Short description of the Public Consultation: As laid down by the Art. 56 of Regulation (EU) 2019/943, EU DSO ENTITY is entitled to conduct a public consultation. We’re inviting feedback on the Procurement Recommendations on Gateways used for Substation Automation set-up for providing recommendations that the entities under the NCCS scope may use as a basis for the procurement of gateways or remote terminal units (RTUs). Your input will help define a practical approach to the supply chain procurement process for gateways or remote terminal units used for substation automation in high-voltage electricity grids. By participating, you contribute to making our networks secure and more resilient.
The public consultation can be accessed here (ENTSO–E website).
Background information: Under Article 35 of the Network Code for Cybersecurity (NCCS), the European Network of Transmission System Operators for Electricity (ENTSO-E), in cooperation with the EU DSO entity (DSO Entity), has developed a proposal for the Procurement Recommendation for Substation Gateways.
This Methodology contains non-binding cybersecurity requirements that entities in the scope of the NCCS can use for the procurement of high-voltage substation gateways.
The document follows the rules of IEC 62443-1-5 for security profiles. It includes a description of the substation gateways and their operational environment. The document identifies the information assets that are relevant to the substation gateways and the threats to those assets that are considered under the scope of the NCCS. From the identified threats to the assets, a set of security objectives is derived. These objectives follow the ISO 27002 controls. This link is intended to support entities when linking these security requirements to their own ISMS. From the objectives, a set of technical requirements for the product are given following two standards: IEC 62442-4-1 and IEC 62443-4-2.
The first of these documents sets the recommendation for substation gateways and it is accompanied by its supporting document and the ANNEX, which contain both technical security requirements for the gateway and requirements for secure software development.
The recommendations provide a cybersecurity profile that the entities can use to procure substation gateways and RTUs. The profile sets several requirements that have been selected based on a threat analysis that identified common threats to a substation automation system. The requirements are meant to be used as cybersecurity specifications when entities procure new substation gateways.
In general, these documents – which are based on a selected series of standards – aim to identify the minimal security requirements for a family of products used in the electrical sector and therefore to ensure a higher level of resilience and security for the products and services’ procurement.
Next steps: The comments and feedback received during the public consultation will be analysed following the end of the public consultation, and a workshop will be held on November 12 from 2:00 pm to 3:00 pm to explain the methodology to stakeholders.
Results will be published after the approval of the proposal from the Competent Authorities.
Supporting documents
1. Substation automation recommendation (TCM)