On April 31, ACER published draft framework guidelines for the network code on cyber-security as part of a public consultation. The framework guidelines set the general principles the network code should meet. They build on the previous work from the Smart Grid Task Force Expert Group 2 and the informal drafting team from ENTSO-E and the four DSO associations (CEDEC, E.DSO, Eurelectric, and GEODE).
The framework guidelines help to clarify the governance for the network code and give some new ideas for its rules. But the guidelines make different choices from the recommendations of the informal drafting team in several major areas. In some of these choices, we think that the framework guidelines overlook practical considerations of the informal drafting team. We think these choices will lead to substantial extra costs, not in proportion to the gains in security.
We therefore think the network code should aim for rules that are more practical to implement. In particular, it should:
• set lower minimum security requirements for important undertakings
• determine the scope of the advanced measures through processes
• require essential undertakings to have a management system
• set the minimum requirements in terms of security controls
• allow alternative assurance methods besides product certification
• require SOC functions only for essential processes