Here's how the European Network and Information Security Agency put it a few weeks ago:
We are happy to inform you that ENISA has recently published a new study on smart grids’ security. This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study.
Couldn't possibly be softer, gentler, or less threatening, I'd say. Sort of like what some of the North America utilities wish they had to deal with instead of the teethy and time consuming NERC CIPs. Certainly this ENISA stuff is much higher level, earlier stage guidance than the NISTIR 7628 which has now been available in some form for over 2 years.
But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe what some say, that expensive and time consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.
At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.
Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.
You can download the ENISA document HERE.
Europa Image credit: Wikipedia Commons
But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe what some say, that expensive and time consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.
At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.
Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.
You can download the ENISA document HERE.
Europa Image credit: Wikipedia Commons