This report follows deliverable D2.3, National Grid Requirements, where the background
to National Grid’s UK Electricity Transmission network, as an example of Critical
National Infrastructure (CNI), were presented along with National Grid’s view of the
Current and Future States of electricity transmission in the UK. The different
information and cyber security regulatory structures that National Grid is subject to
were also introduced.
In this report we recap the details of those regulatory structures and motivate the key
question of Work Package 2 (WP2): Which type of regulatory structure would best
incentivise and equip CNI operators to be information and cyber secure?
We answer this question by assessing the effectiveness of the different regulatory
structures at incentivising CNI operators to be information and cyber secure. Rather than
taking a qualitative approach to assessing the effectiveness of the regulatory structures,
the report describes the analytical approaches that are being taken, by harnessing the
economic and systems models from Work Package 6 (WP6). The first modelling approach
takes a holistic view of the electricity transmission ecosystem and is referred to as the
Sustainability and Resilience model. The second approach looks in more detail at the
interactions of the CNI operator, in response to different regulatory systems being in
place and ongoing information or cyber security attacks, using a game-theoretic
approach. This model is referred to as the Agility model. This report demonstrates how
these models are being parameterised, calibrated and validated towards security
regulation in CNI, to answer the key question and objectives of WP2.
In addition, through collaboration with Work Package 4 (WP4), this report investigates
the social aspect to information and cyber security in CNI. As citizens are far less aware
of CNI that is relied upon by society, the approach taken was to look at cases where
information/cyber security issues in CNI have been noticed and discussed in wide scale
media. The specific case taken forward was the Stuxnet incident which was described,
in detail, in deliverable D2.3. A media comparative analysis on the different views
(societal and expert) of Stuxnet was performed using the methodologies described in
deliverables D4.2 and D4.3 and details are provided in this report.
These modelling approaches have been validated and calibrated by National Grid’s
Digital Risk & Security leadership team in a number of meetings. Whilst this is an
iterative process the next steps are, to build upon this validation and calibration at a
national level with the Centre for the Protection of National Infrastructure (CPNI) and at
a supranational level with the European Network of Transmission System Operators for
Electricity (ENTSO-E) Cyber Security Protection and Critical Infrastructure Protection
subgroups. The ENTSO-E also provides the forum for pan-European coordination with the
Electricity Transmission Service Operators across Europe. These different groups are the
key stakeholders for WP2 and form the CNI Stakeholder Panel.