The EU, with help from the European Commission and the EU Agency for Cybersecurity (ENISA), has published its first report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.
Key Risks Identified
The report highlights several significant risks, including:
- Supply Chain Security: The main concern, especially for 5G and renewable energy projects.
- Lack of Cybersecurity Professionals: A shortage of skilled professionals increases vulnerability.
- Malicious Activities: Threats from cybercriminals and state-sponsored attacks.
The evaluation also detailed technical and non-technical risks. Here are some of the specific concerns:
Telecommunications Sector
- Supply Chain Risks: Particularly concerning with the rollout of 5G.
- Cyber Threats: Ransomware, data-wiping malware, and zero-day exploits are ongoing issues.
- Physical Threats: Attacks on cable infrastructure and satellite signal jamming are hard to prevent.
Electricity Sector
- Insider Threats: Difficulty in properly vetting new hires and attracting local talent.
- Cyber Threats: Similar to the telecommunications sector, with added concerns about operational technology.
Recommendations for Improvement
To address these risks, the report suggests several measures across four main areas:
Strengthen Resilience and Cybersecurity Posture
- Share best practices on handling ransomware and monitoring vulnerabilities.
- Improve human resource security and asset management.
- Increase cooperation with technical networks, law enforcement, and international partners.
- Conduct self-assessments as per the NIS2 and CER Directives.
Enhance Situational Awareness and Information Sharing
- Include geopolitical context, potential physical harm, and disinformation in assessments.
Improve Contingency Planning and Crisis Management
- Shorten communication lines between sectors and cybersecurity authorities.
Secure Supply Chains
- Assess dependencies on high-risk providers.
- Develop an EU framework for supply chain security.
Given the importance of these sectors and the evolving threats, the report encourages the rapid implementation of these recommendations. This work has already begun based on previous efforts.
For more details, you can download the full report.
Background
In May 2022, the EU Council requested a risk evaluation and the creation of risk scenarios for possible cyberattacks on member states or partner countries. In May 2023, the Council further emphasized the need to consider these risk scenarios when planning cybersecurity measures and exercises. This report builds on a February 2024 publication on the cybersecurity of EU communication infrastructures and networks.
This report is crucial for understanding and mitigating the risks to Europe’s vital telecommunications and electricity sectors.