SGTF EG2 Report On
Total Page:16
File Type:pdf, Size:1020Kb
SMART GRIDS TASK FORCE - EXPERT GROUP 2 - CYBERSECURITY Smart Grid Task Force Expert Group 2 Recommendations to the European Commission for the Implementation of Sector-Specific Rules for Cybersecurity Aspects of Cross-Border Electricity Flows, on Common Minimum Requirements, Planning, Monitoring, Reporting and Crisis Management. Final Report June 2019 The mission of the Smart Grid Task Force Expert Group 2 on cybersecurity is to prepare the ground for sector-specific rules for cyber security aspects of cross-border electricity flows, on common minimum requirements, planning, monitoring, reporting and crisis management for the electricity subsector. SGTF EG2 / Cybersecurity June 2019 1. Contents 1. Contents ........................................................................................................................................ 2 1. Introduction .................................................................................................................................. 5 1.1 Context .................................................................................................................................. 5 1.2 1st Interim Report .................................................................................................................. 5 1.3 2nd Interim Report ................................................................................................................. 5 1.4 Acknowledgements ............................................................................................................... 6 1.5 Disclaimer .............................................................................................................................. 6 2. Symbols and Abbreviations ........................................................................................................... 7 3. Executive Summary ....................................................................................................................... 9 4. Scope and Analysis Approach of SGTF EG2 ................................................................................. 12 5. Objectives for the Network Code on Cybersecurity ................................................................... 14 6. Recommended Structure for the Network Code on Cybersecurity ............................................ 15 6.1 Harmonized Cybersecurity Baseline across the European Union ....................................... 16 6.2 Advanced Cybersecurity Implementation for Operator of Essential Services .................... 16 6.3 Supportive Elements for the Network Code on Cybersecurity ........................................... 17 7. Baseline Cybersecurity Requirements for All Operators ............................................................ 19 7.1 Conformity to ISO/IEC 27001 .............................................................................................. 20 7.1.1 Scope of the Information Security Management System ........................................... 20 7.1.2 Risk Management ....................................................................................................... 22 7.1.3 Asset Management ..................................................................................................... 23 7.1.4 Application of Minimum Security Requirements ........................................................ 24 7.2 Minimum Security Requirements ....................................................................................... 25 7.2.1 International Standards used in the Electricity Subsector .......................................... 26 7.2.2 IEC 62351 Series – Communication Security in the Electricity Subsector .................. 27 7.2.3 EU Cybersecurity Act and Minimum Cybersecurity Requirements ............................ 30 7.2.4 Categorization of Products, Systems and Services ..................................................... 33 7.2.5 Holistic Approach to define Minimum Cybersecurity Requirements ......................... 35 7.2.6 Recommended Methodology for the Definition of Minimum Cybersecurity Requirements .............................................................................................................................. 36 7.2.7 Recommended for a Certification Scheme ................................................................. 40 7.2.8 Individual Certification Approaches ............................................................................ 46 7.2.9 Common Criteria ......................................................................................................... 48 7.2.10 New Legislative Framework ........................................................................................ 49 2 SGTF EG2 / Cybersecurity June 2019 7.3 Summary of Recommendations .......................................................................................... 50 8. Advanced Cybersecurity Requirements for Operators of Essential Services ............................. 53 8.1 Protection of Current Infrastructure ................................................................................... 53 8.2 Supply Chain Cybersecurity Risk Management................................................................... 54 8.3 Protection against Cross-Border and Cross-Organisational Risks ....................................... 56 8.3.1 Cyber Risk Methodology ............................................................................................. 57 8.3.2 Extreme Cyber Risk Scenarios ..................................................................................... 59 8.3.3 Recommendation for a Cyber Risk Management of Cross-Border and Cross- Organisational Risks .................................................................................................................... 68 8.4 Active Participation in the Early Warning System .............................................................. 70 8.4.1 Existing Information Sharing Requirements in the EU ................................................ 70 8.4.2 Threat Intelligence Layers and the Value of Information ........................................... 72 8.4.3 Complementing the NIS Directive with the Concept of Voluntary Information Sharing 74 8.4.4 Code of Conduct for an Early Warning System ........................................................... 75 8.4.5 Possible Participation of Operators that are not Operators of Essential Services ..... 75 8.4.6 Information Sharing Platform ..................................................................................... 75 8.4.7 Open Items for Setting-Up of an Early Warning System ............................................. 76 8.5 Summary of Recommendations .......................................................................................... 78 9. Supportive Elements for All Operators ....................................................................................... 80 9.1 Guidance on Crisis Management ........................................................................................ 80 9.2 Guidance on Supply Chain Security .................................................................................... 82 9.3 Energy Cybersecurity Maturity Framework ........................................................................ 84 9.3.1 Introduction of the Concept of Maturity Frameworks ............................................... 85 9.3.2 ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27019 in regard to Maturity Frameworks .... 86 9.3.3 Capability Models in Standards Relevant for the Electricity Subsector ...................... 87 9.3.4 National and International Cybersecurity Maturity Frameworks ............................... 90 9.3.5 Recommendation on a Cybersecurity Maturity Framework and Approach ............... 95 9.4 Summary of Recommendation ........................................................................................... 98 10. Conclusion ................................................................................................................................. 100 11. Annex ........................................................................................................................................ 101 11.1 Annex A-1: Smart Grids Task Force – Expert Group – Working Group on Cybersecurity . 101 11.2 Annex A-2: Editorial Team ................................................................................................ 102 11.3 Annex A-3: Working Groups on Key Areas Identified ....................................................... 103 3 SGTF EG2 / Cybersecurity June 2019 11.4 Annex A4: Risk-Impact Matrix - Template ........................................................................ 106 4 SGTF EG2 / Cybersecurity June 2019 1. Introduction 1.1 Context The ‘Clean Energy for all Europeans’-package acknowledges the importance of cybersecurity for the energy sector, and the need to duly assess cyber-risks and their possible impact on the security of supply. In particular, the Electricity Regulation1 proposes the adoption of sector-specific rules for cyber security aspects of cross-border electricity flows, on common minimum requirements, planning, monitoring, reporting and crisis management in the following referred to as “Network Code on cybersecurity”. The working group on cybersecurity originated from the Commission Communication ‘Clean Energy for All Europeans’ (COM/2016/0860 final) announcing the set-up of a group in spring 2017 and the delivery of final results by the end of 2018. This Communication emphasizes that ensuring