Cleantech Market Intelligence
EU Tackles Smart Grid Cyber Security, Gradually
The European Union has intelligently chosen to start building smart grid cyber security from the ground up, looking first for smaller local successes rather than one EU-wide attempt to boil the ocean, security-wise. Where they can use existing documents, such as U.S. standards, they do so. One European utility voluntarily submitted itself to a NERC CIP audit and pronounced itself pleased with the resulting baseline: “It’s the best yardstick available,” an official told me at a recent workshop. Again the attitude of extreme pragmatism shines through.
The conference, the European Union workshop “Cyber Security Challenges of Smart Grids,” capped off a project launched last summer by the European Network and Information Security Agency, ENISA, that aimed to take stock of risks to smart grids, understand existing national initiatives, pilot projects, and standardization initiatives, and develop a set of recommendations for the 27 member nations of the European Union. Input has been drawn from a wide range of stakeholders, with over 50 responses received and 23 interviews performed. A number of sources from outside the European Union (including me) were asked to respond.
Seated at the round table in Brussels’ Centre Albert Borschette were security officers from European transmission and distribution operators, security product managers from control system vendors, systems integrators, ENISA personnel, and related EU agencies working on similar initiatives. There was a sense of urgency in the room; this was not a group of bureaucrats having a nice chat. One member of the EU’s Energy Directorate-General said bluntly, “The days of duplicated efforts are over. There are not the resources to do that anymore.” Those are words I’m more accustomed to hearing in private industry.
ENISA has what might seem a Sisyphean task ahead. Not only must it coordinate the approach to smart grid cyber security across a domain of nearly 500 million people, but the agency also has to please (or placate) 27 sovereign governments. While the EU continues to express – as it did at this meeting – admiration for U.S. government deliverables such as the NERC CIP reliability standards and the NISTIR 7628 documents, we should recall that here in the United States we only have to deal with one sovereign government.
Roadblocks remain. The question of who is accountable for grid stability and security is thornier than you might imagine. Is it the grid operator (and if yes, which one), the local or national government, the military, or someone else altogether? And who gets to make that decision anyway? The few times that dates were mentioned at all at the forum, the timeframes suggested to complete activities such as “discuss this” or “foster that” were mind-boggling. With Stuxnet perhaps 4 years old, can a union of 27 nations create, agree, and implement a set of meaningful recommendations before the next Stuxnet? Or before the next five Stuxnets?