Cyber risk assessment methodologies for Europe proposed
Cyber risk assessment methodologies developed by European TSOs with the assistance of ENTSO-E and cooperation of the DSO Entity have been released for public consultation.
The methodologies are proposed for Union, regional and member state levels and specify how to perform cybersecurity risk assessments at these levels.
At each level the risk assessment considers only the consequences for the operational security of the grid, including disruption of cross-border electricity flows, and thus excludes legal, financial or reputational damages.
In addition, the assessments consider only the consequences of cyber attacks with malicious intent, thus excluding cybersecurity incidents caused by threats with no malicious intent.
Broadly, the assessments aim to identify the processes that could affect the operational security of the electricity system and to assess the possible consequences of a cyber attack compromising the confidentiality, integrity or availability of the information used in them.
The key step is to identify processes that are ‘high impact’ and ‘critical impact’ according to determined thresholds.
The assessments at Union and regional levels will be conducted by ENTSO-E and the DSO Entity, the latter based on an aggregation of the member state assessments, which are performed by the local ‘competent authority’.
At this level, requirements include the implementation status of cybersecurity measures, records of cyber attacks and threats, and recommendations made to mitigate the risks.
The background to the development of the risk assessment methodologies is the Network Code on Cyber Security, which lays down sector-specific rules for the cybersecurity aspects of cross-border electricity flows.
As such, it is intended to ensure a unified approach to protecting Europe’s energy networks from cyber threats, enhancing resilience and maintaining the stability and security of critical energy infrastructure.
In addition, it should help mitigate risk and ensure consistent cybersecurity practices across the EU.
With the proposed methodologies the aim is to ensure the consistent assessment of risk across the different levels.
No methodology is defined for risk assessments at the entity level, as entities may choose their own methodology as long as it is compliant with the network code.
The public consultation runs for one month to 5 December 2024, with the results expected to be published in early January 2025.