WP-042-2021: Response to the ACER consultation on the framework guidelines

On April 31, ACER published draft framework guidelines for the network code on cyber-security as part of a public consultation. The framework guidelines set the general principles the network code should meet. They build on the previous work from the Smart Grid Task Force Expert Group 2 and the informal drafting team from ENTSO-E and the four DSO associations (CEDEC, E.DSO, Eurelectric, and GEODE).

The framework guidelines help to clarify the governance for the network code and give some new ideas for its rules. But the guidelines makes different choices from the recommendations of the informal drafting team in several major areas. In some of these choices, we think that the framework guidelines are overlooking practical considerations of the informal drafting team. We think these choices will lead to substantial extra costs, not in proportion to the gains in security.

We therefore think the network code should aim for more rules that are more practical to implement. In particular, it should:

  • determine the scope of the advanced measures through processes
  • set lower minimum security requirements for important undertakings
  • require essential undertakings to have a management system
  • set the minimum requirements in terms of security controls
  • allow alternative assurance methods besides product certification
  • require SOC functions only for essential processes

SE-301-2020: Security requirements for procuring sensors

This document gives security requirements that grid operators can use directly in their procurement documents for new sensors, in particular sensors based on internet-of-things (IoT) technologies.

Grid operators depend on grid information for effective and efficient operation, maintenance and planning. This information is traditionally collected by the SCADA system through remote terminal units (RTUs) or gateways placed at substations.

But in this way grid operators are only monitoring part of the grid. For many use cases, information cannot be collected in the traditional way. Examples are oil quality monitoring in the transformers, hot spot temperature monitoring in transformers and lines, copper theft detection, and fault passage indication in overhead lines. Sensors collecting information for these cases can often not easily be connected to substation RTUs or gateways, because they are physically too far, or it is too costly to logically integrate them into the systems.

New sensors, often based on IoT technologies, are used to fill this gap. These sensors allow grid operators to get more data about the grid, at a lower cost.

But because of the goal of low cost, it is often not clear what security requirements can be set for the sensor systems. To keep the cost of sensors down, they have less computing power than RTUs or gateways. To reduce installation cost, the sensors are sometimes battery powered. So, some measures may not be feasible on the sensors. Also, to minimize the cost of installation and maintenance, security configuration and key management should take as little time as possible from engineers. So, these functions should be automated where possible.

This document provides a harmonized set of security requirements that grid operators use directly in their procurement documents for sensors. The requirements have been reviewed by both grid operators and sensor vendors. They are designed to fit into existing processes and procedures.


WP-029-2020: Why DER cybersecurity is critical and how to protect DER systems

This paper asserts the need to consider distributed energy resources (DER) parties that remotely control hundreds of megawatts of electricity as critical, and to require these parties to take security measures like large grid operators or producers.

As alternative energy sources, such as wind, solar or heat, have become sustainable for small scale use, they are being placed in a wide variety of locations. These DER can be connected to high, medium, or low voltage grid, contributing significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.

DER are exposed to significant cyber risks. Their operations and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER systems. And grid operators are connecting to larger DER systems to monitor and control their generation. Advanced threats, especially nation states, can attack the systems or communications to cause black-out scenarios.

However, DER parties are often not ready to manage the societal risk of a cyberattack. They need to compete in the market and will be concerned about the business risks to themselves. They do not have a legal obligation to mitigate societal risks. Still, if they remotely control hundreds of megawatts of electricity, then their systems and operations are critical and they should be required to take the necessary security measures.

This document profiles critical DER parties and the threats to them. It recommends requiring these parties to protect their systems and processes against cyber-attacks. They are suggested setting up an information security management system to structurally manage the risks. With this approach, they would align with many grid operators, contributing to a harmonized, standards-based approach throughout the electricity sector.


SC-301-2020: Security requirements for procuring SCADA applications

This document gives security requirements that grid operators can use directly in their procurement documents for SCADA application software.

The supervisory control and data acquisition (SCADA) system is the core of a grid operation infrastructure for both transmission system operators (TSOs) and distribution system operator (DSOs). The SCADA system is critical to the business continuity of grid operators.

At the same time, the SCADA system’s core position also makes it attractive to anyone trying to sabotage the electricity grid. Through the SCADA system, they can control thousands of field devices. So, SCADA systems should be strongly secured.

But securing these systems is becoming more difficult as they are becoming more connected. The time that SCADA systems were stand-alone, air-gapped systems has long passed. Most grid operators have now connected them to their enterprise IT systems to export data for grid planning and to import geographic information. The vendor of the SCADA system often has remote access for maintenance. Control center of other grid operators are connected. Field equipment from distributed energy resources (DER) or customer feeding in gas are being connected. And field engineers are getting remote access to get a better view of the system and give feedback about executing switching actions. Each connection creates a possibility for attackers to get into the SCADA system.

This document provides a harmonized set of security requirements that grid operators can use directly in their procurement documents. The requirements have been thoroughly reviewed by both grid operators and SCADA vendors. They are designed to fit into the processes and procedures already in place in the organizations, and to find a good balance between security and operational impact.


GO-201-2020: ENCS security program plans for 2020

This document describes the plan for the ENCS security programs for 2020. ENCS is running three long term programs on policy, architecture and operations. The programs gather, develop and share knowledge on common security problems that ENCS members face. They aim to address the needs of different groups of security experts working at grid operators.


EV-401-2019: Security test plan for EV charging stations

Plan to test an EV charging station against the ElaadNL and ENCS security requirements.

ElaadNL and ENCS have developed a set of security requirements for procuring electric vehicle (EV) charging stations . The requirements are based on a risk assessment and a security architecture for the whole EV charging infrastructure. The security requirements can be used directly in the procurement process.

This document provides a standardized test plan to evaluate the charging stations against the security requirements. By standardizing the test plan, the test results can be shared between charge point operators. The vendor of the charging station can order a security test according to the test plan. If the charging station passes the tests, the vendor can use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give charge point operators assurance in advance that there are charging stations meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design and OCPP security conformance testing by an external lab;
  3. A penetration test by an external lab.

DA-401-2019: Security test plan for distribution automation RTUs

Plan to test an distribution automation RTU against the ENCS security requirements.

ENCS has developed a set of security requirement for procuring distribution automation (DA) remote terminal units (RTUs). When the requirements are used, the need arises to evaluate the RTU against the requirements. This document provides a standardized test plan to do this.

By standardizing the test plan, the test results can be more easily shared between grid operators. The vendor of the RTU can perform security tests according to the test plan and then use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give grid operators assurance in advance that there are RTUs meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design by the grid operator, usually performed during selection;
  3. A penetration test by an external lab, usually performed after the RTU has been selected.

EV-301-2019: Security requirements for procuring EV charging stations

This document specifies security requirements that charge point operators can use when procuring charging stations. The requirements can be used directly in tender documents. They cover the technical security features that the charging station should have, and the measures vendors should take to ensure the correct implementation of these features.

The document is an update of the EV Charging Systems Security Requirements from 2016. ENCS has created this document together with ElaadNL.


EV-201-2019: Security architecture for EV charging infrastructure

This document describes a security architecture for electric vehicle charging infrastructure specifying the technical security measures charge poin operators can implement. The architecture can act as a blueprint for system integrators and the departments maintaining the system. The architecture is intended to be used together with an information security management system (ISMS) based on ISO 27001:2013 or similar.

ENCS is creating this document in collaboration with ElaadNL.


DA-301-2019: Security requirements for procuring DA RTUs

This document gives requirements for procuring secure RTUs for use in distribution automation systems, including:

  • medium to low voltage transformer substations;
  • medium voltage transport substations;
  • automatic circuit recloser controllers applied to overhead distribution lines.

The requirements concern the interfaces to the distribution automation system and the users on these interfaces. The measures are aligned with ISO/IEC 27001:2013. They are designed to fit as much as possible into the processes and procedures already in place in the organizations, and to find the needed balance between the assured security level, feasibility by vendors and the operational impact.

This harmonized set of requirements allows grid operators to get secure automation equipment more cost-effectively, saving their time and effort in developing requirements, as they are already freely available. It has been ensured that the requirements are feasible, as they have been tested in a market survey as well as in previous tenders by other operators. Lastly, these requirements save on implementation costs, as vendors get a common baseline to aim at, and only need to implement the security requirements once and then implement updates in their product roadmap.

The requirements are meant for procuring new RTUs, not for legacy systems, although grid operators may analyze which systems can be upgraded, updated or patched, once more, without disrupting the processes and procedures already in place.