BSI ready to play a leading role in protecting the energy sector

26.05.2025

Source: E & M powernews

The Federal Office for Information Security refers to cyber threats to the energy industry and brings itself into play as a central element of the security architecture.

The Federal Office for Information Security has numerous points of contact with the energy industry. One of the authority's departments is even dedicated exclusively to cyber security for the digitalization of the energy transition and is a key authority when it comes to cyber security in smart metering. The BSI has now published a position paper entitled "Cybersecurity in the German energy sector".

And right at the beginning of the four-page document, the authors make it clear: "Energy security is a cornerstone of the national security architecture." The attack surface for cyber attacks is increasing. At the same time, the actual threat situation is also intensifying. The energy sector is a particular focus of state-supported operations, for example from Russia, China, Iran or North Korea. These are aimed at destabilization and espionage.

In addition, criminal groups are active that specifically blackmail energy companies with ransomware. Finally, hacktivists who carry out ideologically motivated cyberattacks against the energy industry are also a threat.
Uniform security requirements necessary

The threat situation is changing, particularly in the context of the energy transition with the increasing decentralization, digitalization and networking of systems and power grids. Increased systemic complexity and vulnerability - this is how the BSI sums it up.

Attacks on utilities and their software suppliers in recent months and years have shown that cyber criminals are increasingly targeting the industry's supply chains. At the same time, they are also increasingly trying to attack device manufacturers, such as inverters or smart meters.

The consequences of successful attacks can be serious, ranging from supply bottlenecks to total power outages. Not to mention the consequential damage and problems, including for public safety and the supply of basic goods.
Against this backdrop, the BSI is advertising on its own behalf. The authors emphasize that the authority's experts are ready to "assume the central management role for cyber security in the energy sector - as a guideline provider and coordination body". However, in order to be able to fulfill this task, the following requirements must be met:

• Uniform requirements in all critis sectors and clear specifications for all players in the energy system, regardless of the size of the company.
• Uniform, sector-specific safety standards for all players, from grid operators to decentralized plants.
• Extended regulatory powers of the BSI, including intervention powers in the event of cyber incidents.
• Outside the critical sectors, the cyber security of facilities must be ensured through preventive standards, sector-specific control layers and effective market surveillance.

The BSI emphasizes its expertise and willingness to participate in the development of technical standards. To ensure technical resilience, the authority advises a three-stage approach: firstly, basic protection of the entire supply infrastructure and secondly, the "hardening of central components", such as grid control technology or the smart meter gateway infrastructure. Finally, exposed systems must be "highly securely protected".

Three-stage approach for technical resilience

The authority reiterates its willingness to cooperate and share information several times. In addition to companies from the energy industry, the message is also aimed at other authorities at state and federal level as well as training institutions and research institutes.

"The energy sector is at the center of a strategic security turnaround," it concludes. A rethink on cyber security issues is necessary and Germany must invest in its protection. And the BSI is ready for "a leading role in securing the energy sector".

Author: Fritz Wilhelm