Abstract
Electricity is an integral part of all modern economies, supporting a range of critical services including health care, the internet and transportation. The secure supply of electricity is thus of paramount importance. Digitalisation is rapidly transforming the electricity system, bringing many benefits for businesses and consumers. At the same time, increased connectivity and automation could raise risks to
cybersecurity and the threat of cyberattacks. A successful cyberattack could trigger the loss of control over devices and processes in electricity systems, in turn causing physical damage and widespread service disruption. Using real-world examples, this report offers guidance to policy makers, electric utilities and other stakeholders on how policies and actions could enhance the cyber resilience of electricity systems.

Executive summary
Digitalisation offers many benefits both for electricity systems and clean energy transitions. At the same time, the rapid growth of connected energy resources and devices is expanding the potential cyberattack surface, while increased connectivity and automation throughout the system are raising cybersecurity risks.
The threat of cyberattacks on electricity systems is substantial and growing.
Threat actors are becoming increasingly sophisticated at carrying out attacks. A successful cyberattack could trigger the loss of control over devices and processes, in turn causing physical damage and widespread service disruption.
While the full prevention of cyberattacks is not possible, electricity systems can become more cyber resilient – to withstand, adapt to and rapidly recover from incidents and attacks, while preserving the continuity of critical infrastructure operations. Policy makers, regulators, utilities and equipment providers have key roles to play in ensuring the cyber resilience of the entire electricity value chain.
Policy makers are central to enhancing the cyber resilience of electricity systems, beginning with raising awareness and working with stakeholders to continuously identify, manage and communicate emerging vulnerabilities and risks. Policy makers are also ideally placed to facilitate partnerships and sectorwide collaboration, develop information exchange programmes and support research initiatives across the electricity sector and beyond. Ecosystem-wide collaboration can help to improve understanding of the risks that each stakeholder poses to the ecosystem and vice-versa.
Information sharing can enhance cyber resilience across the system for all electricity sector stakeholders. Stakeholders should be encouraged to share information on vulnerabilities and actual incidents, be transparent on implemented policies, and share information and best practices at national and international levels.
A wealth of existing risk management tools, security frameworks, technical measures and self-assessment approaches are available. Policy makers and industry need to apply what is relevant in their context and approach resilience as a continuous process rather than a one-time milestone. Policy makers and the
industry should both commit to an approach based on ongoing collaborative dialogue.

Governments around the world can enhance cyber resilience through a range of policy and regulatory approaches, ranging from highly prescriptive approaches to framework-oriented, performance-based approaches. Approaches that are more prescriptive have the advantage of allowing for more streamlined
compliance monitoring, but they could face challenges in keeping pace with evolving cyber risks. Less prescriptive, framework-based approaches allow for different approaches and implementation speeds across jurisdictions, but they raise questions around how to establish a coherent and robust cross-country
approach to cybersecurity with tangible and effective impact. Implementation strategies should be tailored to national contexts while considering the global nature of risks.
Cyber resilience policies need continuous review and adaptation. Further decentralisation and digitalisation of the electricity sector – especially at the distribution level (smart meters, connected consumer devices) – shifts the risk exposure to the grid edge. Effective policies need to look beyond bulk utilities and consider the entire electricity chain, including supply chains.
Supply chain security is an international issue. To demonstrate security preparedness, certification or other similar mechanisms based upon existing international standards need to be institutionalised and interoperable at the global level, where deemed appropriate.