ENCS, the European Network for Cyber Security, and E.DSO, the European Distribution System Operators’ Association, announced the launch of security requirements for Distribution Automation (DA) of Remote Terminal Units (RTUs). This is the third in a series of security guidelines for a smarter and more secure energy network, after ENCS and E.DSO previously released security requirements for electric vehicle charging points and smart metres. These requirements are an important tool in improving and harmonising the security of data collection and analysis for utilities across Europe, helping to build a more resilient network. Practical considerations The requirements provide European distribution system operators (DSOs) with a defined set of practical considerations for procuring secure RTUs and are a significant step forward to industry wide requirements. These requirements have been split into various parts: DA-201-2019: Security architecture for distribution automation systems (for ENCS members only) DA-301-2019: Security requirements for procuring DA RTUs (Public) DA-401-2019: Security test plan for distribution automation RTUs (Public) ENCS has been active in Distribution Automation security since 2015, where it started analysing vulnerabilities in architectures and systems. Smoother procurement process This would be a huge step forward to ensuring security of critical European energy grids and infrastructure" The DA requirements were developed for all members and used first by Enexis, where they allowed for a secure DA system and a smoother procurement process, delivered at only a marginal extra cost. ENCS also developed a test plan to verify the correct implementation of the security requirements in a standardised manner. By standardising the test plan, test results can be more easily shared between grid operators. Roberto Zangrandi, Secretary General of E.DSO, stated: “These requirements are not only key to the long-term vision of our work with ENCS, but lay a strong foundation for an industry-wide set of recommendations. This would be a huge step forward to ensuring security of critical European energy grids and infrastructure, which can only really be achieved through a collaborative effort between DSOs and cybersecurity experts.” Harmonised and synchronised set of requirements Anjos Nijk, Managing Director of ENCS, stated: “Up until now, Europe has had disparate security requirements due to a scattered approach. However, this work we are doing with E.DSO has allowed for a harmonised and synchronised set of requirements, which will enable manufacturers to implement security cost effectively.” “If these are used by DSOs across Europe it incentivises manufacturers to respond adequately and improve security proactively. This then helps raise security standards across the industry. We aim to replicate this approach in other areas where the industry needs to structurally increase and harmonise security levels.” The new requirements build on ENCS and EDSO’s memorandum of understanding signed in 2016.
The increasing cyber security threat and COVID-19 are causing challenges everywhere, including in the energy sector. The European Network for Cyber Security (ENCS), the Association of European Distribution System Operators (E.DSO), and the European Network of Transmission System Operators for Electricity (ENTSO-E), hosted the first of two webinars to discuss some of these challenges. ‘Cybersecurity: Data Sharing’ webinar Renowned cyber security experts from the grid operator community, public organisations and industry discussed actual and emerging threats, the most recent regulatory developments, and the main challenges connected to data sharing. It was concluded that only with harmonisation of efforts in the areas of security requirements, scoping for information security management systems and knowledge sharing, the rapidly increasing challenges can be managed. Access, trust and interoperability for data In the opening keynote session, Ms. Catharina Sikow, Director Internal Energy Market, DG ENER, highlighted European Commission's growing commitment to strengthen EU's leadership on digitalisation and cyber security, especially in the light of the energy transition and EU recovery, stating that “Access, trust and interoperability for data are the three pillars for information to flow in Europe. Cyber security is essential for a strong & sustainable energy system in Europe.” Saad Kadhi, Head of CERT-EU, European Commission, highlighted that “The threat landscape is continuously evolving and the attack surface is growing. Several nation-state threat actors are very well resourced and some criminal groups are adopting their playbooks.” Need to share threat data more efficiently Targeted intrusions, ransom-ware attacks and other types of breaches are now customary" Saad adds, “Targeted intrusions, ransom-ware attacks and other types of breaches are now customary. To keep them at bay, we have no choice but to share threat data, more efficiently and at a bigger scale, by building bridges across cyber security communities.” Nicolas Richet, Head of Digital Section, ENTSO-E Secretariat, said “This third edition of our joint cyber security events with E.DSO and ENCS has allowed us to demonstrate the grid operators’ commitment and continued efforts to enhance the reliability of the European power network.” Deterring security incidents at DER installations Maarten Hoeve, Technology Director at the European Network for Cyber Security (ENCS), presented how vulnerabilities in DER infrastructure can be exploited to disrupt electricity supply. He said, “The stability of the electricity grid is becoming dependent on distributed energy resources (DER), such as solar panels and windmills. Security incidents at DER installations could lead to large disruptions of the electricity grid, even to the extent of a European black-out.” Concluding the event, Roberto Zangrandi, Secretary General of the Association of European Distribution System Operators (E.DSO), said “After 3 years now, our joint update with key stakeholders on Cybersecurity has become a beacon for the electricity grid operators. This meeting in particular, and the next one, proves that only through joint efforts hacking dangers can be and will be tackled.” The event highlighted the importance of security across critical business processes, harmonisation of the approaches throughout Europe and the need to act now.