On Friday 4th May, the Florence School of Regulation hosted a policy workshop on The Economics of Cybersecurity for the Energy Sector: Towards Energy Regulation 4.0.
The event, directed by Alberto Pototschnig (ACER Director and FSR Senior Advisor), gathered renowned academics, delegates from FSR donor companies, national regulators, ACER and representatives of the European Commission to develop a shared view on possible regulatory paths that can help the energy sector enter the ‘Industry 4.0’ era with ease.
Listen to the podcast: “A Regulatory Framework for Cybersecurity in Energy – the US Experience”
The first session reviewed the current state of thinking on the economics of cybersecurity for the energy sector and attempted to identify how cybersecurity investments should be evaluated. The difficulty of identifying effective metrics was largely recognised as one of the main challenges: pinpointing metrics that are easy to measure is a good starting point, but such metrics can be highly misleading. Indeed, functional and useful metrics should factor in the “economics” of the continuous evolution of technology and cyber-threats, as well as who carries out a cyberattack.
Despite the uncertainties, investing in cybersecurity remains essential to prevent cyber-attacks, lower their probability and limit the damage they may inflict on both the energy system and the companies working within it. Preventive education of employees and information sharing among the various energy system actors are both crucial to reduce risks and their related costs. However, for several energy enterprises, especially the smaller ones, investing in cybersecurity may be economically and technically demanding. It should be the responsibility of national regulators and policy-makers to provide an appropriate framework and ease access to financing, in order to ensure that cybersecurity standards are up to date among all energy stakeholders.
At the European level, current initiatives aim to develop specific guidance for the energy sector to ensure the implementation of the NIS Directive and enable information sharing and coordination among Member States.
Listen to the podcast: “Digitalisation of energy and the challenges of cybersecurity”
The second session of the workshop shifted the focus to the current approach to the economic regulation of the energy sector, to assess whether it is suitable for addressing cybersecurity and its costs, or whether a new regulatory paradigm is necessary. A comparison was drawn with the regulation of service quality, highlighting the similarities and the differences that regulators and regulated companies may have to deal with. Examples and experiences were considered from both Europe and the US.
The workshop’s concluding discussion showed how crucial additional theoretical analysis and practical experimentation on cybersecurity are. Participants agreed on the importance of sharing best practices and information on cyber-threats and solutions. Enhanced cooperation, not competition, should occur between regulatory authorities and energy companies (both regulated and not): given the strong interdependence and externalities of cybersecurity, it is essential that no one is left behind.