IEA (2020), Power Systems in Transition, IEA, Paris https://www.iea.org/reports/power-systems-in-transition
Emerging trends in the electricity sector – namely the energy transition, cyber threats and climate change – will require a rethinking of traditional frameworks for ensuring electricity security. The good news is that policy makers, regulators, system operators and industry have a solid basis from which to build. The basic tenets of electricity security, embodied in existing practices for achieving operational security, adequacy and system resilience, can evolve to adapt to the trends of the future. Moreover, new technologies expand the set of tools that they can use to maintain security of supply.
Many countries have already started to put in place policies, rules and practices that address these major trends affecting their power sectors, offering important lessons. While each trend or threat to the system might require a specific, tailored security response, several overarching action areas can serve as the basis for achieving more appropriate electricity security frameworks for the future. These are as follows: institutionalising responsibilities and incentives; identifying risks; managing and mitigating risks; monitoring progress; and responding to and recovering from disruptions.
Establishing clear responsibilities, incentives and rules across the electricity system is imperative for ensuring security in the face of shifting trends and threats. In the case of power supply disruptions, regardless of their cause, a clear framework for assessing threats, communicating risks, allocating accountability and responding to incidents is an essential first step for ensuring the security of the electricity system. To this end, an important element in institutionalising responsibilities entails co‑ordination and communication among all participants in the system, in particular to avoid overlapping responsibilities or actions. Relevant incentives need to be created for various actors throughout the electricity system to ensure compliance.
- Regulators in restructured markets: assess constantly the market to ensure the market design is bringing the adequacy, flexibility and stability services needed for the secure operation of the system.
- System operators: update constantly the interconnection standards of new technologies.
- Policy makers: provide enough forward visibility of the policies affecting the power sector – considering inputs from other authorities and stakeholders into the process.
- System operators in jurisdictions relying increasingly on gas-fired plants as a flexibility resource: include gas-related contingencies in their adequacy assessments.
- Regulators: provide a clear framework to provide every power sector stakeholder with a clear set of obligations to prevent threats and to react in exceptional circumstances.
- Regulators: assign responsibilities for co‑ordinated action between the operators of the transmission and distribution systems, including where systems are interconnected.
- Policy makers: designate responsible authorities to set objectives, give direction on measures and assess their implementation.
- Policy makers and regulators: implement co‑ordination mechanisms between responsible authorities (both within and outside the electricity sector) to avoid conflicts between various regulatory levels.
- Policy makers and regulators: incentivise or oblige regulated and non-regulated entities to implement cybersecurity safeguards. Measures should aim to improve outcomes, rather than relying only on compliance-based processes that risk becoming a box ticking exercise.The level of enforcement needs to relate to how critical the organisation is to wider system reliability. Positive incentives need to be considered to foster transparency, co‑operation and co‑ordination.
- Policy makers, regulators and industry: increase the level of awareness of the need for cyber resilience across the sector, including in electricity-related agencies and authorities.
- Policy makers: bring climate resilience into the mainstream as a core element of energy and climate plans and regulations.
- Policy makers and regulators, in collaboration with system operators: create long-term scenarios highlighting possible implications of changing weather patterns and extreme weather events for the security of electricity supply.
- Policy makers and regulators: create appropriate incentives for utilities to facilitate timely investment in resilient electricity systems.
Identifying risks to the electricity system will be a central element of minimising and responding to them. Ensuring that critical risks are known, assessed regularly, prioritised and communicated to relevant actors is essential. To this end, system-level risk analyses should be conducted regularly by designated organisations to identify key threat scenarios and system vulnerabilities. These organisations should communicate the risks they identify to system actors and those actors should implement security protocols based on the level of risk assessed.
- System operators: conduct regular adequacy-of-supply assessments, including appropriate methodologies adapted to new technologies, considering VRE variability and all system uncertainties.
- Regulators should ensure assessments cover the risks associated with dependence on specific fuel sources.
- Policy makers and regulators: ensure designated organisations regularly conduct system-level risk analyses to identify key threat scenarios and system vulnerabilities.
- Utilities and operators: identify and classify assets, systems and interfaces according to their risk level (likelihood and impact) and assign security measures according to level of system risk.
- Policy makers and industry: facilitate public–private cyber risk information sharing.
- Policy makers and system operators: assess climate risks and impacts based on strong scientific evidence.
Power systems need to improve preparedness against risks across the electricity supply chain. In this regard, system assessments in areas such as adequacy and cyber resilience, long-term planning exercises and the setting of standards and sharing of best practices all play important roles. To mitigate risk, policy makers also need to consider establishing market frameworks that provide appropriate investment signals to holders of assets that provide system security and flexibility. They also need to build capacity in new areas like cybersecurity.
- Policy makers: assess where increased diversity of the power mix could ensure resilience against social, geopolitical, market, technical and environmental risks.
- Regulators and system operators: consider all flexibility sources as options to satisfy adequacy in long-term planning.
- Regulators and system operators: set rules that reward energy sources for their actual contribution to secure operation, instead of an expected or average contribution.
- System operators: develop grid codes to future-proof connection requirements.
- Regulators: create investment frameworks to take advantage of smart grid infrastructure, enabling a higher degree of visibility and controllability of demand response, storage and VRE.
- System operators: review and adapt historic load-shedding plans in the context of embedded generation, digitalisation of the entire value chain and greater economically viable demand response.
- Policy makers and industry: provide accessible tools and guidance on cyber resilience best practices.
- Utilities: implement proper risk management strategies to identify capabilities and risks of their systems from both IT and OT perspectives. Establishing a clear risk management strategy can help prioritise areas of work and investment decisions to maximise benefits.
- Policy makers, standards bodies, industry and researchers: develop facilities to test and validate effective implementation of cybersecurity measures and controls.
- Policy makers and standards bodies: consider certification of products and services by carefully analysing criticality, enforcement options and market impact.
- Policy makers and industry: develop capacity building for cybersecurity to ensure skills and resources evolve appropriately. This involves achieving buy-in and a basic understanding across the entire organisation. Mandatory training and certification of critical staff should be considered.
- System operators and utilities: identify cost-effective resilience measures and check if they could have synergies with other business objectives or involve trade-offs.
- Policy makers and regulators: provide plans and guidelines to ensure decision makers have considered all potential risks and available measures over the entire life cycle of an asset.
- System operators: support physical system hardening of electricity systems, such as technical and structural improvements to power plants, or transmission and distribution networks.
- Regulators and system operators: enhance visibility and controllability in system operation with advanced weather forecasting, smart grid technologies, or application of islanding schemes.
Regulators need to ensure that mechanisms and tools to evaluate, monitor and track progress over time are made available. This is important at the operational level for individual utilities, as well as at the level of policy makers and regulatory authorities to understand if strategic objectives are being met. Monitoring mechanisms should include those that assess preparedness, build knowledge on emerging threats and share incident reporting.
- Regulators: keep track of power system reliability and perform resilience tests.
- Regulators: mandate common planning procedures and information-sharing tools in interconnected systems.
- Policy makers and regulators: develop or provide mechanisms and tools to continuously monitor preparedness.
- Policy makers and regulators: develop mechanisms to monitor and build knowledge around emerging threats. This is an area where partnerships and communication with the intelligence community is essential.
- Policy makers, the intelligence community and industry: develop and support active threat hunting and cyberthreat intelligence mechanisms to prevent or limit the damage from high-end attacks.
- Equipment providers and utilities: conduct active monitoring of the supply chain to detect vulnerabilities.
- Policy makers and industry: develop mechanisms to share incident reports and other information.
- Policy makers: adjust resilience measures based on an evaluation system and consultations with stakeholders to enable the constant improvement of adopted resilience measures.
Resilience of the electricity system needs to go beyond preventing incidents to also include mechanisms that effectively cope with outages or attacks. This includes comprehensive emergency response frameworks and clear delineation of responsibilities. Emergency response exercises have proven to be effective at boosting preparedness and response capability. Gathering data and lessons learned is also an important element in response and recovery to help prevent mitigate the impact of future events.
- Policy makers: review substantial events like outages to learn lessons and adapt policies.
- Regulators and system operators: assess and reform adequacy mechanisms when temporary or structural out-of-the-market measures are applied, to guarantee secure operation.
- Regulators and system operators: implement procedures to take advantage of new resources to support recovery, such as distributed generation.
- Utilities: implement robust response and recovery procedures that help maintain operations in the event of a cyberattack, with clearly allocated responsibilities to all main actors.
- Policy makers and utilities: execute regular response exercises and capture lessons learned and adapt practices.
- Policy makers, regulators and industry: stimulate information logging and sharing to facilitate analysis of actual incidents.
- Policy makers, regulators, and system operators: co‑ordinate recovery efforts among diverse actors.
- Policy makers, regulators, and system operators: support capacity building for a better response to and faster recovery from climate impacts.