power is produced in gas-fired power stations.'
So what has Brussels been doing in CIP since 9/11? So far, its actions look to have been fairly limited. In June 2004, the European Commission was asked by the European Council to prepare a 'strategy' to enhance CIP. In November 2005, it adopted a Green Paper, which led in 2007 to the adoption of a European Programme for Critical Infrastructure Protection (EPCIP). This resulted in December 2008 in the adoption of a 'Directive on the identification and designation of European critical infrastructures'.
|The protection of crucial energy infrastructure does not seem to be a high priority in the EU|
The Directive states that 'the primary and ultimate responsibility' for CIP rests on the member states. Their major obligation is to 'inform the other member states which may be significantly affected by a potential European Critical Infrastructure (ECI) about its identity and the reasons for designating it as a potential ECI'. Member states have to engage in 'discussions' with other member states that may be 'significantly affected' by the ECI. That's about as far as it goes.
For the Directorate-General of Energy, the Directive was a reason to set up a discussion group among energy infrastructure operators. This so-called 'Thematic Network on Critical Energy Infrastructure Protection' (or TNCEIP) is to meet every three months to exchange views. Its first meeting was held in December last year, the second one will take place on 14 April 2011.
According to José Antonio Hoyos Pérez, the Policy Officer at DG Energy responsible for this dossier, the TNCEIP network currently has some thirty members from across the EU. More would be welcome. He stresses that it is an 'informal talking group'. 'It is a purely voluntary platform to discuss CIP issues. We
|'There were widespread complaints that some European Union governments and private sector CEOs are not taking the issue seriously enough'|
The topic of the April meeting of the TNCEIP, says Hoyos Pérez, is threat assessment. The idea is that papers will be produced about this, but only for the network members. TNCEIP does not have a publicly available website. (For more information, see here)
Another action supported by the European Commission on CIP was the development of a risk management project in the form of the Euracom project, which was started in 2009. Euracom, which is funded under the 7th Framework Program (FP7) of the Commission, is a joint initiative of the the European Organisation for Security (EOS), three research centres - the Joint Research Council (JRC), the French Atomic Energy Commission (CEA), TNO of the Netherlands - and three private companies - Thales, Edisoft and Altran. Under the auspices of Euracom, several workshops were conducted last year which created a dialogue between operators, national governments and suppliers of security technologies ("the European Forum on Energy Infrastructures"). On 24 January 2011, a "final conference" was held, about which a report was published on 27 February.
At this conference, many of the same sentiments could be heard that are also voiced by Stephen Gregory. 'There were widespread complaints that some European Union governments and private sector CEOs are not taking the issue seriously enough, with many businesses viewing increased security measures as an unnecessary additional cost', notes the report on the conference.
Alexander Pschikal, Ministerial Counsellor in the Security Policy Department of Austria's Federal Chancellery, gave a strong warning that a number of European governments are not taking the
|'At least four member states did not identify any critical infrastructure in the energy sector'|
Luigi Rebuffi, Chief Executive Officer of EOS (European Organisation for Security), says in a telephone interview with EER that he is not happy with the progress that is being made on CIP in Europe. 'Many governments are lagging behind, and many companies are reluctant to share information, especially oil companies.' He notes that security of energy supply is a high priority for the European Commission, but the Commission only looks at the aspect of diversification of supplies, and pays little attention to the equally important issue of CIP.
According to Rebuffi, Euracom will come out with a final report by the end of March, after which the project will officially end. He says it is certain that it will be followed up, but not yet how this will be done. 'The use of the risk management methodology we developed for the implementation of the Directive, is already being considered by a few member states. But we are still finalising the results. We should come out with more details soon', he says.
One particular threat that was highlighted at the conference is the relatively new risk of cyberattacks. ‘The internet is a terrorist instrument’, said Fernando Sanchez Gomez, Director of the National Centre for the Protection of Critical Infrastructure at the Ministry of the Interior in Spain. ‘This is a real threat.’ Eric Luiijf, a CIP specialist at TNO, a leading Dutch research centre, concurred. He pointed out that ‘the increased divulgence of data being exchanged by companies as a result of the push for European energy market liberalisation was increasing their vulnerability to hackers’.
Joachim Vanzetta, Chairman of the Working Group on Critical System Protection at ENTSO-E (European Network of Transmission System Operators), made the interesting point that the advent of renewable energy is also having consequences for the vulnerability of the power system. ‘A big task for example in Germany is that we have to transport renewable energy from the northern part of Germany to the southern part … and therefore we need a lot of new transmission lines … Then comes that the problem that people do not want to have new lines. They want to have green energy, but they do not want to have transmission lines.’
Stephen Gregory notes that in addition to threats from terrorist attacks, energy companies should also be aware of the possibility of attacks from environmentalists. ‘They may have very different intentions, but they can still cause a lot of damage.’ In this respect, for an energy producer to reduce its CO2-emissions is also to lower the possibility of environmentalist threats, says Gregory.
But perhaps the most fundamental problem at the moment, according to Gregory, is that when it comes to CIP, ‘there are no generally accepted international standards’. There is no harmonisation. Both the
|'What is at stake is the very state of welfare and the daily lives of the citizens'|
Until such time, however, the reality is that our societies remain quite vulnerable. Even though, as Sanchez Gomez said at the Euracom conference, ‘what is at stake is the very state of welfare and the daily lives of the citizens. We are so dependent on these services that we simply cannot do without them … we would be paralyzed and we would be taken back to the Stone Age’.