In the 2020 security programs, ENCS produced 31 new documents on its portal and organized 19 community events. Below you will find an overview of the results from the program. ENCS is supporting its members to use and implement the recommendations and best practices from the programs.
Security policy program
The focus in 2020 has been on European regulation. ENCS has continued to support its members in understanding the fast-changing European regulatory landscape as well as providing updates on trends and developments. Several relevant consultations were launched by the European Commission in which ENCS has actively participated, for example on Network Codes and the revision of the NIS Directive.
A proposed NIS 2 Directive has since been adopted by the European Commission and ENCS has summarized the changes relevant to its members in a report.
In line with the increasing certification of ICT products, services and processes mandated by the 2019 Cybersecurity Act and due to the recently published requirements for an Industrial Automation & Control Systems Components Cybersecurity Certification Scheme (ICCS) by the Joint Research Center (JRC), ENCS has issued a recommendation that its members prepare for a certification meeting the requirements in the JRC ICCS.
Network code on cybersecurity
ENCS has continued the support of expert groups at EU level. ENTSO-E and the four DSO associations are tasked with writing the draft Network Code on Cybersecurity. ENCS is supporting the informal drafting team through its expertise. It is expected that after the second interim report has been updated, the formal network code process will begin.
E.DSO, ENCS and ENTSO-E joint event
Together with E.DSO and ENTSO-E, ENCS organized a joint cybersecurity event on data sharing. Due to the COVID-19 travel restrictions, the event was held as two webinars. Each webinar was attended by over 150 participants, including many EU policy makers.
E.DSO task force on cybersecurity
ENCS has continued its support of the E.DSO Task Force 4 on cybersecurity. The Task Force endorsed the security requirements for distribution automation RTUs.
Security architecture program
In 2020, ENCS has expanded the work on security requirements. New requirement sets have been developed to cover distributed energy resources and central systems. The approach developed for testing and certification has been improved and validated in projects. The existing requirement sets for field components have been updated.
Distributed Energy Resources (DER)
In 2020, ENCS completed a comprehensive project on DER security in cooperation with WindEurope and SolarPower Europe to work jointly towards a European grid with no weakest link in the chain. The project has produced a risk assessment for DER security, a set of recommended security measures for DER operators, a set of recommended security measures for grid operators connecting to DER, a set of procurement requirements for field devices to be used by the DER operator, and a position paper on DER security providing context on the subject and the main project results.
ENCS has worked on covering key central systems still missing from requirement sets. A security architecture and procurement requirements for SCADA/EMS/DMS systems were developed. In addition to the above-mentioned security architecture, ENCS has analyzed what would be needed to implement a zero-trust approach for a SCADA system in a whitepaper. Their criticality means that these systems would especially benefit from better resilience against cyber-attacks.
ENCS has developed a recommendation for access control in OT environments. Different technologies for centralized access control, such as LDAP, Active Directory, RADIUS and TACACS, have been compared and available solutions for managing remote access have been reviewed. Engineers commonly use web interfaces to configure and maintain devices, as they provide easy access. But by using them they may inadvertently help to spread attacks. ENCS recommends managing field devices through other means than web interfaces and has published a whitepaper detailing the risks.
As engineers from grid operators or their vendors use engineering laptops in their daily work, these devices are exposed to a variety of threats and the impact of compromise is especially high. That is why ENCS has developed a security architecture to protect engineering laptops.
ENCS has also developed a recommended security architecture for sensor systems, particularly those based on IoT technologies. It gives a set of technical measures that those designing and maintaining the systems can use to mitigate security risks by reducing their likelihood. Further, ENCS provides a harmonized set of security requirements that grid operators can use directly in their procurement documents for sensors. The requirements have been reviewed by both grid operators and sensor vendors, and are designed to fit into existing processes and procedures.
In 2019, the member project on procuring secure equipment began to explore the opportunity of testing directly for equipment vendors instead of grid operators. Doing so allows more cost-effective testing, as the cost of testing can be shared between all users of a component. To be able to test against existing ENCS requirements, standardized test plans for different types of equipment have been developed, including electric vehicles (EV), smart meters and data concentrators.
ENCS has seen that vendors are increasingly including hardware security measures in smart grid field devices. However, some may not mitigate the real security risks. To get effective measures, grid operators should therefore include specific requirements in their procurement process. ENCS has assessed the physical risks to field devices and developed recommendations for such hardware security measures. A test report evaluating a distribution automation (DA) RTU against the recommended ENCS requirements has been made available.
Further, ENCS has published a strategy for grid operators to protect distribution automation systems against physical attacks on field locations. The focus is on how to harden the RTU itself as much as possible, while using the system architecture to limit the impact of determined attacks to a single location.
Security operations program
In the operations program, ENCS completed a member project for the evaluation of OT sensors placed directly in substations. An initial market survey revealed that the core functions of the majority of the sensors are the same as they were in the 2017 project. Also, on paper, all sensors could detect all vulnerabilities and all incidents. To evaluate them in practice, five sensors underwent extensive testing in the ENCS lab. The sensors were trained on substation traffic collected from members and different test cases were injected in the traffic to see if the sensors detect them. The test results can be found here.