by Grigore Stamatescu, ICT Consultant, TUV Austria Romania (grigore.stamatescu@tuv.at)
Risk assessment and management is of paramount importance in critical infrastructures, and especially in power and energy systems, since the transition to a decentralised energy system was accompanied by the exposure of the EPES to external threats such as worms, viruses, trojan horses, and data privacy breaches. We have observed a lack of common practices for how to apply them effectively, and a lack of standardised, commonly used approaches for undertaking the design, implementation, and maintenance of energy-related devices, services, and processes. As a result, there is a need to integrate risk assessment with the certification of products, devices, and services, so that each EPES/ICS product, device, and service is effectively and continuously authenticated and authorised before entering the grid, while supporting manufacturers' accountability and transparency.
It has been observed that, while many research efforts, EU and national projects, and enterprise-oriented task groups are working on cybersecurity test cases and pilots, only a few of them contribute to standards and policies for the technical and business topics of electric power systems. A set of security procedures, deployed in a well-organised way (e.g., through institutions or authorities), is needed to capitalise on the added value of the ongoing test cases, simulations, pilots, use cases, and demonstrations across the EU and worldwide, in order to strengthen the standardisation and certification of best practices, effective validation and demonstration results, and the development and establishment of cybersecurity directives.
Finally, we refer to several applicable standards in the field of EPES cybersecurity:
- ISO/IEC 27001 – Information Security Management [2]
- ISO 31000 – Risk management [3]
- ISA/IEC 62443 – a series of standards that defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS) [4]
- IEC 62351 – a series of standards that specifies cyber security technologies for several communication protocols, specifically: IEC 60870-5 protocols (including IEEE 1815 (DNP3) as a derivative standard), IEC 60870-6 (ICCP), IEC 61850 protocols (including client-server, GOOSE, and sampled values), IEC 61970 and IEC 61968 (Common Information Model – CIM) [5]
[1] Winter, P.M., Eder, S., Weissenböck, J., Schwald, C., Doms, T., Vogt, T., Hochreiter, S. and Nessler, B., 2021. Trusted artificial intelligence: Towards certification of machine learning applications. arXiv preprint arXiv:2103.16910. Available on-line: https://arxiv.org/abs/2103.16910
[2] ISO/IEC 27001 – Information security management. Available on-line: https://www.iso.org/isoiec-27001-information-security.html
[3] ISO 31000 – Risk management. Available on-line: https://www.iso.org/iso-31000-risk-management.html
[4] ISA/IEC 62443 – Series of standards. Available on-line: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards