Trying to organize a security operations team raises many questions. What should the mission of the team be? What capabilities should the team have? Where should the team be placed in the organization? What work can or should be outsourced?
This document aims to answer these questions. They do not have one correct answer for all grid operators. Instead, the answer depends on factors such as the size of the grid operator, the relation between the IT and OT departments, and the existing security organization. So this document usually presents several options, with their advantages and disadvantages.
The advice in this document is based on the experiences of different ENCS members. As part of the ENCS collaboration project on security monitoring, interviews were held with security officers at Alliander, EDP Distribuição, Enexis, E.ON, EVN, and Stedin. The interviews gathered the lessons learned from different pilot projects, in particular those on monitoring. In this way, best practices were distilled.