Documents and reports
Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators
Energy regulators have a unique role to play in the field of cybersecurity. While the implementation of cybersecurity measures is typically the responsibility of power system operators, regulators have an obligation to ensure that investments made in the name of cybersecurity are reasonable, prudent, and effective. These guidelines are intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of their power systems, and are based on literature and current practices. They attempt to answer the following questions:
- Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
- How can regulators identify and benchmark cybersecurity costs?
- How can regulators identify good countermeasures for cybersecurity?
- How can regulators assess the reasonableness of the costs associated with these countermeasures?
- Is it possible to evaluate the effectiveness of cybersecurity investments?
- Who should identify, benchmark, measure and evaluate the countermeasures in different regulatory frameworks?
As power systems modernize, digitize, and integrate, they are increasingly exposed to additional vulnerabilities that can be exploited by cyberattacks. Attacks on the power grid can have devastating effects on a nation’s security, economy, and public welfare, and are a potent threat to all nations worldwide.
The guidelines are a first-of-their-kind resource to empower energy regulators to support and encourage grid resilience by ensuring prudent and effective investments in cybersecurity by their regulated entities. The guidelines, melting competencies and wisdom from different disciplines, strive to provide space for concepts, processes and methods rather than prescriptive lists or ready-to-use formulas.
These guidelines were developed by CNR-Ircres for the National Association of Regulatory Utility Commissioners (NARUC) with funding support from the United States Agency for International Development (USAID) as part of the Europe and Eurasia Cybersecurity Partnership.
Elena Ragazzi (ed.), Alberto Stefanini, Daniele Benintendi, Ugo Finardi, and Dennis K. Holstein (2020). Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators, NARUC, Washington DC.
Elena Ragazzi (2020). Costs and benefits of cybersecurity regulation. The terms of a complex assessment, Appendix 1 to "Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators" , NARUC, Washington DC.
Elena Ragazzi (ed), Ugo Finardi, Alberto Stefanini (2020) Summary of the main results of the ESSENCE project, Appendix 2 to "Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators" , NARUC, Washington DC.
Ugo Finardi, Elena Ragazzi, Alberto Stefanini (2020) EPRI cybersecurity metrics, Appendix 3 to "Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators" , NARUC, Washington DC.
Smart distribution system: promozione selettiva degli investimenti nei sistemi innovativi di distribuzione di energia elettrica
Essence participated to the consultation on the document 255/2015 “Smart distribution system: promozione selettiva degli investimenti nei sistemi innovativi di distribuzione di energia elettrica”.
(see also: http://www.autorita.energia.it/it/docs/dc/15/255-15.jsp )
This consultation document, starts from the results of smart grid pilot projects initiated by Resolution ARG / elt 39/10, and illustrates the possible mechanisms of incentive regulation - targeting distribution companies - for the transformation of distribution networks in Smart distribution systems. The document also contains proposals for further experimentations in technical areas not yet explored by the smart grid pilot project already carried out.
Appropriate security measures for smart grids
The European Commission, supported by ENISA, has decided to launch consultations on the minimum cyber security requirements for smart grids with EU national Network and Information Security competent authorities and the Energy and ICT industry, and possibly also selected non-EU partners. The basis for these consultations will be ENISA (http://www.enisa.europa.eu/)’s report which can be found at https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/appropriate-security-measures-for-smart-grids . In general Enisa pubblications can be found at http://www.enisa.europa.eu/publications#c2=publicationDate&reversed=on&c5=all&c0=10&b_start=0
Standard websites
- ISA 99 wiki
http://isa99.isa.org/ISA99%20Wiki/Home.aspx
- NERC CIP Standards
http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Other projects related to critical infrastructure security
- ERNCIP (European Reference Network for Critical Infrastructure Protection) forms part of the European Programme for Critical Infrastructure Protection and aims at providing a framework within which experimental facilities and laboratories share knowledge and expertise in order to harmonise test protocols throughout Europe, leading to better protection of critical infrastructures against all types of threats and hazards.
https://erncip-project.jrc.ec.europa.eu/
- Precyse
https://www.precyse.eu