Cybersecurity is one of the key targets of the EU's critical digital capacities, which aim at developing and deploying ICTs securely in critical sectors such as the energy sector. In the recent past, cybersecurity issues have been at the forefront of the EU's regulatory reform and have seen, among other things, the introduction of certification schemes for ICT products, services and processes, as well as for personal data processing operations under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC). These policies give consumers a way to assess the compliance of products and services that include security functionality, and of the personal data processing operations carried out by data controllers. Certification also affords manufacturers, service providers and data controllers a way to demonstrate compliance verifiably through a third-party assessment.
Such certification schemes will undoubtedly have an impact on the Electric Power and Energy Sector (EPES), which has benefited immensely from advances in ICT. Within the smart grid, for example, ICTs have enabled a bi-directional flow of electricity and data, self-healing and much else, resulting not only in a more efficient way of analysing, reacting to and optimising electricity demand, but also allowing electricity consumers to participate actively in the power supply system as prosumers.[1] In power plants and substations, several ICT-enabled components are deployed to deliver better performance and advanced capabilities through the Internet of Things (IoT), advanced metering infrastructure, industrial automation and control systems, networking systems, and so on. Because these components play a critical role in the grid, they embed security functions, and those security features must be trustworthy and function as intended. Similarly, since consumers' data are processed in this bi-directional flow, the privacy of the data subjects is at stake throughout the data lifecycle. It is therefore a welcome development that the EU reforms have introduced these certification schemes through the GDPR and the EU Cybersecurity Act (CSA)[2] as a way for users to assess both the security assurance level of relevant ICT products and services and their data protection compliance.
The SDN-microSENSE project has investigated the current frameworks for cybersecurity and data protection certification in work package 6. Since their introduction, several developments have occurred towards rolling out the various schemes envisaged in these regulations. In particular, the responsible bodies, namely the European Data Protection Board (EDPB), the national data protection supervisory authorities and ENISA, have been setting up the frameworks for these schemes and have published a series of relevant documents and guidelines. ENISA, for example, has published the first Common Criteria based European cybersecurity certification scheme (EUCC)[3] as well as the Methodology for a Sectoral Cybersecurity Assessment.[4] The EDPB, for its part, has issued two guidelines[5] and an addendum[6] relating to the data protection certification scheme.
Certification in the industrial environment is complex because of the variety of protocols, architectures and components involved, including the differences between the IT and OT environments and the many ICT products that embed security functionality, such as SCADA systems, RTUs and PLCs. In light of this, the SDN-microSENSE project has issued several recommendations and guidelines to stakeholders on how to harmonise the certification schemes for easy implementation and reuse, and to avoid a proliferation of certifications in the industrial environment. Specific suggestions include:
- Developing a data protection pre-certification tool;
- Encouraging a GDPR-inspired standard and EPES sector-specific data protection certification schemes;
- Identifying baseline standards for each candidate cybersecurity certification scheme;
- Providing concrete guidelines on the certification schemes;
- Aligning new candidate cybersecurity certification schemes with existing national schemes;
- Emphasising and encouraging the composition of certifications.
Although the certification framework is voluntary, adopting these measures presents a major opportunity for stakeholders in the energy sector to increase trust and security for European consumers.
References:
[1] https://www.i-scoop.eu/industry-4-0/smart-grids-electrical-grid/.
[2] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[3] https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme/.
[4] https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment.
[5] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12018-certification-and-identifying_en; https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42018-accreditation-certification-bodies-under_en.
[6] https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidance-certification-criteria-assessment_en.