Network and Information Security (NIS) – EDSO recommendations on information sharing and risk management
Our society is highly dependent on a constant power supply, and Distribution System Operators (DSOs), in cooperation with Transmission System Operators (TSOs), are in charge of maintaining a high quality of service and guaranteeing the security of supply. Driven by significant changes in the production of energy across Europe, electricity grids are becoming increasingly dependent on information and communication technologies (ICT) for their operation. These systems offer numerous advantages for network management, but they also widen the exposure of the grid to malicious attack.
For these reasons, network and information security (NIS) is a high priority for DSOs. The European institutions are in the process of amending a Proposal for a Directive for a High common level of network and information security across the Union (NIS Directive). EDSO has prepared a recommendations paper, responding to a call by the Council earlier this year for the inclusion of practical guidance on the setting up of information sharing platforms and fostering a culture of risk management in companies managing critical infrastructure.
Based on experience from existing information sharing platforms, interviews with security experts and drawing on existing ENISA publications, please find below EDSO’s recommendations to member states:
Recommendations related to cyber risk management
- Promote the use of risk management methods and standards (examples listed in the paper)
- Promote certification schemes for organisations which comply with a set of standards for cyber security risk management
- Create guidelines that commit all organisations to nominate, and appropriately train, senior members of management teams to be responsible for cyber risk management.
Recommendations related to information sharing
- Limit the scope of each information sharing platform to a single economic sector and, better still, support the creation of European information sharing platforms, sector by sector
- Invite, where relevant, governments, service providers and technology providers to be directly involved in the platforms, while limiting the number of participants and encouraging companies to send the same representatives over time wherever possible, so that trust can build among group members
- Encourage all participants to share accurate information, including threat, vulnerability, impact and risk assessments
- Set clear information sharing procedures (e.g. the traffic light protocol) for disseminating information, so that the handling of each item reflects its sensitivity
- Create tools to facilitate information sharing, e.g. an information hub, broadcast mechanisms, secure email, secure chat and discussion groups
- Ensure access to the platforms is free of charge
- Ensure the authority coordinating the platforms is a legal entity capable of taking disclosure responsibility for the information being shared, held and disseminated
- Invest in building the necessary expertise to analyse, coordinate, and act upon the data received.