Cyber security is widely discussed in the energy sector, but until now it has been rather unclear in many energy utilities how to start developing it in concrete business terms. This summer, two announcements in the EU provide guidance from the regulatory side and support in defining the direction of the next steps. For the daily management of information security, industry standards provide a practical framework.
The first piece of EU legislation on cybersecurity was passed by the European Parliament in early July: The Directive on Security of Network and Information Systems (NIS Directive) came into effect in August 2016, requiring Member States to transpose the Directive into their national laws within the next 21 months.
Under the Directive, certain energy utilities will be designated at the national level as operators of essential services (the Directive's term for critical infrastructure operators) and will be required to adopt risk management practices and to report incidents with a significant impact to the relevant national authority. Member States must identify these operators within six months of the transposition deadline.
In parallel, the Smart Meter Co-ordination Group (SM-CG), established by the European Standardization Organizations CEN, CENELEC and ETSI, published a list of minimum security requirements for AMI components. The list, compiled together with ESMIG, the European association of smart energy solution providers, sets out nine minimum requirements for smart metering, covering all AMI components from smart meters to head-end systems, and was drawn up following a review of some 300 security requirements.
John Harris, Vice President and Head of Governmental and Regulatory Affairs at Landis+Gyr, says, “A high level of data protection and security is essential for the public acceptance of smart metering which often determines the success of a rollout. The SM-CG minimum security requirements, published by CEN-CENELEC and ETSI, are a prime example of successful cooperation between individual companies, an industry association and public bodies. They are an excellent reference for those EU Member States that have not yet set their own smart metering requirements and provide the security that utilities and their customers want and deserve.”
Whereas the EU Directive and the list of minimum security requirements provide the foundation for cyber security development in energy utilities, continuous work needs to be done at the organizational level. Industry standards help organizations take a systematic approach to cyber security development; ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and helps an organization manage sensitive company information so that it remains secure.
Weaving AMI cybersecurity into the fabric of your organization
Within a utility, AMI cyber security development is a continuous process which begins by evaluating the company’s current security status, identifying weaknesses and creating an improvement plan. It is essential to understand the vulnerabilities and to ensure that appropriate mitigation actions are taken. AMI cyber security is not just about the technical solution: it also covers people and processes, as well as the utility’s overall IT infrastructure, and improvements can be made in each of these focus areas.