This list will be developed and maintained over time. Please let us know if there is a useful publication/information source that we should reference.
ENA – Distributed Energy Resources – Cyber Security Connection Guidance
This guidance is the result of collaboration between BEIS, the ENA, Distributed Network Operators (DNOs) and DER operators, who have provided industry insight, shared challenges and made suggestions to improve DER cyber security connections across the industry. The guidelines have been aligned to the four objectives and fourteen principles of the NCSC Cyber Assessment Framework (CAF), which is itself intended for use by organisations responsible for services and activities that are of vital importance, such as those designated CNI.
ENA – Energy Delivery Systems (EDS) Cyber Security Procurement Language Guidance
The Procurement Language Guidance aims to support consistent and clear procurement tender development through delivering an effective approach to procurement by industry. The guidance contains a suite of procurement statements that can be incorporated into related documentation. This will enable users to effectively and consistently articulate and implement an industry baseline level of cyber security for the products and services used within their EDS.
IoT Security Foundation Guidance
The Internet of Things (IoT) is attracting increasing interest in the energy sector, both in the hands of consumers with smart energy-consuming devices and in distributed energy and extensions to established power networks and systems. The IoT Security Foundation is a not-for-profit organisation that produces free-to-access security guidance for IoT and promotes certification and the adoption of secure systems.
Please suggest other standards and guidance to be included.
NIST – Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF 1.1)
The framework focuses on using business drivers to guide cyber security activities and considering cyber security risks as part of the organisation’s risk management processes. The framework provides a common organising structure for multiple approaches to cyber security by assembling standards, guidelines, and practices that are working effectively today.
The E3CC chose this framework to underpin the periodic risk assessment of UK electricity and gas cyber security, which was last performed in 2017. We also took ideas from the C2M2 maturity work supported by the US Department of Energy.
The Weakest Link: Why Your Employees Might Be Your Biggest Cyber Risk
Cyber security is not just a technical issue. The E3CC facilitator has co-authored a book which explores the psychology of why people make the wrong security decisions and how to motivate and support them in becoming a positive asset for good cyber security. This is available on Amazon in various formats.
Please suggest additional materials.