Operational Technology resilience in the 2023 draft delegated act on cybersecurity for the power sector—An EU policy process analysis

Impact Factor 3.3 · Zone 3 · Sociology · Q1 LAW
Øyvind Toftegaard, Guro Grøtterud, Bernhard Hämmerli
Journal: Computer Law & Security Review, Volume 54, Article 106034
DOI: 10.1016/j.clsr.2024.106034
Publication date: 2024-08-19 (Journal Article)
Publisher page: https://www.sciencedirect.com/science/article/pii/S0267364924001006
Citations: 0

Abstract

The EU’s 2020 Cybersecurity Strategy promotes cybersecurity as essential for building a resilient, green, and digital Europe. Cleaner energy sources such as wind and solar are more volatile and thus need digital integration with Industrial Control Systems (ICS) for grid balancing. However, digitization and the properties of cyberspace make it possible to coordinate disruptive cyberattacks against power grid infrastructures. Digital weapons may be launched against ICS to start multiple cascading outages with a keystroke, causing large-scale blackouts we have never seen before. To reduce risk, the EU’s Strategy describes three objectives for ICS: secure-by-design, resilient, and timely patched. In the strategy, the European Commission suggests a “network code,” i.e. a delegated act for the electric power sector, setting rules for cybersecurity in cross-border electricity flows. The draft delegated act of November 2023 presents security requirements for Information and Communication Technology (ICT) and Network and Information Systems (NIS). Although ICS are used directly to manage electricity flows, ICS is only mentioned in one of the delegated act’s recitals, as a subcategory of ICT products. Suppose Information Technology (IT) rather than Operational Technology (OT) is the focus of the delegated act. In that case, policymakers may not fulfill the EU cybersecurity strategy’s ICS objectives, thus failing to improve the resilience of power grid infrastructures and cross-border electricity flows. This study is a policy process analysis, and its contribution is threefold. First, a literature review is conducted to understand the extent to which the delegated act covers OT. Second, a framework condition analysis is applied to understand why the delegated act lacks OT-specific security requirements. Third, the analysis is extended to understand whether OT is sufficiently covered to achieve the EU strategy’s ICS objectives. In conclusion, our analysis shows a strong intention to include OT-specific security in the preparatory work of the delegated act, but that a stronger position of the IT communities forced OT onto the sideline. Further, the study shows weak fulfillment of general secure-by-design principles and security patch management. These results indicate that OT coverage in the delegated act is not in line with the expectations of the EU’s cybersecurity strategy and the delegated act’s early preparatory work. Therefore, we have suggested three measures to increase the OT resilience focus in the act: (a) define the expressions NIS, ICT services, ICT processes, and ICT in general as umbrella terms that include OT; (b) require OT-specific measures in the foreseen minimum and advanced cybersecurity controls, including holistic secure-by-design principles and patch management covering all patching phases; (c) develop an OT implementation guide for the delegated act. Our work can be used by policymakers to optimize cybersecurity policy processes and by researchers studying socio-technical gaps in the cybersecurity domain.

Source journal
CiteScore: 5.60
Self-citation rate: 10.30%
Articles published: 81
Review time: 67 days
Journal description: CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good-quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.