Data Protection and Cybersecurity Certification Activities and Schemes in the Energy Sector
Abstract
1. Introduction
2. Related Work
3. Materials and Methods
4. Regulatory Context
5. Data Protection and Cybersecurity Certification Requirements
5.1. Requirements for Data Protection Certification under the GDPR
5.1.1. The Scope of Data Protection Certification
- Personal data (material scope of the GDPR);
- Technical systems—the infrastructure, such as hardware and software, used to process personal data;
- Processes and procedures related to the processing operation(s) [5].
5.1.2. Postcertification Compliance under the GDPR
5.2. Requirements for Cybersecurity Certification under the CSA
5.2.1. The Scope of Cybersecurity Certification
5.2.2. Postcertification Compliance under the CSA
6. Discussion: Impact of Data Protection and Cybersecurity Certifications in the EPES Domain
6.1. Current Certification Landscape
6.2. Application of Multiple Certification Schemes
6.3. Potential Complexity in the Constellations of Implementation Models
6.4. Cost of Updating Existing Components and Recognition of Certification beyond the EU
6.5. Building Trust in the Ecosystem
6.6. Protection of the Documents Relating to Certification
7. Recommendations
7.1. Recommendations Concerning GDPR-Focused Certification
7.1.1. Development of a Data Protection Precertification Tool
7.1.2. Encouragement of a GDPR-Inspired Standard and EPES Sector-Specific Data Protection Certification Schemes
7.1.3. Concretize Guidelines on the Certification Schemes
7.1.4. Protection of Certification Information
7.2. Recommendations Concerning CSA-Focused Certification
7.2.1. Adopt a Gradation Approach Concerning Certification of IACS Components and the Whole IACS System
7.2.2. Align New Candidate Schemes with Existing National Schemes and Make Room for Reuse of Certification
7.2.3. Identify Baseline Standards for Each Candidate Cybersecurity Certification Scheme
8. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Panagiotis, R.G.; Sarigiannidis, P.; Dalamagkas, C.; Spyridis, Y.; Lagkas, T.; Efstathopoulos, G.; Sesis, A.; Pavon, I.L.; Burgos, R.T.; Diaz, R.; et al. SDN-Based Resilient Smart Grid: The SDN-microSENSE Architecture. Digital 2021, 1, 173–187.
- European Parliament and Council of European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). 2016. Available online: https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed on 10 February 2022).
- European Parliament and Council of European Union. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No 526/2013 (Cybersecurity Act). 2019. Available online: https://eur-lex.europa.eu/eli/reg/2019/881/oj (accessed on 10 February 2022).
- European Data Protection Board. EDPB Document on the Procedure for the Approval of Certification Criteria by the EDPB Resulting in a Common Certification, the European Data Protection Seal. 2020. Available online: https://edpb.europa.eu/sites/default/files/files/file1/edpbprocedureforeudataprotectionseal_postplencheck_en.pdf (accessed on 10 February 2022).
- European Data Protection Board. Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the Regulation—Version Adopted after Public Consultation. 2018. Available online: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12018-certification-and-identifying_en (accessed on 10 February 2022).
- Radoglou-Grammatikis, P.; Sarigiannidis, P.; Iturbe, E.; Rios, E.; Martinez, S.; Sarigiannidis, A.; Eftathopoulos, G.; Spyridis, Y.; Sesis, A.; Vakakis, N.; et al. SPEAR SIEM: A Security Information and Event Management system for the Smart Grid. Comput. Netw. 2021, 193, 108008.
- Radoglou-Grammatikis, P.I.; Sarigiannidis, P.G. Securing the smart grid: A comprehensive compilation of intrusion detection and prevention systems. IEEE Access 2019, 7, 46595–46620.
- Zhang, H.; Liu, B.; Wu, H. Smart grid cyber-physical attack and defense: A review. IEEE Access 2021, 9, 29641–29659.
- Komninos, N.; Philippou, E.; Pitsillides, A. Survey in smart grid and smart home security: Issues, challenges and countermeasures. IEEE Commun. Surv. Tutor. 2014, 16, 1933–1954.
- Ghosal, A.; Conti, M. Key management systems for smart grid advanced metering infrastructure: A survey. IEEE Commun. Surv. Tutor. 2019, 21, 2831–2848.
- Kumar, P.; Lin, Y.; Bai, G.; Paverd, A.; Dong, J.S.; Martin, A. Smart grid metering networks: A survey on security, privacy and open research issues. IEEE Commun. Surv. Tutor. 2019, 21, 2886–2927.
- Fan, Z.; Kulkarni, P.; Gormus, S.; Efthymiou, C.; Kalogridis, G.; Sooriyabandara, M.; Zhu, Z.; Lambotharan, S.; Chin, W.H. Smart grid communications: Overview of research challenges, solutions, and standardization activities. IEEE Commun. Surv. Tutor. 2012, 15, 21–38.
- Tan, S.; De, D.; Song, W.Z.; Yang, J.; Das, S.K. Survey of security advances in smart grid: A data driven approach. IEEE Commun. Surv. Tutor. 2016, 19, 397–422.
- Asghar, M.R.; Dán, G.; Miorandi, D.; Chlamtac, I. Smart meter data privacy: A survey. IEEE Commun. Surv. Tutor. 2017, 19, 2820–2835.
- Moussa, B.; Debbabi, M.; Assi, C. Security assessment of time synchronization mechanisms for the smart grid. IEEE Commun. Surv. Tutor. 2016, 18, 1952–1973.
- Le, T.N.; Chin, W.L.; Chen, H.H. Standardization and security for smart grid communications based on cognitive radio technologies—A comprehensive survey. IEEE Commun. Surv. Tutor. 2016, 19, 423–445.
- ENISA. Recommendations on European Data Protection Certification. 2017. Available online: https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification (accessed on 10 February 2022).
- ENISA. Smart Grid Security Certification in Europe. 2014. Available online: https://www.enisa.europa.eu/publications/smart-grid-security-certification-in-europe (accessed on 10 February 2022).
- ENISA. ENISA Smart Grid Security Recommendations. 2012. Available online: https://www.enisa.europa.eu/publications/ENISA-smart-grid-security-recommendations (accessed on 10 February 2022).
- ENISA. Cybersecurity Certification: Candidate EUCC Scheme. 2020. Available online: https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme (accessed on 10 February 2022).
- ENISA. EUCS—Cloud Services Scheme. 2020. Available online: https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme (accessed on 10 February 2022).
- ENISA. Methodology for Sectoral Cybersecurity Assessments. 2021. Available online: https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment (accessed on 10 February 2022).
- ENISA. EU Cybersecurity: A Newly-Formed Stakeholders Group Will Work on the Cybersecurity Certification Framework. 2020. Available online: https://www.enisa.europa.eu/news/enisa-news/first-meeting-of-the-stakeholders-cybersecurity-certification-group-sccg (accessed on 10 February 2022).
- Joint Interpretation Library. Composite Product Evaluation for Smart Cards and Similar Devices. 2018. Available online: https://www.sogis.eu/documents/cc/domains/sc/JIL-Composite-product-evaluation-for-Smart-Cards-and-similar-devices-v1.5.1.pdf (accessed on 10 February 2022).
- Paul, T. Introduction to the European IACS Components Cybersecurity Certification Framework (ICCF): Feasibility Study and Initial Recommendations for the European Commission and Professional Users; Technical Guidance KJ-01-17-099-EN-N; Joint Research Centre: Ispra, Italy, 2016.
- Theron, P.; Lazari, A. The IACS Cybersecurity Certification Framework (ICCF). Lessons from the 2017 Study of the State of the Art; Technical Report KJ-NA-29237-EN-N; Joint Research Centre: Luxembourg, 2018.
- Paul, T.; Francisco, R.G.J.; Tony, B.; Jean-Michel, B.; Roberto, C.; Luis, F.; Matthew, F.; Sergio, G.; Janusz, G.; Tiziano, I.; et al. Proposals from the ERNCIP Thematic Group, “Case Studies for the Cyber-Security of Industrial Automation and Control Systems”, for a European IACS Components Cyber-Security Compliance and Certification Scheme. 2020. Available online: https://erncip-project.jrc.ec.europa.eu/documents/proposals-erncip-thematic-group-case-studies-cyber-security-industrial-automation-and-0 (accessed on 10 February 2022).
- Hutchinson, T.; Duncan, N. Defining and describing what we do: Doctrinal legal research. Deakin L. Rev. 2012, 17, 83.
- European Parliament and Council of European Union. Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 Setting out the Requirements for Accreditation and Market Surveillance Relating to the Marketing of Products and Repealing Regulation (EEC) No 339/93. 2008. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32008R0765 (accessed on 10 February 2022).
- European Parliament and Council of European Union. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union. 2016. Available online: https://eur-lex.europa.eu/eli/dir/2016/1148/oj (accessed on 10 February 2022).
- European Parliament and Council of European Union. Proposal for a Directive of the European Parliament and of the Council on Measures for a High Common Level of Cybersecurity across the Union, Repealing Directive (EU) 2016/1148. 2020. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2020%3A823%3AFIN (accessed on 10 February 2022).
- European Commission. New Legislative Framework. Available online: https://ec.europa.eu/growth/single-market/goods/new-legislative-framework_en (accessed on 10 February 2022).
- European Parliament and Council of European Union. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC. 2014. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (accessed on 10 February 2022).
- European Parliament and Council of European Union. Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the Harmonisation of the Laws of the Member States Relating to the Making Available on the Market of Radio Equipment and Repealing Directive 1999/5/EC. 2014. Available online: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32014L0053 (accessed on 10 February 2022).
- European Parliament and Council of European Union. Commission Delegated Regulation (EU)…/…Supplementing Directive 2014/53/EU of the European Parliament and of the Council with Regard to the Application of the Essential Requirements Referred to in Article 3(3), Points (d), (e) and (f), of that Directive C/2021/7672 Final. 2021. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=PI_COM%3AC%282021%297672&qid=1638116539090 (accessed on 10 February 2022).
- European Parliament and Council of European Union. Proposal for a Directive of the European Parliament and of the Council on the Resilience of Critical Entities COM/2020/829 Final. 2020. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2020:829:FIN (accessed on 10 February 2022).
- Volkwyn, C. Europe: First Harmonised Approach for Security Certification of Smart Meters Has Been Formally Certified. 2019. Available online: https://www.smart-energy.com/industry-sectors/smart-meters/europe-first-harmonised-approach-for-security-certification-of-smart-meters-has-been-formally-certified/ (accessed on 10 February 2022).
- Commission Nationale de l'Informatique et des Libertés. CNIL Certification Scheme of DPO Skills and Knowledge. 2019. Available online: https://www.cnil.fr/sites/default/files/atoms/files/cnil_certification-scheme-dpo-skills-and-knowledge.pdf (accessed on 10 February 2022).
- European Parliament and Council of European Union. Joint Communication to the European Parliament and the Council the EU’s Cybersecurity Strategy for the Digital Decade JOIN/2020/18 Final. 2020. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=JOIN:2020:18:FIN (accessed on 10 February 2022).
- European Parliament. The NIS2 Directive: A High Common Level of Cybersecurity in the EU. 2021. Available online: https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf (accessed on 10 February 2022).
- Matheu, S.N.; Hernández-Ramos, J.L.; Skarmeta, A.F.; Baldini, G. A survey of cybersecurity certification for the Internet of Things. ACM Comput. Surv. (CSUR) 2020, 53, 1–36.
- Finster, S.; Baumgart, I. Privacy-aware smart metering: A survey. IEEE Commun. Surv. Tutor. 2015, 17, 1088–1101.
- Commission Nationale pour la Protection des Données. GDPR-Certified Assurance Report Based Processing Activities Certification Criteria V1.0. 2018. Available online: https://cnpd.public.lu/dam-assets/fr/professionnels/certification/GDPR-CARPA-Criteria-for-certification-v10.pdf (accessed on 10 February 2022).
- UK Information Commissioner’s Office. ADISA ICT Asset Recovery Certification 8.0. 2021. Available online: https://ico.org.uk/for-organisations/adisa-ict-asset-recovery-certification-80 (accessed on 10 February 2022).
- UK Information Commissioner’s Office. Age Check Certification Scheme (ACCS). 2021. Available online: https://ico.org.uk/for-organisations/age-check-certification-scheme-accs/ (accessed on 10 February 2022).
- UK Information Commissioner’s Office. Age Appropriate Design Certification Scheme (AADCS). 2021. Available online: https://ico.org.uk/for-organisations/age-appropriate-design-certification-scheme-aadcs/ (accessed on 10 February 2022).
- ENISA. Standardisation in Support of the Cybersecurity Certification. 2020. Available online: https://www.enisa.europa.eu/publications/recommendations-for-european-standardisation-in-relation-to-csa-i (accessed on 10 February 2022).
- ENISA. Certification Schemes and CABs—FAQ. 2021. Available online: https://www.enisa.europa.eu/topics/standards/certification/certification-schemes-and-cabs (accessed on 10 February 2022).
- ENISA. Securing EU’s Vision on 5G: Cybersecurity Certification. 2021. Available online: https://www.enisa.europa.eu/news/enisa-news/securing_eu_vision_on_5g_cybersecurity_certification (accessed on 10 February 2022).
- König, L.; Korobeinikova, Y.; Tjoa, S.; Kieseberg, P. Comparing blockchain standards and recommendations. Future Internet 2020, 12, 222.
- Theron, P.; Bologna, S. Case Studies for the Cyber-Security of Industrial Automation and Control Systems. 2014. Available online: https://erncip-project.jrc.ec.europa.eu/sites/default/files/2015_1441_src_en_pth-erncip-iacsreport-201411-at-accepted_pth2-op.pdf (accessed on 10 February 2022).
Scheme Nature | ICT Products | ICT Services | ICT Processes
---|---|---|---
Horizontal scheme | Lightweight evaluation methodology | - | Security lifecycle, security by design (incl. patch management)
Horizontal scheme | Full evaluation of IT products | - | ISMS
Horizontal scheme | Protection profiles evaluation | - | Supply chain security: vendor security assessments
Horizontal scheme | Cryptographic evaluation | - | Secure software development (DevOps, Agile, waterfall products)
Horizontal scheme | Industrial components / critical infrastructure | - | -
Horizontal scheme | Composed systems evaluation | - | -
Technological scheme | 5G network components | Security incident detection services | Network Equipment Security Assurance Scheme (NESAS) (vendor process security)
Technological scheme | NESAS products | Security incident response services | -
Technological scheme | 5G customer equipment | Security design services | Cryptographic module / algorithm validation scheme
Technological scheme | IoT (customer schemes and industrial scheme per sector for appliances, CCTV) | Security managed services | -
Technological scheme | eIDAS | Security audit services | -
Technological scheme | AI | eIDAS qualified trust services | -
Technological scheme | Blockchain | IoT services | -
Technological scheme | Consumer mobile device security evaluation | End-to-end evaluation related to end-user systems and services | -
Technological scheme | - | 5G virtualisation services | -
Sectoral scheme | Industrial and automation control systems (and components) | Telco services supporting critical infrastructure | Road vehicle processes
Sectoral scheme | Road vehicle (transport: critical infrastructure) | - | -
Sectoral scheme | Railway system (transport: critical infrastructure) | - | -
Sectoral scheme | Aerial and aviation systems (incl. drones) (transport: critical infrastructure) | - | -
Sectoral scheme | Medical devices | - | -
Sectoral scheme | Physical protection and fire protection installations | - | -
Sectoral scheme | Smart meters | - | -
Sectoral scheme | V2X communications | - | -
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Nwankwo, I.; Stauch, M.; Radoglou-Grammatikis, P.; Sarigiannidis, P.; Lazaridis, G.; Drosou, A.; Tzovaras, D. Data Protection and Cybersecurity Certification Activities and Schemes in the Energy Sector. Electronics 2022, 11, 965. https://doi.org/10.3390/electronics11060965