WP2: Critical National Infrastructure
Raminder Ruprai, Security Research Manager, National Grid
Seconomics Summit, Brussels, 5th November 2014

Outline of Talk
1. Critical National Infrastructure (CNI) – Assuring Security
2. Electricity Transmission – An example of CNI
3. Regulation – Assessing its effectiveness
4. Key stakeholders
5. Introducing the panel members

Objectives of WP2
The high-level objectives of this work package are:
• To assess and catalogue the interactions of security policy with the operation of critical national infrastructure (CNI), and the interaction with national and supra-national regulators and the wider European public.
• To identify and assess how various security concerns are viewed from within a provider of CNI and from outside by its stakeholders.
• To provide good-practice guidance on how to implement security policy for CNI, balance cost and risk, and communicate these trade-offs to the relevant stakeholders (for instance government and the public).

Securing Critical National Infrastructure (CNI)
• In the UK, CNI has been defined as “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends”.
• With many CNI industries privatised, how can government be assured that the CNI operators are appropriately securing their systems from vulnerabilities and from threats that may be motivated to exploit them?
• Another way to look at this: how can government regulate the CNI operators to better incentivise them to be information/cyber secure?

Electricity Delivery
• Electricity delivery is critical to any nation, its government and its citizens.
• A loss of electricity delivery impacts far beyond the CNI operators responsible for providing the service.
• Therefore, the key components of electricity delivery are considered CNI.
• Electricity delivery is made up of a number of components:
  – Generation
  – Transmission
  – Distribution
  – End points (industrial, business and residential consumers)

Electricity Scope – Transmission
• This picture shows the different components of electricity delivery. [Figure: components of electricity delivery, Transmission highlighted in dark blue shading]
• The example of CNI being used in the SECONOMICS project is Electricity Transmission (dark blue shading).

Electricity Transmission Operators – National Grid
• Many nations within the EU have large private organisations that own and operate the Electricity Transmission networks in those countries, e.g.:
  – Belgium: Elia System Operator SA
  – France: Réseau de Transport d'Electricité (RTE)
  – Germany: 50Hertz Transmission GmbH, Amprion GmbH, TenneT TSO GmbH, TransnetBW GmbH
  – United Kingdom: National Grid
• National Grid partnered with the SECONOMICS project to provide its expertise in Electricity Transmission from a CNI and security perspective.

Regulation: UK
• National Grid operates in both the UK and the US and must adhere to a variety of different security regulations in those jurisdictions.
• In the UK:
  – National Grid is regulated by the Department of Energy & Climate Change (DECC) and has to uphold the following high-level principle: ‘It shall be the duty of the holder of a licence authorising him to transmit electricity to develop and maintain an efficient, coordinated and economical system of electricity transmission…’.
  – There are no specific requirements or standards on cyber security, but it can be argued that without the commensurate level of security controls in place it would be difficult to maintain an ‘efficient, co-ordinated or economical system’.
  – The Centre for the Protection of National Infrastructure (CPNI), a government agency, provides advice and guidance to industry, specifically to those that operate CNI.

Regulation: US
• In the US, National Grid has to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards around cyber security.
• There are 171 mandatory requirements within the CIP standards.
• Compliance with NERC CIP:
  – To enforce the CIP standards, NERC utilises regional councils (NPCC) that conduct a full external audit every 3 years.
  – The NPCC interprets and assesses compliance against these standards using Compliance Application Notices (CANs).
  – Sometimes their interpretation is disproportionate to the original aim of the requirement (security control).

Regulation: Risk vs. Rules
• We have summarised these different regulatory systems in the following diagram.
  [Diagram: UK vs. US regulation of National Grid]
  UK (Risk/Principles Based): Regulators – DECC & Ofgem; CPNI; High-Level Regulation; Guidance
  US (Rules Based): Regulators – DoE, FERC & NERC; NERC – CIP Standards; Mandatory Audits & Fines

SECONOMICS – Aim & Benefits
• Therefore, the focused aims of the CNI Workstream are:
  – To assess which type of regulatory structure (risk-based or rules-based) better incentivises CNI operators to be secure, and when each type of regulation should apply.
  – To provide evidence-based recommendations on the different regulatory systems to UK/US/European regulators and stakeholders about what type of regulation works best for CNI operators.

Assessing the Effectiveness
• There are pros and cons to both types of regulatory system (risk-based and rules-based).
• National Grid has been working with the academic partners to assess the different regulatory structures’ attributes analytically rather than anecdotally.
• To answer the key question, the project has looked at how effective each regulatory system is at ensuring that the CNI operator has the commensurate level of security.
• This has been achieved by building mathematical and game-theoretic models with the academic partners that internalise the regulatory system, the actions of the firm, shocks, vulnerabilities etc. We then validate/calibrate the models through expert opinion.

Stakeholders & Engagement
• Building these models is only the first step.
• The models need to be calibrated and validated by our key stakeholders, principally internally but also externally, to gain acceptance.
• In this way the output of the models and the general outcomes will have value and credibility amongst the key stakeholders.
• A key set of stakeholders has been established for the CNI workstream, both for providing input into the work and for those that would get value from the research outcomes and recommendations.
• A stakeholder map is presented on the next slide.

Stakeholder Map
[Diagram: stakeholder map for the CNI workstream. Groups shown: Internal NGRID UK (DR&S, Future Reqs, CNI Networks); Internal NGRID US; UK Regulators (Ofgem, DECC); UK Agencies (CPNI); National Grid External Groups (Energy CISOs, SIGs, STEG, Vendors, SCSIE, ENA); European Co-ordination Group (European Commission: DG Connect, DG Energy, DG Justice; ENTSO-E WG CSP; TNCEIP); Supranational (ENISA; Smart Grid Taskforce, in support of DG Connect; ENISA Smart Grid WG, sponsored by ENISA)]

CNI Workstream Panellists
• David Willacy – Chair of the European Network of Transmission System Operators – Electricity (ENTSO-E) Cyber Group
• Richard Beckett – UK Cabinet Office
• Representative – Centre for the Protection of National Infrastructure (CPNI)

Panel Structure
13:30 – 13:50 | Raminder Ruprai, National Grid | WP2: Critical National Infrastructure
13:50 – 14:10 | David Willacy, Chair ENTSO-E Cyber Group | Cyber Security and Critical Asset Protection
14:10 – 14:25 | All | Q&A – Plenary Discussion; initial opinion given by Richard Beckett, UK Cabinet Office
14:25 – 14:45 | CPNI | Encouraging the Oil & Natural Gas sector to secure their critical systems
14:45 – 15:00 | All | Q&A – Plenary Discussion; initial opinion given by Richard Beckett, UK Cabinet Office

Thank you