Network code on cybersecurity aspects of cross-border electricity flows
A Eurelectric response paper
November 2023
Eurelectric represents the interests of the electricity industry in Europe. Our work covers all major issues affecting our sector. Our members represent the electricity industry in over 30 European countries.
We cover the entire industry from electricity generation and markets to distribution networks and customer issues. We also have affiliates active on several other continents and business associates from a wide variety of sectors with a direct interest in the electricity industry.
We stand for
The vision of the European power sector is to enable and sustain:
- A vibrant competitive European economy, reliably powered by clean, carbon-neutral energy
- A smart, energy efficient and truly sustainable society for all citizens of Europe
We are committed to lead a cost-effective energy transition by:
- investing in clean power generation and transition-enabling solutions, to reduce emissions and actively pursue efforts to become carbon-neutral well before mid-century, taking into account different starting points and commercial availability of key transition technologies;
- transforming the energy system to make it more responsive, resilient and efficient. This includes increased use of renewable energy, digitalisation, demand side response and reinforcement of grids so they can function as platforms and enablers for customers, cities and communities;
- accelerating the energy transition in other economic sectors by offering competitive electricity as a transformation tool for transport, heating and industry;
- embedding sustainability in all parts of our value chain and taking measures to support the transformation of existing assets towards a zero carbon society;
- innovating to discover the cutting-edge business models and develop the breakthrough technologies that are indispensable to allow our industry to lead this transition.
Dépôt légal: D/2023/12.105/46
WG Technology
WG Thermal & Nuclear
Secretariat Group Distributed Flexibility and Data management
WG Market Integration & Network Codes
WG Retail Market Design
WG Customers & New Services
Contact:
Jessica GARCIA, Advisor - Distribution & Market Facilitation –
jgarcia@
Summary for consultation
Eurelectric welcomes the ongoing efforts to enhance cybersecurity and appreciates this opportunity to respond to the delegated regulation of the European Commission.
Implementation timescales:
- Overall, we find the implementation horizon too long. In its current version, the NCCS could take between 7 to 10 years until it is fully implemented, leaving the European electricity grid more vulnerable to cyber-attacks in the meantime. For instance, in the scenario where all deadlines are met, a critical-impact entity will only be obliged to demonstrate compliance with the common electricity cybersecurity framework 10 years after the entry into force of the NCCS.
- We welcome Article 33 creating a mapping matrix to provide the information of which controls in European and international standards would be equivalent to the controls proposed in Article 27. However, it is unnecessary to wait 36 months for the results, and this should be changed to 6 months. In addition, we propose in Article 47 to also create a provisional mapping matrix for the provisional cybersecurity controls, instead of only a list of European and international standards to provide guidance.
- The timeline incoherence between two interdependent requirements should be rectified. The first requirement is for national entities to create a list of national legislation for cybersecurity purposes. The second requirement is for ENTSO-E and the EU DSO entity to develop a provisional list of European and international standards and controls needed for national legislation. The second requirement has a shorter deadline, even though it is secondary to the first requirement.
Information sharing:
- Article 37(3) states that “Each critical-impact and high-impact entity shall share relevant information related to a reportable cybersecurity incident with its CSIRT and its competent authority...”, which stipulates double reporting. Communication between CSIRTs and national authorities should be coordinated, but the reporting at entity level should be concentrated in one common mechanism or reporting platform.
- Article 37(8) also stipulates that the notification of a significant incident within the scope of the NIS2 Directive “shall constitute reporting of information under paragraph 3 of this Article.”, which contributes to the argument that the existing reporting lines should be considered and duplication avoided in the reporting process.
- The references to the NIS2 Directive are problematic since the directive has not been implemented yet in the member states, which could cause several overlaps. Therefore, the NCCS should stress national competent authorities and CSIRTs to streamline the regulatory frameworks. Additionally, to manage, control and comply with new cybersecurity requirements, coordination must take place between both the EU and the national authorities on requirements such as the upcoming NIS2 and CER Directives, as well as this new regulatory framework. We fear double regulation and more bureaucracy.
Cybersecurity risk assessment methodologies:
- In Article 17(2) there is an obligation to include threat scenarios linked to attacks on the supply chain in the risk methodology at Union level. Perhaps other types of threat, potentially more serious, should also be highlighted.
- There are no references to international standards in the area of risk management (e.g. ISO 27005, ISO 31000, NIST CSF, ENISA requirements). It would be useful to make it clear which guidelines, in terms of established good practices, you have based your risk management proposals on.
Scope:
- There is an incoherence between Article 31(2) and 25(3.a), and the referral to “other processes” is quite generic and should be eliminated. Entities should clearly understand what the minimum scope of their cybersecurity management system shall include, and references to other articles should be limited. Moreover, the scope depends on further work determining the thresholds.
Consultation response
Eurelectric welcomes the ongoing efforts to enhance cybersecurity and appreciates this opportunity to respond to the delegated regulation of the European Commission.
Implementation timescales:
- For all entities in scope of the network code it would be very useful to know which controls in European and international standards would be equivalent to the controls proposed in Article 27. We therefore welcome Article 33, which creates a mapping matrix to provide this information. However, it comes only within 36 months after the notification of the high- and critical-impact entities. It is unnecessary to wait three years for the results of an exercise that could be completed in 6 months. Therefore, we would propose two changes: in Article 33 we would propose to bring the 36 months to create the mapping matrix back to 6 months. In addition, to help entities even more, we would propose in Article 47 to also create a provisional mapping matrix for the provisional cybersecurity controls, instead of only a list of European and international standards to provide guidance.
- There is a timeline incoherence regarding two interdependent requirements: the requirement imposed upon the national entities to develop a list of relevant national legislation for the purposes of cybersecurity aspects of cross-border electricity flows, and the subsidiary requirement imposed upon ENTSO-E and the EU DSO entity to develop a provisional list of European and international standards and controls required by national legislation. The latter is secondary to the former and yet it has a shorter deadline. Once designated, the competent national entities are given 6 months to produce the list of relevant legislation, which means 9 months after the Regulation has entered into force. However, the second requirement is expected to be fulfilled 6 months after the Regulation has entered into force, which amounts to an incoherence.
Scope:
- There is an incoherence between Article 31(2) and 25(3.a), and the referral to “other processes” is quite generic and should be eliminated. Entities should clearly understand what the minimum scope of their cybersecurity management system shall include, and references to other articles should be limited.
- It would be more appropriate to explain the definitions properly instead of giving references to a lot of different articles. Moreover, the scope depends on further work determining the thresholds.
Information sharing:
- According to Article 37(5), entities are not obliged to report unpatched actively exploited vulnerabilities, which, by definition, already constitute cyber-attacks. We not only disagree with this voluntary/non-mandatory requirement, but even with this reactive approach. Cybersecurity demands a more proactive approach, and therefore we suggest that any unpatched 0-day vulnerability must be immediately reported, even before being exploited, to ensure they are timely addressed, avoiding exploitation of said vulnerabilities and the consequent occurrence of cyber-attacks.
- Article 37(3) states that “Each critical-impact and high-impact entity shall share relevant information related to a reportable cybersecurity incident with its CSIRT and its competent authority...”, which stipulates double reporting. Communication between CSIRTs and national authorities should be coordinated and stipulated within the proposed network code, but the reporting at entity level should be concentrated in one common mechanism or reporting platform.
- To manage, control and comply with new cybersecurity requirements, coordination must take place between both the EU and the national authorities on requirements such as the upcoming NIS2 and CER Directives, as well as this new regulatory framework. Article 37(8) also stipulates that the notification of a significant incident within the scope of the NIS2 Directive “shall constitute reporting of information under paragraph 3 of this Article.”, which contributes to the argument that the existing reporting lines should be taken into account and duplication avoided in the reporting process. In the regulation, it is stated that “the general rules on the security of network and information systems laid down in Directive (EU) 2022/2555 (NIS2 Directive) are complemented by the network code.” NIS2 has not been implemented yet in the EU member states. This may lead to several overlaps, and this should be considered in the implementations. Therefore, the NCCS should stress national competent authorities and CSIRTs to streamline the regulatory frameworks.
- A final remark regarding both of these articles is the incoherence between the reporting deadlines: it is unclear how the reporting of an entity under the NIS2 Directive can constitute a reporting of information under Article 37(3), if Article 23(4.a) of the NIS2 Directive stipulates a 24-hour initial report deadline whereas Article 37(3) of the NCCS stipulates a 4-hour initial report deadline. If the NCCS intends to be more demanding than the NIS2 Directive, due to the criticality of the electricity sector, Article 37(8) should include the caveat of the NCCS's more demanding deadline.
- Eurelectric also suggests providing guidance on information sharing procedures regarding cyber threats (what kind of information about cyber threats, when it is mandatory to notify, how to notify, etc.).
Cybersecurity risk assessment methodologies:
- In Article 17(2) there is an obligation to include threat scenarios linked to attacks on the supply chain in the risk methodology at Union level. Perhaps other types of threat, potentially more serious, should also be highlighted.
- There are no references to international standards in the area of risk management (e.g. ISO 27005, ISO 31000, NIST CSF, ENISA requirements). It would be useful to make it clear which guidelines, in terms of established good practices, you have based your risk management proposals on.
- It is not very clear what the roles and responsibilities of the different entities involved in the risk assessment are, including the operators and the entities involved in the risk assessment.
- Article 17, on the development and implementation of a methodology for risk assessment, is very important. Defining the Electricity Cybersecurity Risk Index (ECRI) for high-impact and critical-impact thresholds is crucial, as well as defining a list of Union-wide high-impact and critical-impact processes. We are concerned about the fulfilment of the timeline requirements here, as this work must have top priority in order not to place uncertain demands on the entities.
- A method for cybersecurity risk assessments must be developed based on clear input values and risk analysis scenarios to promote an appropriate level of analysis. The demand for increased resilience has shifted to a risk-based approach that allows resilience to be adjusted based on the actual risk profile. Different devices face different threats, requiring tailored levels of protection to prevent either over- or under-protection of critical systems. Therefore, we see advantages in this adaptability to consider methodologies at different levels depending on the degree of impact on cross-border electricity flows.
- In the current version, the Network Code is not fully harmonized with the framework of EU and national regulations in the field of cyber risk management in the electricity sector. To provide some concrete examples, there are Network Code measures for entities, such as (i) those related to the implementation of the cyber risk management program (art. 33), (ii) minimum and advanced measures (art. 28), (iii) measures on the supply chain (art. 32) and (iv) the development of a cybersecurity management system (art. 31), which significantly overlap with EU (NIS 2.0 in particular) and national regulations. The risk is to generate different approaches to mitigate similar cyber risks, creating an overload of compliance to manage for involved entities, primarily DSOs and TSOs.
Recovery of costs:
- We welcome the recognition that the costs incurred by DSOs which stem from the obligations in the NCCS should be fully recovered through network tariffs or other appropriate mechanisms.
Common approach:
- In Recital 18, as neighbouring countries evolve at different rates in the use of cybersecurity risk assessment systems, a mention of the Benchmarking (Article 13) should appear here, setting a reference for comparison and system evolution over time.
Monitoring:
- Recital 23 is missing the reference to forensic analysis that can improve the preparedness of other grid operators regarding same-context awareness.
Cooperation between relevant authorities and bodies at national level:
- Concerning Article 5, public and private R&D entities with expertise in (cyber)security subjects should be invited to participate as observers, helping in debriefing sessions and further getting insights for their research and innovation work/activities.
Specific comments
Legal elements of the delegated act
In the regulation, it is stated that “the general rules on the security of network and information systems laid down in Directive (EU) 2022/2555 (NIS2 Directive) are complemented by the network code.” NIS2 has not been implemented yet in the EU. Therefore, it is hard to follow and verify the referrals to NIS2. Furthermore, in many countries the process of national implementation is ongoing and may present stricter implementations than in the Directive. This may lead to several overlaps, and this should be considered in the implementations. Therefore, the NCCS should stress national competent authorities and CSIRTs to streamline the regulatory frameworks. Due to redundancy and insufficient differentiation from ongoing legislative projects, e.g. the NIS2 Directive implementation, there is also a considerable risk of double regulation and consequently bureaucratic overburdening.
The cycle for updating the NIS2 and CER Directives is 4 years; therefore this time horizon should preferably be used in the NCCS.
Article 38 Detection of cybersecurity incidents and handling of related information
Multinational electricity grid entities should not have to report to several national authorities and CSIRTs, to avoid duplication of obligations, as the proposal overlaps with several existing regulations.
As cyber threats became more sophisticated and widespread, multinational distribution system operators (DSOs) faced a significant challenge. It is extremely important to ensure methodology, but above all the feasibility of reporting as well as follow-up and report