Download - Cybersecurity Benchmark - CEER
Council of European Energy Regulators asbl Cours Saint-Michel 30a, Box F – 1040 Brussels, Belgium Arrondissement judiciaire de Bruxelles – RPM 0861.035.445
Cybersecurity Benchmark
Cybersecurity Work Stream
Ref: C19-CS-56-03 18 December 2019
INFORMATION PAGE
Abstract
This document (C19-CS-56-03) provides an overview of the cybersecurity landscape in the CEER Member countries represented in the CEER Cybersecurity Work Stream (CS WS) for the year 2018*.
The table highlights the main jurisdictional aspects, as well as the status of cybersecurity in each national energy sector.
Target Audience
European Commission, energy suppliers, traders, gas/electricity customers, gas/electricity industry, consumer representative groups, network operators, Member States, academics, national regulatory authorities (NRAs) and other interested parties.
Keywords
Cybersecurity, Benchmark.
* Disclaimer: Information contained in the following benchmark table is valid upon the date provided (unless otherwise specified), any further developments are not noted here. Not all CEER Members are represented in the CS WS.
If you have any queries relating to this paper, please contact: CEER Secretariat, Tel. +32 (0)2 788 73 30, Email: [email protected]
Table 1 – CEER Cybersecurity Benchmark 2018
Legend: ✓– Yes; X – No; - – No answer provided; n.a. – NRA prefers not to / NRA cannot provide this information now / information not available due to confidentiality reasons; i.p. – in progress
Disclaimer: Information contained in the grey column of the benchmark table is valid upon the date provided (2018) and any further developments are not submitted.
National Level

1. Planning: In which year was the last national strategy on security of network and information systems approved?
Austria: 2013 (update of strategy in preparation)
Czech Republic: 2015 [1]
Denmark: 2018
France: 2015 [2]
Germany: 2016
Greece: 2018
Hungary: 2013 National Cyber Security Strategy; 2018 Strategy for the security of network and information systems [3]
Ireland: The National cyber Security Strategy 2019-2024 is currently under development
Italy: 2017
Lithuania: 2018 [4]
Luxembourg: 2018
Netherlands: 2015
Norway: 2019
Portugal: 2015
Slovenia: 2016
Spain: National Cybersecurity Strategy 2019

[1] Next strategy on security of network and information is going to be approved in 2020.
[2] Reinforced by cyber defence strategic review of 2018 http://www.sgdsn.gouv.fr/evenement/revue-strategique-de-cyberdefense/
[3] https://hirlevel.egov.hu/2019/01/13/magyarorszag-halozati-es-informacios-rendszerek-biztonsagara-vonatkozo-strategiaja/
[4] Strategy was approved by Government resolution: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/94365031a53411e8aa33fe8f0fea665f/asr
2. Planning: What is the current status of the implementation of the Directive on Security of Network and Information Systems (NIS)? (In terms of existing or future national laws)
Austria: Implemented by law in December 2018 and by-law in July 2019
Czech Republic: Fully implemented into Czech law by The Act No 181/2014 Coll. on Cyber Security.
Denmark: Fully implemented into Danish law
France: Transposed by law #2018-133 of 26 February 2018 and decree #2018-384 of 23 May 2018
Germany: National cybersecurity law referring to NIS-Directive needs already decided upon and implemented
Greece: NIS transported by national decree #3218 of 7 July 2018
Hungary: Fully implemented in Hungarian legislative, first revision to be drafted 2020
Ireland: The NIS Directive has been transposed into Irish Law under S.I. 360, 2018
Italy: Transposed into national legislation (law-decree 65/2018)
Lithuania: The NIS Directive was implemented in 2018, but sub statutory legal implementation continues in 2019 [5]
Luxembourg: Transposed into national law on May 28 2019
Netherlands: The NIS was implemented 17 October 2018 and the laws were in force 9 November 2018
Norway: Draft law implementing the directive was submitted for consultation in December 2018
Portugal: National cyber security law referring to NIS-Directive is being prepared (a draft exists)
Slovenia: National Information Security law
Spain: NIS Directive transposed by Royal Decree-Law 12/2018, on the security of networks and information systems

[5] Main document, in which NIS Directive was transposed is the Cyber Security Law.
3. Governance: Are there any dedicated laws for different subsectors of the energy market? (Specific references on electricity, gas, oil, RES, if they exist.)
Austria: No sector specific laws, but sector specific risk analysis and CERT
Czech Republic: X
Denmark: ✓
France: -
Germany: -
Greece: (EU) Regulation No 994/2010 Security of supply of natural gas [6]
Hungary: Electricity sector ES - NIS directive integrated into CIP; Derivative energy markets – information security [7] legislative (Cobit based) [8]
Ireland: The S.I. 360 (2018) covers all sectors.
Italy: X
Lithuania: n.a.
Luxembourg: X
Netherlands: Yes, there is an Electricity law, Gas law
Norway: -
Portugal: -
Slovenia: X
Spain: There is only a general law Royal Decree-Law 12/2018, on the security of networks and information systems [9]

[6] Council Directive 2004/67/EC (3) Pres. Decree 39/2011 (adjustment of EU Directive EC 2008/114) regarding the definition of European Critical Infrastructure Protection, currently in force – general, not energy specific
[7] https://net.jogtar.hu/jogszabaly?docid=a1300360.kor
[8] https://net.jogtar.hu/jogszabaly?docid=a1500042.kor
[9] A Draft Royal Decree implementing Royal Decree 12/2018, of September 7, on the security of networks and information systems is under way.
4. Governance: How many and which are the national competent authorities on security of network and information systems designated in your country? (references to any specific tasks).
Austria: Federal Chancellery (strategic tasks) and Ministry of Internal Affairs (operational tasks)
Czech Republic: More than one
Denmark: More than one
France: One
Germany: More than one
Greece: More than one, not energy specific
Hungary: Institute for Cyber Defence [10]
Ireland: The National Cyber Security Centre is the designated authority
Italy: More than one. For energy and telecom, Ministry of Economic Development.
Lithuania: More than one (3 main institutions: 1. National Cyber Security Centre 2. State data protection inspectorate 3. Police department) [11]
Luxembourg: "Institut Luxembourgeois de Régulation" and "Commission de Surveillance du Secteur Financier"
Netherlands: More than one
Norway: More than one
Portugal: National Cyber Security Centre
Slovenia: More than one
Spain: Article 9. (Royal Decree-Law 12/2018, on the security of networks and information systems) [12]

[10] https://nki.gov.hu/
[11] Article: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/f6958c2085dd11e495dc9901227533ee/asr
[12] The following are competent authorities for the security of networks and information systems:
(a) For essential service operators:
- In the event that they are also designated as critical operators in accordance with Law 8/2011 of 28 April and their implementing regulations, irrespective of the strategic sector in which such designation is made: the Secretariat of State for Security, the Ministry of the Interior, through the National Center for the Protection of Infrastructure and Cybersecurity (CNPIC).
- In the event that they are not critical operators: the relevant sectoral authority on account of the subject matter, as determined by regulation.
(b) For digital service providers: the Secretary of State for Digital Advancement, Ministry of Economy and Business.
(c) For operators of essential services and digital service providers who are not critical operators falling within the scope of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector: the Ministry of Defense, through the National Cryptological Center.
The National Security Council, through its specialized committee on cybersecurity, shall establish the necessary mechanisms for the coordination of the actions of the competent authorities.
5. Governance: Is there an entity which serves as the national single point of contact appointed? If yes, which is the designated Authority?
Austria: Ministry of Internal Affairs (receives information about incidents by CERT)
Czech Republic: National Cyber and Information Security Agency (NÚKIB)
Denmark: Center for Cybersikkerhed CFCS
France: ANSSI
Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI)
Greece: n.a.
Hungary: Institute for Cyber Defence [13]
Ireland: The CSIRT which is part of the NCSC is the single point of contact for reporting NIS incidents. [14]
Italy: National Security Agency
Lithuania: National Cyber Security Centre [15]
Luxembourg: Institut Luxembourgeois de Régulation
Netherlands: Minister van Veiligheid en Justitie (draft)
Norway: n.a.
Portugal: National Cyber Security Centre
Slovenia: SI-CERT
Spain: Yes. National Center for Infrastructure Protection and Cybersecurity (CNPIC)

[13] https://nki.gov.hu/
[14] There is a NIS Compliance team within the NCSC. While the Compliance Team and the CSIRT are both within the NCSC, they are separate teams.
[15] Article 8: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/f6958c2085dd11e495dc9901227533ee/asr
6. Awareness: Is a periodic status report on the state of cyber-security/IT-security published by the CERT/CSIRT or a national agency?
Austria: ✓
Czech Republic: ✓
Denmark: Yes, Semi-yearly report by CFCS
France: ✓
Germany: ✓
Greece: X
Hungary: ✓
Ireland: The CSIRT report a weekly report and a quarterly Threat Intel Landscape report
Italy: ✓
Lithuania: ✓ [16]
Luxembourg: ✓
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: ✓
Spain: ANNUAL REPORT CCN-CERT - CIBERSECURITY (report 2018)

7. Governance: Is a list of criteria to define Operators of Essential Services currently available?
Austria: Yes, published in a by-law in July 2019
Czech Republic: ✓ [17]
Denmark: ✓
France: (cf. article 2 of decree #2018-384 of 23 May 2018)
Germany: ✓
Greece: ✓
Hungary: ✓
Ireland: Criteria are defined but not published
Italy: List of OESs exists but is not public (State secret)
Lithuania: ✓ [18]
Luxembourg: Criteria are defined but not public.
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: Decree determining essential services and the methodology for determining OESs
Spain: Relationship of essential services and number of Operators of Essential Services

[16] Last one was published in 2019: https://www.nksc.lt/doc/NKSC_ataskaita_2018.pdf
[17] The Decree No 437/2017 Coll. on the criteria for the determination of an operator of essential service.
[18] List of criteria is publicly available (in methodology): https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/94365031a53411e8aa33fe8f0fea665f/asr
8. Awareness: Are there specific university educational programs, or any other educational tracks / cyber exercises in your country and by which academic institutions are organised/conducted?
Austria: ✓
Czech Republic: ✓
Denmark: X
France: ✓
Germany: ✓
Greece: MSc in Cybersecurity (International Hellenic University); MSc Specialisation in Cybersecurity (University of Western Attica) [19]
Hungary: ✓
Ireland: n.a.
Italy: ARERA is not involved in any educational programs
Lithuania: ✓ [20]
Luxembourg: ✓
Netherlands: X
Norway: ✓
Portugal: ✓
Slovenia: ✓
Spain: n.a.

[19] To be operating in academic year 2020-2021.
[20] Kaunas University of Technology (KTU), Vilnius University (VU), Vilnius Gediminas Technical University (VGTU), Mykolas Romeris University MRU (only CS management level).
9. Control: Is a certification according to any of the ISO/IEC 27000 series standards available?
Austria: ✓
Czech Republic: ✓
Denmark: ✓
France: X
Germany: ✓
Greece: X
Hungary: ✓
Ireland: The National Standards Authority of Ireland (NSAI) offer ISO 27000 certification
Italy: ✓
Lithuania: ✓
Luxembourg: ✓
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: ✓
Spain: 13/10/16 Resolution, Secretary of State for Public Administrations, approving the Technical Security Instruction

Energy Sector Level

10. Planning: Are Operators of Essential Services in the energy sector identified?
Austria: In principle decided, operators receive formal information in October 2019
Czech Republic: ✓
Denmark: ✓
France: ✓
Germany: ✓
Greece: i.p.
Hungary: ✓
Ireland: ✓
Italy: ✓
Lithuania: ✓ [21]
Luxembourg: Based upon predefined criteria, the identification of OES is ongoing.
Netherlands: ✓
Norway: X
Portugal: ✓
Slovenia: X
Spain: ✓ [22]

[21] Critical infrastructure sectors (and Authorities/owners), including energy sector, are listed in appendix of critical infrastructure identification methodology: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/e16e7761fc4b11e89b04a534c5aaf5ce?jfwid=q8i88m9wc. Detail list of critical infrastructure and owners is classified (restricted) information.
[22] Recognised, by National Center for Infrastructure Protection and Cybersecurity (CNPIC).
11. Assessment: How many Operators of Essential Services in the energy sector do you expect to be defined in your country?
Answers in column order (Austria, Czech Republic, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain):
Approximately 50 (36 electricity, 7 gas, plus oil)
Approximately 15
Based on metrics 20 information may not be accurate 100 Information may not be accurate
n.a.
Around 10
Currently there are 10 defined
Around 50
n.a.
Based upon predefined criteria, the identification of OES is ongoing.
10 entities, 17 designations (7 DSOs do both gas and electricity). [23]
n.a.
12
n.a.
Essential service operators are 132, but we do not know the distribution by sector

[23] The change from 11 to 10 is because of 1 DSO was bought by another.
12. Information Sharing and Emergency Response: Are Operators of Essential Services in the energy sector obliged to report critical security of network and information systems incidents? If yes, to whom?
Austria: NRA-Energy-Control Austria and Ministry of Interior as SPoC
Czech Republic: ✓ They are obliged to report to gov CERT
Denmark: Energinet (Danish TSO) and Center for Cybersikkerhed through a website
France: ANSSI
Germany: To BSI, and the BSI has to inform the NRA
Greece: National CERT optional
Hungary: Institute for Cyber Defence [24]
Ireland: Within the NCSC the CSIRT is the single point of contact for reporting NIS incidents. [25]
Italy: ✓
Lithuania: National Cyber Security Centre
Luxembourg: Institut Luxembourgeois de Régulation
Netherlands: ✓
Norway: The Norwegian Water Resources and Energy Directorate
Portugal: National Cyber Security Centre
Slovenia: SI-CERT
Spain: Yes, they should report to the CCN-CERT (Art. 19 Royal-decree law)

[24] https://nki.gov.hu/
[25] Upon receipt of a NIS incident notification, the CSIRT will notify the NIS Compliance team. While the Compliance Team and the CSIRT are both within the NCSC, they are separate teams.
13. Planning: Are Digital Service Providers in the energy sector identified?
Austria: n.a.
Czech Republic: X
Denmark: X
France: X
Germany: X
Greece: i.p.
Hungary: X [26]
Ireland: X [27]
Italy: n.a.
Lithuania: n.a.
Luxembourg: n.a.
Netherlands: X
Norway: n.a.
Portugal: X
Slovenia: Exclusively critical Infrastructure Providers
Spain: n.a.

14. Planning: Does a dedicated strategy on security of network and information systems for the energy sector (or only for electricity or gas subsectors) exist?
Austria: National strategy with energy as subsector included
Czech Republic: X
Denmark: ✓
France: X
Germany: ✓
Greece: (EU) Regulation No 994/2010 Security of supply of natural gas [28]
Hungary: ✓
Ireland: The National Cyber Security Strategy was published in 2015. [29]
Italy: X
Lithuania: The National Cyber Security Strategy (NCSS) (published in 2018). [30]
Luxembourg: X
Netherlands: X
Norway: X
Portugal: -
Slovenia: X
Spain: National Energy Security Strategy

[26] Digital service providers effecting energy sectors (cross-sectorial effects) are identified
[27] Within the NIS directive a ‘digital service’ is defined as: An online marketplace - An online search engine - A Cloud computing service.
[28] Council Directive 2004/67/EC (3) established a legal framework at Community level to safeguard security of gas supply in the case of supply disruptions.
[29] This is a cross-sectoral strategy which encompasses energy, finance, telcos, etc. Strategy for 2019-2024 will be published soon and will also be cross-sectoral.
[30] In 2019 was published inter-institutional action plan, which covers several sectors, including energy. NCSS: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/94365031a53411e8aa33fe8f0fea665f/asr Plan: https://eseimas.lrs.lt/portal/legalAct/lt/TAD/faeb5eb4a6c811e9aab6d8dd69c6da66?jfwid=dg8d31595
15. Assessment: Has an energy sector-wide security of network and information systems risk assessment been performed at national level?
Austria: Yes, performed in a Public Private Dialogue (PPD) process
Czech Republic: X
Denmark: ✓
France: ✓
Germany: ✓
Greece: ✓
Hungary: A risk assessment was conducted in 2019 by the NRA regarding NIS directive
Ireland: A risk assessment was conducted in 2014 across relevant stakeholders
Italy: There is a private forum discussing it
Lithuania: n.a.
Luxembourg: X
Netherlands: X
Norway: ✓
Portugal: X
Slovenia: X
Spain: n.a.
16. Assessment: If such a risk assessment was made, does it include assessment of dependencies from surrounding countries, or any scenario which may derive from the existing market rules which would involve Member States, other than yours?
Austria: Indirectly yes because IT-companies are involved
Czech Republic: n.a.
Denmark: X
France: X
Germany: n.a.
Greece: Regulation (EU) No 994/2010, Provisions aimed at safeguarding the security of gas supply [31]
Hungary: Yes. Risk assessment encompasses dependencies with EnC CPs (Serbia, Ukraine)
Ireland: Yes. Risk assessment encompasses dependencies with Great Britain.
Italy: n.a.
Lithuania: n.a.
Luxembourg: n.a.
Netherlands: -
Norway: X
Portugal: -
Slovenia: n.a.
Spain: n.a.

[31] Designation of the "Competent Authority" by each Member State to be responsible for ensuring the implementation of the measures set out in this Regulation. RAE has been designated as the Competent Authority (article 12 L.4001/2011, FEK Α’ 179, 22.08.2011). Elaboration of Risk Assessment, Establishment of a Preventive Action Plan and an Emergency Plan, and the regular monitoring of security of gas supply at national level.
17. Governance: Does the national regulatory authority have dedicated and trained executive officers, with expertise in security of network and information systems (any foresight for that)?
Austria: but limited resources
Czech Republic: ✓
Denmark: ✓
France: X
Germany: X
Greece: i.p.
Hungary: ✓
Ireland: ✓
Italy: X
Lithuania: X
Luxembourg: ✓
Netherlands: It is part of the NIS implementation
Norway: ✓
Portugal: ✓
Slovenia: X
Spain: X
18. Information Sharing and Emergency Response: Does a dedicated sector-specific energy CERT/CSIRT or Essential Services CERT covering the energy sector exist?
Austria: ✓
Czech Republic: Covered by govCERT
Denmark: X
France: Covered by CERT-FR
Germany: ✓
Greece: X
Hungary: The national CSIRT covers all sectors
Ireland: The national CSIRT covers all sectors
Italy: X
Lithuania: Covered by National Cyber Security Centre: CERT.lt [32]
Luxembourg: Covered by national CSIRT network
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: X
Spain: ✓ [33]

[32] https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory/certs-by-country-interactive-map#country=Lithuania
[33] Article 11. Reference computer security incident response teams. (Royal Decree-Law 12/2018, on the security of networks and information systems) These are reference computer security incident response teams (CSIRTs) for network and information system security, as follows:
(a) With regard to relations with essential service operators:
- The CCN-CERT, of the National Cryptological Center, which corresponds to the reference community constituted by the entities of the subjective scope of application of Law 40/2015, of October 1.
- INCIBE-CERT, of the National Institute of Cybersecurity of Spain, which is the responsibility of the reference community constituted by those entities not included in the subjective scope of application of Law 40/2015, of October 1.
INCIBE-CERT will be jointly operated by INCIBE and National Center for Infrastructure Protection and Cybersecurity in all matters relating to the management of incidents affecting critical operators.
19. Governance: Is your regulatory authority in charge of any duty in relationship to the role of CSIRT/CERT in the scope of the energy sector?
Austria: ✓
Czech Republic: ✓
Denmark: n.a.
France: X
Germany: ✓
Greece: X
Hungary: E-ISAC.HU, NRA is in charge
Ireland: n.a.
Italy: X
Lithuania: X
Luxembourg: ✓
Netherlands: X
Norway: X
Portugal: X
Slovenia: X
Spain: National Center for Infrastructure Protection and Cybersecurity is in charge
20. Information Sharing and Emergency Response: Are national regulatory authorities informed in a timely manner about network security and information systems incidents through an institutional, even maybe an automated, mechanism?
Austria: ✓
Czech Republic: ✓
Denmark: ✓
France: X
Germany: ✓
Greece: X
Hungary: ✓
Ireland: n.a.
Italy: X
Lithuania: X
Luxembourg: ✓
Netherlands: n.a.
Norway: X
Portugal: ✓
Slovenia: X
Spain: ✓
21. Awareness: Have any security of network and information systems exercises been performed by the regulated energy companies? If yes, are there any OESs as participants and who.
Austria: ✓
Czech Republic: ✓
Denmark: X
France: ✓
Germany: ✓
Greece: TSOs - DSOs - GRID Operators
Hungary: ✓
Ireland: n.a.
Italy: main grid operators
Lithuania: n.a.
Luxembourg: n.a.
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: X
Spain: n.a.
22. Governance: Have the regulated energy companies – by requirement or not – implemented baseline security of network and information systems standards?
Austria: Sector specific security standards are in preparation by the sector, to be finished till end of 2019
Czech Republic: ✓
Denmark: X
France: ✓
Germany: ✓
Greece: ✓
Hungary: main grid operators
Ireland: n.a.
Italy: main grid operators
Lithuania: n.a.
Luxembourg: ✓
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: ✓
Spain: n.a.

23. Control: Has security of network and information systems been included in the audit plans of regulated energy companies (i.e. security audits)?
Austria: Is an obliged part of NIS-Directive
Czech Republic: ✓
Denmark: ✓
France: ✓
Germany: ✓
Greece: ✓
Hungary: ✓
Ireland: The NCSC will be auditing designated energy companies; CRU may also include such audits
Italy: n.a.
Lithuania: n.a.
Luxembourg: n.a.
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: Certified stakeholders (limited scope)
Spain: n.a.
24. Governance: Does an official national emergency plan exist that engages all stakeholders from private and public sector, in case of a crisis? If yes please refer to any designated National laws.
Austria: Depending on the manner of crisis: If sector overlapping impacts then there is a state catastrophe and crisis plan (SKKM), obligation by law for the Ministry of Internal Affairs
Czech Republic: ✓
Denmark: ✓
France: ✓
Germany: ✓
Greece: Regulation (EU) No 994/2010 Concerning measures to safeguard security of gas supply [34]
Hungary: ✓
Ireland: n.a.
Italy: n.a.
Lithuania: ✓ [35]
Luxembourg: ✓
Netherlands: X
Norway: n.a.
Portugal: n.a.
Slovenia: Critical Infrastructure Act
Spain: ✓ [36]

[34] Aims at demonstrating all necessary measures are being taken to ensure continuous supply, in case of difficult climatic conditions, in the event of disruption (EU) Regulation Competent Authority RAE (article 12 L.4001/2011, FEK Α’ 179, 22.08.2011).
[35] https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/TAIS.384076/asr
[36] National Center for Infrastructure Protection and Cybersecurity (PNPIC).
25. Awareness: Are there any cyber-security awareness campaigns/forums/workshops, organised by a National Competent Authority or the Energy Regulator, engaging stakeholders of the energy sector?
Answers in column order (Austria, Czech Republic, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain):
Manifold activities, sector specific (organised by E-Control) and various platforms
Many activities, for example CyberCon (conference), cybersecurity exercise etc.
✓
in preparation
✓
Hellenic Center for Security Studies Military Cyber-Incident Response Center (Cyber Defense Directorate)
ENISA ECSM from 2016 every year
X
n.a.
in preparation
✓
✓
✓
✓
n.a.
26. Control: Does a national or private or energy sector-specific laboratory test exist to verify the security and safety of software/hardware components?
Austria: Is in preparation by the Austrian Energy CERT (AEC, is the sector specific CERT)
Czech Republic: X
Denmark: X
France: ✓
Germany: in preparation
Greece: X
Hungary: in preparation
Ireland: n.a.
Italy: n.a.
Lithuania: Planned (R&D division is established in National Cyber Security Centre; it will cover all Critical infrastructure (owners))
Luxembourg: X
Netherlands: n.a.
Norway: X
Portugal: X
Slovenia: in preparation (national)
Spain: There is no specific laboratory test for energy sector [37]

[37] National Cryptological Center acts as a certification body for Evaluation and Certification of Information Technology Security, applicable to related products and systems.
27. Information Sharing: Does a voluntary collaborative platform for companies of the energy sector and the public sector to facilitate information sharing/best practices exist?
Austria: Voluntary information of incidents is also possible to the CERT
Czech Republic: ✓
Denmark: ✓
France: ✓
Germany: ✓
Greece: Gas Coordination Group [38]
Hungary: ✓ [39]
Ireland: Informal and voluntary arrangements are in place for information sharing
Italy: ✓
Lithuania: n.a.
Luxembourg: Regular cooperation in diverse working groups
Netherlands: ✓
Norway: ✓
Portugal: ✓
Slovenia: ✓
Spain: For the public sector, National Cryptological Center shares guides and best practices [40]

[38] A platform to exchange information between MSs, the Commission, the gas industry and consumers.
[39] https://www.e-isac.hu/
[40] We don’t know if there is something similar specifically for energy sector.
28. Information Sharing: How many security incidents have been detected in the energy sector during the last 12 months?
Austria: n.a.
Czech Republic: n.a.
Denmark: information not available due to confidentiality reasons.
France: n.a.
Germany: n.a.
Greece: n.a.
Hungary: approx. 12 [41]
Ireland: n.a.
Italy: 11% of total number of attacks [42]
Lithuania: n.a.
Luxembourg: n.a.
Netherlands: n.a.
Norway: n.a.
Portugal: n.a.
Slovenia: n.a.
Spain: 722 incidents over operators of Essential Services [43]

[41] Based on www.e-isac.hu anonymized data – official information not available due to confidentiality reasons
[42] Source: Report on CS, sent to the Parliament by the National Security Agency.
[43] Data from national security annual report, but not only in the energy sector.
Annex 1 - List of abbreviations
Term Definition
AMI Advanced Metering Infrastructure
ANSSI French Network and Information Security Agency
BATs Best Available Technics
BREF Best Available Technics reference document
CAPEX Capital expenditure
CEER Council of European Energy Regulators
CERT Computer Emergency Response Team
CS WS Cybersecurity Work Stream
CSIRT Computer Security Incident Response Team
DG Energy Directorate-General for Energy
DPA Data Protection Act
DPIA Data Protection Impact Assessment
DSO Distribution System Operator
EC SG TF EG European Commission Smart Grids Task Force Expert Group
EEA European Economic Area
EECSP European Energy Cyber Security Platform
EFTA European Free Trade Association
ENISA European Union Agency for Network and Information Security
EU European Union
Europol European Union Agency for Law Enforcement Cooperation
Exploit Software or set of commands taking advantage of a bug or vulnerability to cause unintended behaviour
GDPR General Data Protection Regulation
GGP Guidelines of Good Practice
Hack To break into computers and computer networks
ICT Information and Communications Technology
ID number Identity number
IoT Internet of Things
Malware Hostile or intrusive software
MO Metering Operator
MS Member State (of the European Union)
Nation-state Political entity on a territory coinciding with its citizens
NISD Directive concerning measures for a high common level of security of Network and Information Systems across the Union
NRA National Regulatory Authority
OES Operators of Essential Services
OPEX Operational expenditure
REMIT Regulation (EU) No 1227/2011 of the European Parliament and of the Council on wholesale energy market integrity and transparency
SCADA Supervisory Control and Data Acquisition
SGO Smart Grid Operator
SO System Operator
Trojan Malicious computer program misleading users of its true intent
TSO Transmission System Operator
Wiper Malware with the aim to wipe the hard drive of the computer it infects
Worm Malicious computer program that replicates itself to spread to other computers
Annex 2 – About CEER

The Council of European Energy Regulators (CEER) is the voice of Europe's national energy regulators. CEER’s members and observers comprise 39 national energy regulatory authorities (NRAs) from across Europe.

CEER is legally established as a not-for-profit association under Belgian law, with a small Secretariat based in Brussels to assist the organisation.

CEER supports its NRA members/observers in their responsibilities, sharing experience and developing regulatory capacity and best practices. It does so by facilitating expert working group meetings, hosting workshops and events, supporting the development and publication of regulatory papers, and through an in-house Training Academy. Through CEER, European NRAs cooperate and develop common position papers, advice and forward-thinking recommendations to improve the electricity and gas markets for the benefit of consumers and businesses.

In terms of policy, CEER actively promotes an investment friendly, harmonised regulatory environment and the consistent application of existing EU legislation. A key objective of CEER is to facilitate the creation of a single, competitive, efficient and sustainable Internal Energy Market in Europe that works in the consumer interest.

Specifically, CEER deals with a range of energy regulatory issues including wholesale and retail markets; consumer issues; distribution networks; smart grids; flexibility; sustainability; and international cooperation.

CEER wishes to thank in particular the following regulatory experts for their work in preparing this report: Leontini Kaffetzaki, Roman Picard, Stefano Bracco and special thanks to Liselotte Gijzemijter.

More information is available at www.ceer.eu.