2024

Simola, Jussi; Takala, Arttu; Lehkonen, Riku; Frantti, Tapio; Savola, Reijo

Securing electricity distribution is one of the most important principles of the EU cyber security strategy. For example, European cyber security regulations, such as NIS2 (Network and Information Security Directive), CER (Critical Entities Resilience Directive), and Cyber Resilience Act (CRA) together aim to create a foundation and guidelines for international standards in various industries and the operation of critical infrastructure. Securing critical infrastructure is a common goal for Western operators. The new European Union (EU) directives bring new requirements to critical infrastructure administrators, device manufacturers and operators. Previously, member states have had responsibility for compliance with the directives, but they have been given freedom in the method by which they approach the requirements. Currently, member states' solutions are not always uniform, which has led to increased difficulties in coordination on a multi-national level. This, in turn, may lead to difficulties in coordination when responding to cybersecurity threats and attacks on critical infrastructure. The new regulation focuses on unifying the reporting between member states, reporting requirements of severe critical infrastructure events, and creating cybersecurity risk management procedures. In this study, we will provide a novel solution on how critical infrastructure administrators, device manufacturers, and operators may respond and become compliant with the new EU directives. To reach compliance and to enable the responsibilities that are required by the directive, the critical infrastructure devices and environment must have the capability to enable the responsible parties to identify, protect, detect, respond, and report. This sequence of actions is cyclical in nature since the identification of threats and vulnerabilities requires reports, which in turn requires data and detection. Our study focuses on the hardware requirements this causes on the manufacturing specifications, such as data collection and detection capabilities. The research belongs to the CSG project, and the purpose is to develop a governance model to minimize Operational Technology related risks and create a new standardized operating environment for the seamless utilization of energy solutions and industrial environment. The results of the study will be used in the analysis of requirements definitions in the OT environment.