2022 – Year in Review

With the new year, the ENCS team would like to take the opportunity to look back at the highlights of last year and to wish you a happy new year!

Ukraine

The most important change in security was the war in Ukraine. There have not been any big cybersecurity incidents for European grid operators, although we did see a new variant of the Industroyer malware. But the Ukrainian power grid is now one of the main battlegrounds of the war, and there is a risk of attacks spilling over into the European grid. So, grid operators will need to closely monitor the new threat developments, as explained by Rob Lee in our joint event.

• Industroyer2 malware
• Interview with Rob Lee (CEO Dragos)

European cybersecurity regulation

In 2022, the European Commission introduced several cybersecurity regulations that grid operators will need to comply with in the coming years. The NIS 2 directive and the directive on the resilience of critical entities (CER directive) were both approved in November. ACER published their revision of the network code on cybersecurity, which should be approved in the first half of 2023.
We provided an update to our members on these development through a webinar and whitepaper:

• Webinar: update on the NIS2, CER, and network code on cybersecurity
• Whitepaper: Update on the CER directive, and the NIS 2 directive and the network code cybersecurity

Product certification

An important part of the European regulations is product certification. In 2019, the cybersecurity act set up a framework for European cybersecurity certification schemes for products, services and processes. The network code on cybersecurity tasks ENTSO-E and the EU DSO entity to provide guidance on such schemes for the electricity sector. The NIS2 directive allows member states or the Commission to make it mandatory to use certified products.
Additionally, the Commission launched a proposal for a Cyber Resilience Act. This act will set essential security requirements, including requirements for patching, for all products with digital elements. See our summary below.

• Update on the cyber resilience act

To prepare for the product certification legislation, we have been updating our requirements sets to be aligned with the IEC 62443 standard. In this way, it should be possible to certify against the requirements, when a European scheme for industrial products has been developed. See the webinar below for our strategy for product certification, and the draft requirements for substation and distribution automation for the new requirements format:

• Webinar: Towards product certification for OT products
• Draft substation automation requirements:
  • SA-111-2022: Security threat analysis for substation automation system
  • SA-211-2022: IEC 62443 Security requirements for substation automation systems
  • DA/SA-311-2022: IEC 62443 requirements for procuring RTUs and gateways
• Draft distribution automation requirements:
  • DA-111-2022: Security threat analysis for distribution automation systems
  • DA-211-2022: IEC 62443 Security requirements for distribution automation systems
  • DA/SA-311-2022: IEC 62443 requirements for procuring RTUs and gateways

OT SOC maturity model

A SOC is one of the most important organizational structures for cyber security. They provide the organization with visibility over security incidents and events and with at least the first response.
It is important to sustainably develop the SOC’s processes, technology and services towards the needed scope in alignment with the risk profile of the organization. There must be a fine balance between scope and resource availability, which can be difficult to achieve in OT due to the high security risk and general lack of resources. A SOC maturity model can help with this challenge.
In our attempt to find a SOC maturity model for OT, we found multiple models, but none of these were OT-specific. Of the ones we found, the one that is most used and well-known by our members is the SOC-CMM. By supporting a member to use it, we found it to be very comprehensive but lacking in coverage and guidance for OT. These observations were shared in an ENCS webinar:

• Webinar: towards an OT SOC maturity model – part 1

The attendants of the webinar agreed with the observations. Before looking into other models or developing a new model for OT, and because a few members already use the SOC-CMM, we tried to identify solutions for the missing elements ourselves. The initial conclusions of this exercise were shared in the ENCS webinar:

• Webinar: Towards an OT SOC maturity model – part 2

Of all the issues addressed in the webinar, the one specifically related with human resources had been previously addressed in the SOC security analysts’ roundtable, where the group drafted a few guidelines on the number of FTEs and outsourcing. The discussions during this roundtable covered further topics such as SIEM, automating incident response and joint security exercises:

• 2nd SOC roundtable – insights

What’s next?

Our programs for 2023 will be published at the beginning of the year.
Our event calendar for the 2023 in-person events is already on our website.