Energy strategy

by Mark Rowe

The European Union’s cyber security agency ENISA has reported on the challenges for baseline smart grid protection in Europe. Its December report seeks to help smart grid providers improve the cyber security and resilience of their infrastructures, with a set of minimum security measures.

In contrast to the US regulatory path, the European approach is to allow a degree of ‘freedom’, where these guidelines can be tailored and combined for the needs of different actors, given the varied market. The Agency therefore proposes a scalable set of 39 security measures, organised into three levels of sophistication and ten domains:

Security governance and risk management;
Third parties management;
Secure lifecycle process for smart grid components/systems and operating procedures;
Personnel security, awareness and training;
Incident response and information sharing;
Audit and accountability;
Continuity of operations;
Physical security;
Information systems security; and
Network security.

The adoption of a minimum set of security measures needs consensus among smart grid firms. According to the agency, a common cyber security approach would help regulators and others by harmonising. The Executive Director of ENISA, Professor Udo Helmbrecht, said: “In order to reach the ambitious EU2020 objectives: 20 per cent of renewable energy, 20pc of CO2 emissions reduction and 20pc increase in energy efficiency, it is a key issue to ensure that the roll-out of smart grids for distributed energy generation into future electricity grid is done in a secure way. Both innovative technical solutions are required, along with new suitable EU regulatory and economic schemes. We hope to see smart grids in the forthcoming Cyber Security Strategy of the EU.”

Commenting, Calum MacLeod, EMEA Director with Enterprise Key and Certificate Management (EKCM) product company Venafi, said that, while ENISA made reference to encryption, cryptographic controls and managing authentication, the agency has not adequately addressed the specifics on key and digital certificate management.

“This is a bit like the security experts suggesting you beef up the locks on your front door, and then failing to point out that installing a cheap £2.99 lock from an online auction house may not be the best security strategy. The bottom line with defending country CNIs is that you cannot control – and document – the use of encryption and strong authentication without effective key and certificate management,” he said.

ENISA, he said, is advising that smart grids need to build security in from the ground upwards, using encryption and strong authentication tools such as digital certificates to secure data and access.

For smart grid providers, he adds, the only way to control and document these critical security elements – as requested by the European agency – is to deploy effective key and certificate management as an integral feature of the security architecture.

“This is especially true in the UK, based on the CNI architectures we have encountered. Effective key and certificate management is a must – and I strongly suspect that the Information Commissioner’s Office will take the same view,” he added.

He went on to say that the UK’s data regulator will be looking to CNI security strategists to secure the UK’s energy, communications and allied infrastructure networks.

“Energy companies have progressively been deploying the end-user building blocks in the UK’s smart grid for several years now, as mandated by the Energy Act of 2008. The next few years will therefore set the pace for how the UK defends its CNI – installing the best security is a logical step towards this goal,” he said.

For more on Venafi: http://www.venafi.com
