Minimum cybersecurity measures proposed for smart grids in Europe


Heraklion, Greece — (METERING.COM) — January 9, 2013 – The European Union’s network and information security agency ENISA has set out, in a report released in late December, a set of security measures aimed at providing a minimum level of cybersecurity for smart grids in Europe.

The report proposes 39 security measures, organized into three sophistication levels and ten domains, as follows:

  1. Security governance and risk management
  2. Management of third parties
  3. Secure lifecycle process for smart grid components/systems and operating procedures
  4. Personnel security, awareness and training
  5. Incident response and information knowledge sharing
  6. Audit and accountability
  7. Continuity of operations
  8. Physical security
  9. Information systems security
  10. Network security

The three sophistication levels, decided on the basis of a risk assessment, describe how far a security measure has been implemented: at an early stage; according to industry standards across a large part of the organization and sometimes reviewed; or in an advanced way, with continuous monitoring and testing.

According to the report, the European approach, in contrast to the strict regulatory path in the U.S., is to allow a certain degree of ‘freedom’, so that the guidelines can be tailored and combined to suit the needs of different actors, given the varied market.

“In order to reach the ambitious EU 2020 objectives of 20 percent of renewable energy, 20 percent of CO2 emissions reduction and 20 percent increase in energy efficiency, it is a key issue to ensure that the rollout of smart grids for distributed energy generation into future electricity grid is done in a secure way,” said ENISA executive director, Professor Udo Helmbrecht. “Both innovative technical solutions are required, along with new suitable EU regulatory and economic schemes.”

The report notes that adopting a minimum set of security measures requires the consensus and cooperation of the various smart grid stakeholders. A coordination initiative could allow a common and generally accepted approach to smart grid security issues. Moreover, a common cybersecurity approach would help both regulators and stakeholders by harmonising the complex smart grid environment and by providing incentives to improve cybersecurity.

The report also includes a mapping of the security measures to the standards ISO/IEC 27002, NISTIR 7628 and ISO/IEC TR 27019.