Author: – Comune di Berchidda –
The small municipality of Berchidda, located in the north of Sardinia, is participating in the Cyberseas project to assess whether there are any risks and vulnerabilities present in its EPES. The specificity of the municipality concerns the fact that it is small and that it owns a large part of the electricity distribution network, which is quite unique. So, assessing risks and vulnerabilities on a municipality that owns and operates its own electricity grids means drawing a rather precise picture that can be transposed from a small and local situation to much larger scenarios.
If we consider that the European Union is pushing, in order to make the energy transition effective, for more and more energy communities, we quickly understand the importance of assessing ‘in the small’ to test and protect ‘in the big’.
The risks to be faced are basically related to the process of digitisation of infrastructures, required by the energy transition that will characterise the next decade. We refer, in particular, to plants of various sizes and distributed energy resources connected to medium and low voltage.
What would be the impact of a cyber incident in terms of megawatts not supplied to the electricity system or load not absorbed? How many and which users would suffer a prolonged disruption due to a sufficiently distributed cyber-attack?
The difficulty in approaching a serious risk assessment lies in the fact that EPES infrastructures are often characterized by a wide range of ICT and network asset dependencies, while multiple actors and stakeholders are engaged in the operation of the systems.
Another aspect of the assessment methodology for EPES is the consideration of power personnel and security awareness, as cyber security is not limited to the cyber dimension, but encompasses the people, processes, policies and technology that contribute to an organisation’s overall cyber security preparedness. Despite the presence of security standards, personnel have been identified as one of the aspects that can most benefit from enhanced cyber security in even small organisations, especially in the energy sector. The behaviour of staff and stakeholders is crucial to the security of the entire company. For this reason, staff interactions are considered when creating an assessment that improves the overall risk assessment process.
We can think of a methodology potentially based on the following 6 steps:
Step 0: Scope of Energy Chain Risk Assessment (ECRA)
Phase 1: EPES analysis
Stage 2: EPES cyber threat analysis
Step 3: Vulnerability Analysis
Step 4: Impact Analysis
Step 5: Risk assessment
Step 6: Risk mitigation: Selection of security controls
This methodology can help the standardisation phase of the process to identify risks and vulnerabilities on the EPES and put in place all measures to minimise the risk.
In this way, ‘Small is beautiful’ can also be safe!