WP-035-2020: Proposed strategy for OT component certification

The European Commission has made certification of products, services and processes one of the pillars of their cybersecurity strategy. In the 2019 Cybersecurity Act, ENISA was tasked with developing a cybersecurity certification framework. In a rolling work program ENISA will develop harmonized, European certification schemes for products, services, and processes. In 2020, the Joint Research Center (JRC) published requirements for an Industrial Automation & Control Systems Components Cybersecurity Certification Scheme (ICCS), which is also expected to be turned into a candidate scheme.

Given this development, ENCS recommends that its members prepare for a certification meeting the requirements in the JRC ICCS. This whitepaper outlines the proposed strategy.

WP-033-2020: Test results for OT security sensors monitoring inside substations

Many grid operators are using specialized security sensors to monitor their central OT networks. The sensors automatically learn what normal network communication looks like, and then alert on deviations from that baseline to detect security incidents. ENCS evaluated such sensors in the 2017 member project on security monitoring. Since then, these sensors have become an important tool for most SOC and CSIRT teams working on OT systems.

Vendors of these sensors are also offering industrial PCs or embedded sensors that could be placed in field locations. The prices of such sensors have dropped considerably since 2017. So, it is becoming possible to deploy sensors in the internal networks of high voltage substations. ENCS has therefore started a project to evaluate the sensors for monitoring inside substations.

A market survey based on vendor questionnaires was conducted to determine the sensors' capabilities. Unfortunately, the sensors turn out to be hard to evaluate on paper: according to the questionnaires, every sensor detects every vulnerability and every incident. The market survey found no real differences between them.

This raises the question of how good the sensors are in practice. Can they detect all the vulnerabilities and incidents that vendors claim they do? And can they present these in a meaningful way to analysts?

To answer these questions, ENCS tested five sensors in its lab. The sensors were trained on substation traffic collected from members. Different test cases were then injected into the traffic to see whether the sensors detected them.

WP-034-2020: Update on the revised NIS directive

This whitepaper gives an update to ENCS members on the revised NIS directive. On 16 December 2020, the European Commission adopted a proposal for a revised NIS directive: the directive on measures for a high common level of cybersecurity across the Union. The directive is meant to repeal the directive concerning measures for a high common level of security of network and information systems across the Union from 2016, also known as the NIS directive. The goal of the revised NIS directive is to achieve a harmonized, high level of cybersecurity across the European Union by incorporating feedback from the most recent consultations and filling some gaps found in the NIS version from 2016. The new directive, which focuses on enabling resilient infrastructure and critical services, is a key component of the Union’s new Cybersecurity Strategy for the Digital Decade. It was released alongside a proposal for a Directive on the Resilience of Critical Entities, which is the successor of the 2008 European Critical Infrastructure Directive.

The most important changes for grid operators seem to be:

  • The scope was extended to include many parties important to grid stability
  • Supervision and enforcement of the implementation is made stricter
  • It may become mandatory to use products, services, and processes certified under the Cybersecurity Act
  • Provisions are added to integrate the upcoming network code on cybersecurity

WP-030-2020: Distribution automation RTU hardware security test report

This test report gives the results of testing a distribution automation remote terminal unit (RTU) against the hardware security requirements that ENCS has developed in its member project on hardware security. See:

The report gives a good overview of how the requirements can be tested, what vulnerabilities are typically found when RTU vendors first implement them, and how these vulnerabilities can be mitigated.

The test report is classified as TLP:AMBER. It is only shared with employees at ENCS members that need to know its contents for their work on distribution automation security.

To request a copy of the report, please contact info@encs.eu

WP-031-2020: ENCS reply to the consultation on the revision of the NIS Directive

In October 2020, ENCS provided input to the European Commission’s NIS Directive Consultation. This paper provides a summary of the ENCS responses.

Since the entry into force of the NIS Directive in 2016, the cyber threat level has increased significantly. Yet much remains to be done for companies in the EU to counter this development. ENCS emphasizes that it is vital to promote a culture of security across all sectors critical to our economy and society. As risks transcend national borders, cybersecurity measures need to be aligned at the Union level. To achieve this, both the capabilities of Member States and the level of cooperation among them need to be improved.

WP-029-2020: Why DER cybersecurity is critical and how to protect DER systems

This paper asserts the need to consider distributed energy resources (DER) parties that remotely control hundreds of megawatts of electricity as critical, and to require these parties to take security measures like large grid operators or producers.

As alternative energy sources such as wind, solar or heat have become viable for small-scale use, they are being placed in a wide variety of locations. These DER can be connected to the high, medium, or low voltage grid, and contribute significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.

DER are exposed to significant cyber risks. Their operations and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER systems. And grid operators are connecting to larger DER systems to monitor and control their generation. Advanced threats, especially nation states, can attack the systems or communications to cause black-out scenarios.

However, DER parties are often not ready to manage the societal risk of a cyberattack. They need to compete in the market and will be concerned about the business risks to themselves. They do not have a legal obligation to mitigate societal risks. Still, if they remotely control hundreds of megawatts of electricity, then their systems and operations are critical and they should be required to take the necessary security measures.

This document profiles critical DER parties and the threats to them. It recommends requiring these parties to protect their systems and processes against cyber-attacks, and suggests that they set up an information security management system to manage the risks structurally. With this approach, they would align with many grid operators, contributing to a harmonized, standards-based approach throughout the electricity sector.

WP-022-2020: Risk assessment of physical attacks against field devices

This report assesses the risk of physical attacks against field devices to be able to select the right hardware security measures.

Increasingly vendors are including hardware security measures in smart grid field devices. Some are encrypting the external flash modules on smart meters. Some are using hardware security modules on data concentrators to encrypt key databases. And others are implementing secure boot through specialized chips on IEDs. Implementing such measures on field devices appears to make sense, as they are exposed to physical attacks.

Grid operators now have a choice of procuring devices with these features or not. Before evaluating the efficacy of such measures on mitigating attacks, this report first assesses the possible risk of field equipment being compromised.

WP-028-2020: Market survey of OT security sensors for substations

This report contains the results of a market survey on OT security sensors for substations.

In 2017, ENCS ran a project on security monitoring for Operational Technology (OT) systems. In this project, ENCS did a market survey on new products specifically designed for OT. It showed that there were several network-based sensors on the market offering similar functions. They combined the functions of an anomaly-based intrusion detection system with a passive vulnerability scanner.

Many ENCS members are now using such OT security sensors. Most deploy them in their control center networks. Although in 2017 some vendors were already offering industrial PCs or embedded sensors that could be placed in field locations, the costs of such sensors were then prohibitively high.

Recent procurement projects at members have shown, however, that prices have gone down considerably. It is now becoming economically feasible to deploy sensors in the internal networks of high voltage substations.

This raises the question of whether and how these OT security sensors could be used to effectively monitor the security of substations. ENCS has started a member project to answer this question. As a first step, a market survey was conducted.

WP-027-2020: Security measures for grid operators connecting to DER

This report recommends security measures for grid operators connecting to distributed energy resources (DER).

As alternative energy sources such as wind, solar or heat have become viable for small-scale use, they are being placed in a wide variety of locations. These DER can be connected to the high, medium, or low voltage grid. They can, however, cause congestion or power quality problems in the electrical grid. To solve these problems, grid operators are connecting to the DER control systems to monitor and control their generation.

The connections to DER create new cyber-security risks for grid operators. By compromising the connections, attackers could send unauthorized curtailment commands to DER locations. If they manage to switch off enough locations, they could disrupt the grid balance. Additionally, the connections could be used as an entry point into grid operator systems. By first compromising a DER system, attackers may get into critical grid operator control systems, such as SCADA systems or substation automation systems.

This document recommends security measures for grid operators to protect the digital connections to DER and mitigate these new risks. The measures cover:

  • threats to the connection and information passing through it;
  • threats to grid operator systems through the DER connection;
  • interests that come into play in the new relationship between the grid operator and DER operator.

WP-024-2020: The risk of using web interfaces remotely

ENCS recommends against remotely managing field devices, such as RTUs, gateways, and data concentrators, through a web interface. Engineers commonly use a web interface to configure and maintain devices, as it provides easy access. But by using one they may inadvertently help to spread attacks.

Attackers can hop from one field device to many others through the engineer’s web browser. The attack would consist of two steps, explained in this whitepaper:

  1. Physically attack one field device to insert code into the web interface
  2. Trick the browser into making unwanted changes on other devices

This type of attack is hard to counter, as attackers have many options for each step. It can have a large impact, as it scales a physical attack on one device to many other devices. Hence, ENCS recommends managing field devices through other means than web interfaces.