With the new year, the ENCS team would like to take the opportunity to look back at the highlights of last year and to wish you a happy new year!
The most important change in the threat landscape was the war in Ukraine. There have not been any major cybersecurity incidents for European grid operators, although we did see a new variant of the Industroyer malware (Industroyer2, discovered in April 2022 and aimed at Ukrainian high-voltage substations). But the Ukrainian power grid is now one of the main battlegrounds of the war, and there is a risk of attacks spilling over into the European grid. Grid operators will therefore need to closely monitor new threat developments, as Rob Lee explained in our joint event.
European cybersecurity regulation
In 2022, the European Commission introduced several pieces of cybersecurity legislation that grid operators will need to comply with in the coming years. The NIS 2 directive and the directive on the resilience of critical entities (CER directive) were both approved in November. ACER published its revision of the network code on cybersecurity, which should be approved in the first half of 2023.
We provided an update to our members on these developments through a webinar and a whitepaper:
- Webinar: update on the NIS2, CER, and network code on cybersecurity
- Whitepaper: Update on the CER directive, the NIS 2 directive and the network code on cybersecurity
An important part of the European regulations is product certification. In 2019, the Cybersecurity Act set up a framework for European cybersecurity certification schemes for products, services and processes. The network code on cybersecurity tasks ENTSO-E and the EU DSO Entity with providing guidance on such schemes for the electricity sector. The NIS 2 directive allows member states or the Commission to make the use of certified products mandatory.
Additionally, the Commission launched a proposal for a Cyber Resilience Act. This act will set essential security requirements, including requirements for vulnerability handling and patching, for all products with digital elements. See our summary below.
To prepare for the product certification legislation, we have been updating our requirement sets to align them with the IEC 62443 series of standards. In this way, it should be possible to certify against the requirements once a European scheme for industrial products has been developed. See the webinar below for our strategy on product certification, and the draft requirements for substation and distribution automation for the new requirements format:
- Webinar: Towards product certification for OT products
- Draft substation automation requirements:
- Draft distribution automation requirements:
OT SOC maturity model
A SOC is one of the most important organizational structures for cybersecurity. It gives the organization visibility of security events and incidents, and provides at least the initial response.
It is important to develop the SOC's processes, technology and services sustainably, towards the scope needed for the risk profile of the organization. This requires a fine balance between scope and available resources, which can be difficult to achieve in OT because of the high security risk combined with a general lack of resources. A SOC maturity model can help with this challenge.
In our attempt to find a SOC maturity model for OT, we found multiple models, but none of them was OT-specific. Of those we found, the one most used and best known by our members is the SOC-CMM (SOC Capability Maturity Model). By supporting a member in using it, we found it to be very comprehensive, but lacking in coverage and guidance for OT. These observations were shared in an ENCS webinar.
The attendees of the webinar agreed with the observations. Before looking into other models or developing a new model for OT, and because a few members already use the SOC-CMM, we first tried to identify solutions for the missing elements ourselves. The initial conclusions of this exercise were shared in a further ENCS webinar.
Of all the issues addressed in the webinar, the one specifically related to human resources had already been addressed in the SOC security analysts' roundtable, where the group drafted a few guidelines on the number of FTEs and on outsourcing. The discussions during this roundtable also covered topics such as SIEM, automating incident response and joint security exercises.
Our programs for 2023 will be published at the beginning of the year.
Our event calendar for the 2023 in-person events is already on our website.