(1/7/2016) – This document contains the results of an analysis of policies that relate to smart grid security. A long list of policies was identified, and a subset of those policies was analysed in more depth using an analysis framework developed by SEGRID. The main observations are:
- At the European level, a harmonised approach to smart grid security is clearly lacking. Only a limited set of countries have developed security requirements for energy smart grid equipment and devices.
- The understanding of smart grid security and other key terminology varies considerably from member state to member state. This influences the different approaches to smart grid security strategy among these member states.
- Four areas were identified that are not properly addressed in the analysed smart grid security policies: (1) the shift of responsibilities from the transmission to the distribution level and the re-definition of the roles of the actors involved; (2) the definition of the interface between the public grid and the consumer/prosumer; (3) responsibilities for (cyber) security by new actors in the combined ICT-energy chain of operations (e.g. metering operators, electric vehicle infrastructure operators and related financial services); (4) the role of (cyber) security policies.
- There exist many (security) directives, regulations, guidelines and standards which are applicable from a more generic point of view. This generic legislation, which addresses a wider domain, may apply to a specific area such as smart grid security as well. Implementation of generic legislation for the Smart Grid domain, however, requires interpretation.
- Specific (cyber) security requirements for smart grids may be mandated by national lawmakers in, for example, energy grid (operations) acts. For smart grids in general, very few technical laws have been identified so far. Several nations have enacted specific laws; however, these apply only to the smart meter domain.
- National law may also mandate critical infrastructure operators to report cyber security breaches other than those affecting data privacy. However, it is not yet clear whether the lower, distribution-level parts of the smart grid will fall under these mandatory reporting mechanisms.
- The penalisation of cyber-attacks on information systems in general mandates EU member states to sanction such attacks, which may affect requirements regarding sanctions for cyber-attacks on smart grids.
- Current policies leave the impression that the lack of cyber security, or the impact of cyber security vulnerabilities, is confined to the information and communication systems of the Smart Grid. Potential cyber security vulnerabilities, however, could affect all areas of the Smart Grid, including the performance of physical equipment.
It can be concluded that this analysis is a solid base for further studies on how gaps within policies can be filled. In the follow-up work (D1.6), SEGRID will conduct a survey among European smart grid stakeholders to investigate how they use the policies that are available, what they think of the effectiveness of these policies, and what they see as gaps in this area. SEGRID will analyse the gaps in current policies and construct recommendations for policy-makers and standards bodies in the smart grid domain to fill these gaps.