Kiisa is a small town in Estonia that hosts one of the largest battery parks in Continental Europe. Completed this year at a cost of 85 million euros, it is an ultra‑modern facility located right next to emergency power plant.

Like other modern systems, it is connected to the internet — a gateway through which hostile actors constantly attempt to attack it. To mitigate risks, the park's operator, Evecon, has made significant investments.

"Here in the battery park alone, we have implemented three different communication solutions so that if something happens to one, the others remain available. said Evecon CEO Karl‑Joonatan Kvell. "We have both physical cable connections and wireless ones. We have also duplicated transformers."

Strengthening solar security

Another local energy company Sunly has built a state‑of‑the‑art solar park in Risti, Estonia. The 350,000 solar panels — costing 120 million euros — will begin operating at full capacity this summer, producing up to 244 megawatts. But malicious actors from the east are constantly trying to find weak points there as well.

"Sunly has significantly increased its cybersecurity capabilities over the past two years," explained the company's IT director Paul Post. "At the moment, this doesn't mean anything unexpected for us. We are investing further in our systems to ensure we can meet continuity obligations, and of course in training our people and conducting exercises to play through different scenarios in case a real incident occurs."

New obligations for operators

Although both Evecon and Sunly are newcomers to the electricity market, the rules for them will soon become even stricter. Estonian government is amending the Electricity Market Act, which would classify them as providers of vital services (ETOs). In simple terms, this means they would no longer be generating electricity just for their own business interests — they would become essential to the functioning of the national electricity system. This applies to all operators with a capacity of 90 megawatts or more.

"For a provider of vital services, this primarily means increased obligations in risk assessment and ensuring continuity," Paul Post said. "For example, we must additionally train our employees and conduct various exercises. Naturally, we must also invest in digital infrastructure so that it meets continuity requirements."

Sunly had assumed it would become a vital service provider (ETO) in any case, because the Risti park and its other production units are large enough under the current law. But for Evecon, this is an rather unpleasant surprise, and according to the company's CEO, additional requirements should come with state support.

"If we start imposing these requirements, then the state must also be able to give something in return," Karl-Joonatan Kvell said.

Lessons from the Ukrainian front

In light of recent drone incidents, the government is planning an amendment to the Law Enforcement Act. This would allow owners of critical infrastructure to procure their own drone technology to defend against potential attacks.

"The war in Ukraine has shown quite clearly that even partially damaged solar or wind parks can continue operating after an attack," Post noted. "Elering [Estonia's national transmission system operator] has done excellent work mapping these risks. Protecting substations is a vital step based on the Ukrainian experience, as these are often the primary targets alongside production facilities."

However, Post clarified that while they are responsible for risk mitigation, they aren't looking to become a private militia: "In terms of active drone defense, we trust the Defence Forces and relevant state agencies. We do not wish to build those specific military-grade capabilities ourselves."

--

Follow ERR News on Facebook and X and never miss an update!