The European Union's cyber-security agency outlined the challenges of protecting European power grids and released a framework to establish baseline standards to secure smart grids.
Smart grids for distributed energy generation need to be integrated into the EU's overall energy infrastructure as safely, securely, and reliably as possible, the European Network and Information Security Agency (ENISA) wrote in its latest report, "Appropriate security measures for smart grids: Guidelines to assess the sophistication of security measures implementation," released Wednesday. The framework proposed measurements and processes that will help establish bottom-line standards for securing all the systems within the EU energy ecosystem.
The EU member states collectively committed to use 20 percent renewable energy, slash carbon dioxide emissions by 20 percent, and increase energy efficiency by 20 percent as part of the EU2020 objectives. However, these goals will be unattainable unless Europe performs a major overhaul of its power grid, such as deploying secure smart grids, said Professor Udo Helmbrecht, the executive director of ENISA.
"A secure and robust energy network is essential for the continuous improvement and industrious operation of the European energy markets," the report said.
ENISA's framework looks at the challenges of securing the smart grid from external attacks, configuration errors, and insider threats while proposing to set minimum standards for systems security and resilience. ENISA believes member states and smart grid operators should focus on compatibility and harmonization to keep costs of deployment and security down. The framework will create audit guidelines to measure how the standards are met, and ensure the stakeholders are all following the framework. With the framework, ENISA hopes to increase the level of transparency in the energy market.
The framework proposed 39 security measures organized across three levels and ten domains: security governance and risk management; third-party management; secure lifecycle process for smart grid components/systems and operating procedures; personnel security, awareness and training; incident response and information sharing; audit and accountability; continuity of operations; physical security; information systems security; and network security.
"The development of a common approach to addressing smart grid cyber security measures will help not only regulators by harmonizing the complex smart grid’s environment but also by providing incentives to other involved stakeholders to continuously strive for the improvement of their cyber security," the report said.
The framework is designed for legislators and regulators at the EU and for member states, distribution system operators, transmission system operators, third-party service and solutions providers, energy traders, third-party financial services, smart grid equipment manufacturers, and "bulk generation" (wind farms, for example) operators.
The 84-page report goes into great detail about how to measure the security controls for each proposed domain. For example, for the first domain, security governance and risk management, ENISA recommends establishing an information security policy, an appropriate structure with defined security roles and responsibilities, a set of security procedures, a risk management framework, a risk assessment, and a risk treatment plan.
In the domain for personnel security, awareness and training, the report outlines screening all personnel (including employees, contractors, and third-party users) and conducting background checks, establishing proper change control when personnel leave or change their roles, maintaining a security awareness program, and setting up security training and certification for staff. ENISA's framework allows a "certain degree of 'freedom'" where the guidelines can be tailored and combined to fit the needs of the member states and grid operators, in contrast to the "strict regulatory path" in place for the U.S., ENISA said in its release accompanying the report.
A risk-based approach is a "pragmatic and realistic approach" to cyber-security, Kim Legelis, vice-president of Industrial Defender, told SecurityWeek. Organizations can measure potential exposure and impact and adjust how they will respond. "Because it offers freedom in how cybersecurity exposures are handled, it is often favored over more prescriptive regulatory approaches," Legelis said.
Many of the recent developments in power networks, such as allowing digital communication between supplier and consumer and intelligent metering and monitoring systems, will allow smart grids to substantially improve the control over consumption and distribution. Smart grid implementations also rely on advanced Information and Communication Technologies (ICT), industrial control systems (ICS), and operational technology (OT), which means they are vulnerable to malicious attacks over the Internet, the report noted.
"Vulnerabilities in smart grid related communication networks and information systems may be exploited for financial or political motivation to shut off power to large areas or directing cyber-attacks against power generation plants," the report warned.
More information on the initiative is available on the ENISA website.