WP-031-2020: ENCS reply to the consultation on the revision of the NIS Directive

In October 2020, ENCS provided input to the European Commission’s NIS Directive Consultation. This paper provides a summary of the ENCS responses.

Since the entry into force of the NIS Directive in 2016, the cyber threat level has increased significantly. Yet, much remains to be done for companies in the EU to counter this development. ENCS emphasizes that it is vital to promote a culture of security across all sectors critical for our economy and society. As risks transcend national borders, cybersecurity measures need to be aligned at the Union level. To achieve this, both the capabilities of Member States and the level of cooperation among them need to be improved.

EECSP Report final

Strategic challenges and specific needs of the whole energy sector regarding cyber security from four key angles: threat and risk management, cyber defence, cyber resilience and required capacity and competences needed. They further analysed to what extent existing legislation at EU and national level is sufficient to tackle the specific needs of the energy sector and proposed a roadmap of ten action lines as a way forward, such as the identification of providers of essential services in energy, the definition of the rules for regional cooperation, and the set-up of the response framework and coordination.

Interim report SGTF EG2 Cybersecurity

Recommendations for the European Commission on Implementation of a Network Code on Cybersecurity

Risk Analysis Method Security Grid

PowerPoint describing the security risk analysis method used by Liander.

WP-010-2019: Security policy for substation automation

This document describes the recommended security policies for each of these roles. The policies cover:

  • Substation engineers configuring the equipment in the substation, including setting up the internal security measures
  • Other employees working at substations, but not configuring equipment
  • WAN network administrators configuring the perimeter firewalls
  • Team managers that need to enable the administrators and engineers to do their job securely
  • Security operations analysts responsible for coordinating vulnerability management and incident response
  • Procurement staff for buying new equipment with the right security capabilities

A concrete example policy is given for each group. This policy is linked to the controls in ISO 27002. Guidance is given on implementing the example policy at a particular grid operator. The policies apply both to employees and to contractors or service providers in the same role.