Download latest Preliminary Conference Programme Guide for CIPRE

As someone responsible in your organisations for critical assets and/or infrastructure, Critical Infrastructure Protection and Resilience Europe is the leading conference that will keep you abreast of the changes in legislation, current threats and latest developments.

Download the Preliminary Conference Programme Guide at www.cipre-expo.com/guide.

What is the new directive on the Resilience of Critical Entities...

The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.

The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

Are you up to date on this legislation, and do you know what you need to do to be compliant?

Get updated on the NIS2 Directive and what it means to you...

An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.

By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

What will this mean for you and how can you meet the Directives goals?

Critical Infrastructure Protection and Resilience Europe is Europe's leading discussion that brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe's critical infrastructures.
The conferences top quality programme looks at these developing themes and help create better understanding of the issues and the threats, to help facilitate the work to develop frameworks, good risk management, strategic planning and implementation.

The packed event themes include:

- Interdependencies and Cascading Effects
- Emerging Threats against CI
- Crisis Management, Coordination & Communication
- Power & Energy Sector Symposium
- Government, Defence & Space Sector Symposium
- Communications Sector Symposium
- Information Technology (CIIP) Sector Symposium
- Transport Sector Symposium
- CBRNE Sector Symposium
- Technologies to Detect and Protect
- Risk Mitigation and Management
- The Insider Threat
- Business Continuity Management
- EU Horizon Projects Overviews

You are invited to be a part of this program, where you can meet, network and learn from the experiences of over 40 expert international speakers, as well as industry colleagues who share the same challenges and goals.

Please join us and the CI industry in the beautiful city of Prague, on 3rd-5th October, for a great programme of discussions that can help you to deliver enhanced security and resilience for your organisation.

Visit www.cipre-expo.com for further details

 

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Summer 2023 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- The CNI / Crowded Places Security Debate
- Beyond Physical Protection
- Hybrid Threats
– A Comprehensive Resilience Ecosystem
- Artificial Intelligence and Cybersecurity Research
- Resilience in action
- An Interview with EU-CIP Project
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- Using the EU Space Programme for disaster risk management in Hungary
- An Interview with TIEMS
- Critical Infrastructure Protection and Resilience Europe Preview
- Agency and Industry News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.

#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #cipre #resilience #cooperation #emergencymanagement #emergencyresponse #crisismanagement #businesscontinuity #crisisresponse #mitigation

Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program

The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.

The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.

GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.

The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.

But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.

DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.

The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.

Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program

DOE has not fully implemented its Insider Threat Program due to multiple factors.

- DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.

- DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.

NERC files report evaluating the CIP-014 Reliability Standard with FERC

The Commission directed NERC to evaluate whether the physical security protection requirements in NERC’s Reliability Standards are adequate to address the risks associated with physical attacks on BPS Facilities. Specifically, FERC directed NERC to conduct a study evaluating the following: (1) the adequacy of the Applicability criteria set forth in the Physical Security Reliability Standard; (2) the adequacy of the required risk assessment set forth in the Physical Security Reliability Standard; and (3) whether a minimum level of physical security protections should be required for all BPS substations and their associated primary control centers.

The purpose of the CIP-014 Reliability Standard is to “identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.”2 The standard requires applicable Transmission Owners (“TOs”) to perform periodic risk assessments of their applicable transmission stations and transmission substations (hereinafter collectively referred to as “substations”) to identify which of their applicable substations are “critical” to BPS reliability (which, for purposes of CIP-014, is whether instability, uncontrolled separation, or Cascading would result if the substation were damaged or rendered inoperable). The TO must then perform an evaluation of the potential physical security threats and vulnerabilities of a physical attack to each of their “critical” substations and develop and implement a documented physical security plan to address those threats and vulnerabilities. Additionally, for each primary control center that operationally controls an identified substation, the applicable Transmission Operator (“TOP”) must perform an evaluation of the potential physical security threats and vulnerabilities of a physical attack to that control center and develop and implement a documented physical security plan to address those threats and vulnerabilities.

As discussed within this report, NERC finds that the objective of CIP-014 appropriately focuses limited industry resources on risks to the reliable operation of the BPS associated with physical security incidents at the most critical facilities. Based on studies using available data, NERC finds that the CIP-014 Applicability criteria is meeting that objective and is broad enough to capture the subset of applicable facilities that TOs should identify as “critical” pursuant to the risks assessment mandated by Requirement R1. NERC did not find evidence that an expansion of the Applicability criteria would identify additional substations that would qualify as “critical” substations under the CIP- 014 Requirement R1 risk assessment. Accordingly, at this time, NERC is not recommending expansion of the CIP-014 Applicability criteria.

NERC acknowledges, however, that supplementary data3 could show that additional substation configurations would warrant assessment under CIP-014. Accordingly, NERC plans to continue evaluating the adequacy of the Applicability criteria in meeting the objective of CIP-014. Following issuance of this report, NERC will work with FERC staff to hold a technical conference to, among other things, identify the type of substation configurations that should be studied to determine whether any additional substations should be included in the Applicability criteria. The technical conference would also help establish data needs for conducting those studies

NERC finds, however, that the language in Requirement R1 of CIP-014 should be refined to ensure that entities conduct effective risk assessments of their applicable substations. Information from ERO Enterprise Compliance Monitoring and Enforcement Program (“CMEP”) activities indicates that while the overall objective of the CIP-014 Requirement R1 risk assessment is sound, there are inconsistent approaches to performing the risk assessment. The ERO Enterprise observed that, in certain instances, registered entities failed to provide sufficient technical studies or justification for study decisions resulting in noncompliance. NERC finds that the inconsistent approach to performing the risk assessment is largely due to a lack of specificity in the requirement language as to the nature and parameters of the risk assessment. Accordingly, NERC will initiate a Reliability Standards development project to evaluate changes to CIP-014 to provide additional clarity on the risk assessment.

As discussed further below, the objective of the Reliability Standards development project would be to:
• Clarify the risk assessment methods for studying instability, uncontrolled separation, and Cascading; such as the expectations of dynamic studies to evaluate for instability.
• Clarify the case(s) used for the assessment to be tailored to the Requirement R1 in-service window and correct any discrepancies between the study period, frequency of study, and the base case a TO uses.
• Clarify the documentation, posting, and usage of known criteria to identify instability, uncontrolled separation, or Cascading as part of the risk assessment. The criteria should also include defining “inoperable” or “damaged” substations such that the intent of the risk assessment is clear.
• Clarify the risk assessment to account for adjacent substations of differing ownership, and substations within line-of-sight to each other.

Finally, while NERC is not recommending an expansion of the CIP-014 Applicability criteria at this time, NERC finds that, given the increase in physical security attacks on BPS substations, there is a need to evaluate additional reliability, resiliency, and security measures designed to mitigate the risks associated with those physical security attacks. As discussed further below, establishing a uniform, bright line set of minimum physical security protections for all (or even an additional subset of) BPS substations and associated primary controls centers, is unlikely to be an effective approach to mitigating physical security risks and their potential impacts on the reliable operation of the BPS. While a uniform set of minimum level of protections could potentially prevent some forms of physical security threats, NERC finds that such a pursuit lacks the application of a risk-based approach to expending industry resources, fails to provide for a methodical approach necessary to address site-specific threats or objectives (as expected using a design basis threat process), and does not consider the need for other reliability, resiliency, and security measures to mitigate the impact of a physical attack. These combined measures provide increased operational and planning capability as well as improved effectiveness of local network restoration. NERC finds that this more holistic approach will provide greater long-term flexibility and minimize the impacts of physical attacks on BPS reliability.

 

Full report can be found here >>

Time Frames to Complete CISA Efforts Would Help Sector Risk Management Agencies Implement Statutory Responsibilities

Protecting critical infrastructure that helps provide necessities like water, electricity, and food is a national priority. Events like natural disasters or cyberattacks can disrupt services Americans need for daily life.

We testified that many federal agencies work to protect the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We've recommended that CISA set timelines for completing this work.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for Sector Risk Management Agencies (SRMAs). These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described to GAO new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for SRMAs. New activities officials described to address these responsibilities included developing a communications risk register and developing emergency preparedness exercises.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help SRMAs implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. SRMA officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.
Why GAO Did This Study

Critical infrastructure provides essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of SRMAs in carrying out responsibilities set forth in the act. This statement addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA identified and undertook efforts to help agencies implement their responsibilities set forth in the act.

This statement is based on GAO's February 2023 report on SRMA efforts to carry out critical infrastructure protection responsibilities and CISA's efforts to help SRMAs implement those responsibilities. For that report, GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

In its February 2023 report, GAO recommended that CISA establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

NATO and European Union launch task force on resilience of critical infrastructure

Senior officials from NATO and the European Union met to launch a new NATO-EU Task Force on Resilience of Critical Infrastructure. Cooperation to strengthen critical infrastructure has become even more important in light of the sabotage against the Nord Stream pipelines, and Russia’s weaponisation of energy as part of its war of aggression against Ukraine.

First announced by NATO Secretary General Jens Stoltenberg and European Commission President Ursula von der Leyen in January, the initiative brings together officials from both organisations to share best practices, share situational awareness, and develop principles to improve resilience. The Task Force will begin by focusing on four sectors: energy, transport, digital infrastructure, and space.

Announcing the initiative in January, Mr Stoltenberg said: "We want to look together at how to make our critical infrastructure, technology and supply chains more resilient to potential threats, and to take action to mitigate potential vulnerabilities. This will be an important step in making our societies stronger and safer."

NATO-EU cooperation has reached unprecedented levels in recent years, and particularly since the start of Russia’s war of aggression against Ukraine. In January, NATO and EU leaders signed a new joint declaration to take partnership between the organisations to a new level, including on emerging and disruptive technologies, space, and the security impact of climate change.

GAO Wants Time Frames to Complete DHS Efforts on Critical Infrastructure Security

Protecting critical infrastructure—like water supplies, electricity grids, and food production—is a national priority. Events like natural disasters or cyberattacks can disrupt services that Americans need for daily life.

Many federal agencies are tasked with protecting the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We recommended that CISA set timelines for completing this work.

GAO found that the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for sector risk management agencies. These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for sector risk management agencies. New activities officials described to address these responsibilities included developing a risk analysis capability and updating emergency preparedness products.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help sector risk management agencies implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. Sector risk management agency officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.

Why GAO Did This Study

Critical infrastructure provides essential functions––such as supplying water, generating energy, and producing food––that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of sector risk management agencies in carrying out responsibilities set forth in the act. This report addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA has identified and undertaken efforts to help agencies implement their responsibilities set forth in the act.

GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

Recommendations

The Director of CISA should establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

Recommendations for Executive Action
Agency Affected
Cybersecurity and Infrastructure Security Agency

Recommendation
The Director of CISA should establish milestones and timelines for its efforts to provide guidance and improve coordination and information sharing that would help SRMAs implement their FY21 NDAA responsibilities, and ensure the milestones and timelines are updated through completion. (Recommendation 1)

Actions to satisfy the intent of the recommendation have not been taken or are being planned.

IRC warns damaged infrastructure is hampering critical aid supply to catastrophic disaster as it launches emergency response

As the full scale of the disaster in Syria and Turkey following the 7.8 magnitude earthquake becomes apparent, the International Rescue Committee (IRC) is warning of catastrophic humanitarian needs in both countries. Unfettered humanitarian access to those affected is now absolutely critical. As humanitarian needs soar during freezing temperatures, in both Turkey and Syria, the IRC is launching an integrated response to affected populations in both countries.

Tanya Evans, Syria Country Director for IRC said:

“The scale of the disaster is catastrophic. We are still in the first 36 hours of one of the largest earthquakes to hit the region this century. Multiple earthquakes and aftershocks yesterday and today have damaged roads, border crossings, and critical infrastructure, severely hampering aid efforts.

“IRC’s main priority is finding safe spaces for our staff to operate from in Gaziantep and across northwest Syria. Many buildings have been severely damaged in the earthquake, including at least one of our field offices in northwest Syria. It is almost impossible to know the full extent of the disaster right now but everything we are hearing from our teams suggests it is truly devastating.

“Electricity across the affected area remains intermittent. In Turkey we have seen improvements since the earthquake but in northern Syria there are still so many areas off the grid. This also includes mobile and internet outages making the response and coordination even more difficult. It is not just electricity and phone lines affected. Gas supplies, for which many rely on to heat their homes, have also been severely impacted meaning that even if people are able to return to their homes they will have to endure freezing temperatures.

“With the response in its infancy the need for humanitarian aid is stark. Roads and infrastructure, like bridges, have been damaged meaning it will likely prove challenging to get supplies to those who need it most. Even before the earthquake, humanitarian access was constrained in northwest Syria, with most aid coming in via one crossing point with Turkey. In this time of increased need it is critical that the levels of aid crossing also increase at pace too.”

The IRC’s response to the earthquake will be in both Turkey and northern Syria, and will include the provision of immediate cash, basic items such as household kits, dignity kits for women and girls and hygiene supplies. Through partners, the IRC will support essential health services in earthquake-affected areas, and set up safe spaces for women and children affected by the crisis.

In light of the catastrophic humanitarian needs emerging, the IRC is calling on the international community to urgently increase critical funding to both Syria and Turkey to ensure that those affected by this emergency get the lifesaving support they need before it is too late.

[image: DENIZ TEKIN/EPA-EFE/Shutterstock]

IOM joins Making Cities Resilient 2030 as supporting entity

The International Organization for Migration’s (IOM) Regional Office for the Middle East and North Africa (MENA) has joined the MCR2030 initiative as a supporting entity. MCR2030 is UNDRR’s flagship program, building on the achievement of the Making Cities Resilient Campaign that began in 2010. It welcomes cities, local governments, and all parties who wish to support cities along the resilience roadmap.

The IOM Regional Office for the MENA region has developed the Urban Diagnostic Toolkit to map gaps in migrants’ integration in urban settings, aimed at increasing urban resilience of migrants, refugees, displaced persons, host societies and local governments by strengthening migrants’ social cohesion in the spatial, institutional, economic, climate and resilience city systems.

Increasingly, IOM and UNDRR collaborate across a range of workstreams from high level policy engagement related to the Sendai Framework for DRR’s Midterm Review process, the Global Platform for DRR and Regional DRR Platforms, and more recently on the Early Warning for All Initiative, COP27 and the Center of Excellence for Disaster and Climate Resilience, which IOM recently joined as a member of the Steering Committee. Partnership also extends to technical cooperation on the implementation of the annual workplan of the Senior Leadership Group for DRR for Resilience inclusive of work to mainstream DRR into humanitarian action. IOM is also supporting UNDRR’s leadership on the development and roll out of Risk Information Exchange and the creation of a second-generation disaster loss accounting platform to replace DesInventar. The latter was recently dialogued under the leadership of UNDRR-UNDP-WMO at the Bonn Technical Expert Forum meeting in late November.

This is the beginning of a new collaboration between the two UN agencies. UNDRR warmly welcomes the new MCR partner to work jointly on paving the road for increasing migrants’ resilience in urban contexts.

MRC2030 is a unique cross-stakeholder initiative for improving local resilience through advocacy, sharing knowledge and experiences, establishing mutually reinforcing city-to-city learning networks, injecting technical expertise, connecting multiple layers of government, and building partnerships. Through delivering a clear roadmap to urban resilience, providing tools, access to knowledge, and monitoring and reporting tools, MCR2030 will support cities on their journey to reduce risk and build resilience.

The impact of cybersecurity in the energy industry

Cyber resilience is a challenge for organizations globally and for the electricity industry in particular. Power systems are among the most complex and critical of all infrastructure types and act as the backbone of economic activity.

Large-scale incidents such as blackouts can have socio-economic ramifications for households, businesses and vital institutions. For example, a six-hour winter blackout in mainland France could result in damages totalling over €1.5 billion ($1.7 billion).

In 2018, the World Economic Forum Centre for Cybersecurity and the Platform for Shaping the Future of Energy, Materials and Infrastructure launched the Cyber Resilience in the Electricity Industry initiative to improve the cyber resilience of global electricity infrastructure. This initiative brought together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for protecting the power infrastructure.

Building on the first phase of the initiative, the Forum is now developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration with Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern and Vestas. This new platform serves as a central hub where industry experts can exchange knowledge, ideas and best practices to improve cyber resilience as a whole.

By bringing together the leading minds in cybersecurity worldwide, the initiative is fostering collaboration and innovation in this critical field, with the ultimate goal of enhancing the security and reliability of the electricity infrastructure that powers the modern world.

What are the challenges of cybersecurity in the energy industry?

The unprecedented pace of technological change driven by the Fourth Industrial Revolution means that health, transport, communication, production and distribution systems will demand rapidly increasing energy resources to support global digitalization and the advancement of interconnected devices.

Digitalization is driving growth and innovation in the electricity industry and has tremendous potential to deliver shareholder, customer and environmental value. However, new technologies and business models affecting operating assets present both opportunities and risks.

In the past, managing these risks had only meant dealing with issues such as component failure or weather damages, while today’s resilience plans must consider cybersecurity-related threats.

Our approach to strengthening cybersecurity in the energy industry

The Cyber Resilience in the Electricity Industry programme focuses on three main pillars:

- Developing scenarios and use cases that industry executives and boards can use to create a culture of cyber resilience and good governance in the electricity sector.
- Improving the implementation of cyber resilience regulations by fostering dialogue between policy-makers and businesses.
- Improving supply chain resilience by establishing standards for cybersecurity roles and responsibilities across all stakeholders involved to ensure that every entity is taking appropriate steps to protect against cyberthreats.

The initiative has published a series of reports to guide chief executives and board members in meeting the unique challenges of managing cyber risks:

- Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
- Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers
- Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain

In 2021, following a request from the European Commission (EC) Energy Directorate, the initiative also developed a collection of 15 lessons learned and recommendations for improvement on the new EC Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.

1 2 3 10