SecurityWeek

Europe’s Cyber Security Agency Releases Framework For Protecting Smart Grids

Smart Grid Security

The European Union’s cyber-security agency outlined the challenges of protecting European power grids and released a framework to establish baseline standards to secure smart grids.

Smart grids for distributed energy generation need to be integrated into the EU’s overall energy infrastructure as safely, securely, and reliably as possible, the European Network and Information Security Agency (ENISA) wrote in its latest report, “Appropriate security measures for smart grids: Guidelines to assess the sophistication of security measures implementation,” released Wednesday. The framework proposed measurements and processes that will help establish bottom-line standards for securing all the systems within the EU energy ecosystem.

The EU member states collectively committed to use 20 percent renewable energy, slash carbon dioxide emissions by 20 percent, and increase energy efficiency by 20 percent as part of the EU2020 objectives. However, these goals won’t be attainable unless Europe performs a major overhaul of its power grid, such as deploying secure smart grids, said Professor Udo Helmbrecht, the executive director of ENISA.

“A secure and robust energy network is essential for the continuous improvement and industrious operation of the European energy markets,” the report said.

ENISA’s framework looks at the challenges of securing the smart grid from external attacks, configuration errors, and insider threats while proposing to set minimum standards for systems security and resilience. ENISA believes member states and smart grid operators should focus on compatibility and harmonization to keep costs of deployment and security down. The framework will create audit guidelines to measure how the standards are met, and ensure the stakeholders are all following the framework. With the framework, ENISA hopes to increase the level of transparency in the energy market.

The framework proposed 39 security measures organized across three levels and ten domains: security governance and risk management; third-party management; secure lifecycle process for smart grid components/systems and operating procedures; personnel security, awareness and training; incident response and information sharing; audit and accountability; continuity of operations; physical security; information systems security; and network security.

“The development of a common approach to addressing smart grid cyber security measures will help not only regulators by harmonizing the complex smart grid’s environment but also by providing incentives to other involved stakeholders to continuously strive for the improvement of their cyber security,” the report said.

The framework is designed for legislators and regulators at the EU and for member states, distribution system operators, transmission system operators, third-party service and solutions providers, energy traders, third-party financial services, smart grid equipment manufacturers, and “bulk generation” (wind farms, for example) operators.

The 84-page report goes into great detail about how to measure the security controls for each proposed domain. For example, for the first domain, security governance and risk management, ENISA recommends establishing an information security policy, an appropriate structure with defined security roles and responsibilities, a set of security procedures, a risk management framework, a risk assessment, and a risk treatment plan.

In the domain for personnel security, awareness and training, the report outlines screening all personnel (including employees, contractors, and third-party users) and conducting background checks, establishing proper change control when personnel leave or change their roles, maintaining a security awareness program, and setting up security training and certification for staff. ENISA’s framework allows a “certain degree of ‘freedom’” where the guidelines can be tailored and combined to fit the needs of the member states and grid operators, in contrast to the “strict regulatory path” in place for the U.S., ENISA said in its release accompanying the report.

A risk-based approach is a “pragmatic and realistic approach” to cyber-security, Kim Legelis, vice-president of Industrial Defender, told SecurityWeek. Organizations can measure potential exposure and impact and adjust how they will respond. “Because it offers freedom in how cybersecurity exposures are handled, it is often favored over more prescriptive regulatory approaches,” Legelis said.

Many of the recent developments in power networks, such as allowing digital communication between supplier and consumer and intelligent metering and monitoring systems, will allow smart grids to substantially improve the control over consumption and distribution. Smart grid implementations also rely on advanced Information and Communication Technologies (ICT), industrial control systems (ICS), and operational technology (OT), which means they are vulnerable to malicious attacks over the Internet, the report noted.

“Vulnerabilities in smart grid related communication networks and information systems may be exploited for financial or political motivation to shut off power to large areas or directing cyber-attacks against power generation plants,” the report warned.

More information on the initiative is available here from the ENISA website.
