Europe and US issue new cyber security resources

ENCS and E.DSO provide harmonised smart meter security requirements, while US regulators’ association offers guidelines for national regulators.
Published: Tue 23 Jul 2019

The European Network for Cyber Security and DSO association E.DSO have issued guidelines for smart meter cyber security requirements.

Smart meter security has become a priority as European countries work towards an EU goal of 80% smart meter penetration by 2020 where it is cost-effective to do so. But concerns have been raised about the opportunity for hacking created by allowing multiple low-security access points to the grid.

Nuno Medeiros, chair of the E.DSO Cyber Security Task Force, said: “Utilities can use the requirements as a baseline tool for risk mitigation, supporting their risk management strategies.”

ENCS has been working on the guidelines for several years, and they are already being applied by Austrian, Bulgarian, Czech, Dutch, Estonian, Portuguese and Swedish DSOs for procurement and security testing purposes.

“With harmonisation of smart meter requirements we have moved away from the scattered approach that saw disparate security requirements spring up across Europe,” said Anjos Nijk, managing director of ENCS. “As more grid operators across Europe use these same requirements, it incentivises manufacturers to improve security. This then helps raise security standards across the industry. We aim to replicate this approach in other areas where the industry needs to structurally increase and harmonise security levels, such as in electric vehicle charging and distribution automation.”

Joachim Schneider, Chairman of the Technology Committee of E.DSO, said, “Traditionally, grid operators have looked to manufacturers to implement security measures in components, but manufacturers have waited for the operators to tell them what they needed rather than invest in the wrong technology. With these requirements, ENCS and E.DSO break the impasse, and we can all move forward as a more secure industry.”

NARUC issues cyber manual

Meanwhile in the US, the regulators’ association, the National Association of Regulatory Utility Commissioners (NARUC), has issued a cyber security manual to help public utility commissions (PUCs) monitor utility risk management practices.

The guidelines should help decision-making on prudent expenditures for cyber security measures.

“The threat posed by cyber security incidents is very real, and it is essential that regulators have a clear understanding of the work being done by our utilities to safeguard vital systems and address current and future cyber threats,” said Chairman Gladys Brown Dutrieuille, Pennsylvania PUC and Chair of the NARUC Critical Infrastructure Committee. “The more our PUCs are educated on these issues, the better we are able to evaluate current issues and target future enhancements.”

The manual includes the tool Understanding Cybersecurity Preparedness: Questions for Utilities, a set of questions that PUCs can ask a utility to understand its cyber security risk management procedures. Another resource, the Cybersecurity Preparedness Evaluation Tool (CPET), provides an assessment model to evaluate a utility’s cyber security risk management programme and set out capability improvements over time.

“Together, these tools will help state commissioners evaluate utility cyber preparedness more quickly and effectively. As regulators, we must assess utilities’ decisions to invest in risk-management tools and other protections for business and customer information, but we are not cyber security experts,” said Commissioner Ann Rendahl, Washington Utilities and Transportation Commission. “CPET will help us dive into risk management and cybersecurity topics without each commission reinventing the wheel.”