LEGAL AND REGULATORY FRAMEWORK FOR ENSURING CYBERSECURITY IN THE ENERGY SECTOR
DOI: https://doi.org/10.28925/2663-4023.2026.33.1289

Keywords: cybersecurity; energy sector; critical infrastructure; NIS2 Directive; ISA/IEC 62443; operational technology; nuclear safety; risk management; quantum resilience; artificial intelligence.

Abstract
The article conducts a comprehensive study of modern regulatory and technical approaches to ensuring cybersecurity in the energy sector amidst large-scale digitalization and the rise of hybrid threats. The relevance of the research is driven by the active convergence of information technology (IT) and operational technology (OT), which opens new attack vectors against industrial automation and control systems (IACS), such as SCADA, DCS, and PLCs. Special attention is paid to the specifics of protecting Ukraine's critical infrastructure, whose power grids have already been targets of sophisticated attacks, such as CrashOverride/Industroyer, necessitating immediate system hardening in line with international standards.
The study provides a detailed overview of key international standards, including the ISA/IEC 62443 series, which implements the concept of zones, conduits, and security levels (SL 1–4) to minimize the risks of sabotage and interference in energy facility operations. The impact of the NIS2 Directive is analyzed, as it establishes mandatory requirements for risk management, supply chain security, and leadership accountability for entities of high criticality. The role of NERC CIP standards in ensuring the reliability of the bulk electric system and the flexible approach of NIST CSF 2.0 combined with the C2M2 maturity model are examined separately.
Significant attention is devoted to the protection of nuclear energy based on IAEA NSS-17-T and IEC 62645 standards, where the priority of integrity and availability over confidentiality is critical to preventing radiation incidents. The article analyzes the graded approach to protecting sensitive digital assets (SDA) and the deterministic isolation of critical systems as per the NEI 08-09 model.
The research results highlight future challenges, particularly the "quantum threat" and the "harvest now, decrypt later" (HNDL) adversary strategy, which requires a transition to post-quantum cryptography (PQC). The potential of artificial intelligence (tools like SecureAI) for automated anomaly detection in industrial protocols such as Modbus/TCP and OPC UA is highlighted, along with the need to integrate AI risk management through the NIST AI RMF. The conclusions emphasize that for Ukraine, the harmonization of national DSTU standards with European norms is a necessary condition for the cross-border synchronization of power grids and ensuring national resilience.
License
Copyright (c) 2026 Вікторія Лукашенко, Олександр Добринчук, Сергій Гричук

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.