Security policy program 2025

ENCS organises its knowledge development in 3 programs: policy, architecture, and operations. Below, you can explore what we have planned in these areas for 2025.

The policy program aims to develop and share knowledge with security officers responsible for organizational security measures. It covers security policies, regulation, and the development of information security management systems (ISMSs).

In 2025, we will work on supply chain security and the security of high-power consumer IoT devices.

Supply chain security

Supply chain security is an important topic for many regulators under NIS2 and the Network code for cybersecurity. Many grid operators will be required to improve their supply chain security. ENCS has supported members and stakeholders in this area with security requirements for procuring components and systems, and through requirements-based testing.

But besides components and systems, members also need to define and enforce security requirements for services. Service providers are often key to the cybersecurity of critical systems.

Requirements for service providers are, however, more difficult to standardise than those for components and systems. Hence, the main goal will be to share information between our members.

Two webinars and an online workshop will be held in which members' experts on supply chain security explain their approach and their challenges. The lessons learned from the workshops will be shared in a best practice paper.

Security of high-power consumer IoT devices

Work from the past few years has shown that high-power consumer IoT devices, such as solar inverters, EV charging stations, batteries, and heat pumps, pose a serious security risk for the electricity system. Such devices control enormous amounts of power. If a large number of them are switched off at the same time, the resulting imbalance will cause a serious disruption of the electricity system.

But manufacturers and operators of such devices often do not treat them as critical. Tests of different devices show that they often contain serious vulnerabilities. And the central management systems are often an even greater risk.

There is currently no good way to regulate the devices. Manufacturers do not fall under the Network Code on Cybersecurity or the electricity sector in NIS2. The CRA does put requirements on manufacturers to build secure consumer equipment, but it does not require independent testing. Manufacturers can comply through a self-assessment. So, while the CRA will make good manufacturers improve their security, manufacturers with a lower security awareness will probably ignore it.

To better explain this problem to national and European policymakers, this activity will create a whitepaper describing the cybersecurity risks of consumer IoT equipment and possible ways to address them.
