Tuesday, August 28, 2012

ENISA Again: 3rd Time's the Charm re European Grid and Smart Grid Security Policy

8/29 Update:

You still have a few days to register and get your plane or train tickets to Amsterdam. In one fell swoop, the existence of this 10/15 workshop, in itself, fully refutes charges of lack of US-European cooperation, as well as claims that control system security is ignored. Go HERE to learn more and register.


While of monologues many great political speech or play are constructed, it's through dialogue we reach understanding and consensus. Wait, who said that?

This blog first posted on the European Network and Information Security Agency (ENISA) and its recent recommendations for EU energy sector security earlier this month.

Since then I've received a good deal of reader feedback, some of it supporting statements made in that post and some refuting. The most definitive and best of the latter, I believe, comes from the organization

Here then, are 2 of the original critiques, followed by ENISA's detailed responses, just in:

1. "It contains no call for cooperation with US-CERT, FERC or equivalent body on problems that are clearly of interest to both sides. Compare with various DHS initiatives (such as DHS ICSJWG) which have included foreign participants."
ENISA responds: On moves towards EU-US cooperation, and concerns that the report does not explicitly call for this, to allay any concerns, we would point out that the European Union, including ENISA, is already working closely with the US government on cyber security issues through the Joint EU-US Working Group on Cyber-Security and Cyber-Crime (EU-US WG). As such, not only does it encourage but also promotes cooperation between the US bodies and the relevant European ones. 
Looking specifically at smart grids, an example of this cooperation is ENISA's support for the forthcoming Joint EU-US Open Workshop on the Cyber Security of ICS and Smart Grids. Our smart grids security report reflects the views of the experts who participated in the study, and while there is support for closer cooperation and sharing of information, there is not as yet a consensus on how a workable framework could be established.  (For details of the survey process, go HERE.)

2. "ENISA reports do not adequately address control systems."
ENISA responds: We'd like to set the record straight by pointing your readers towards an ENISA report published last year that is exclusively about control systems. This gives recommendations on ICS security for the European Union Member States and bodies. The report can be found HERE.
I am satisfied. Actually more than satisfied and happy to have seen this discussion all the way through, and I've added ENISA to the "Key Players - Gov" group on the blog's right side bar.

However, if you remain peeved or perturbed, then by all means please contact ENISA yourself with your certain-to-be-constructive comments and criticisms.

Mr. Graeme Cooper is the man you want to speak with and his sig block looks like this:

Graeme Cooper
Head of Public Affairs Unit
European Network and Information Security Agency (ENISA)
email: graeme.cooper@enisa.europa.eu

OK?  Gut. Bueno. Bien. Etc.