D.02.5. Evaluation tools for providers and policy paper on future and emerging threats

This report builds on the modelling validation work in Deliverable D2.4, CNI Model
validation, and presents in detail the work in the CNI case study in Year 3 of the
Within this report the four different stages of the SECONOMICS practice of exploitation
of the CNI toolkit are first defined. Following this, the 12 validation events/activities are
presented which clearly and successfully validate the CNI case study toolkit’s practice of
exploitation. These validation event attendees included the key members of the CNI
stakeholder panel, National Grid’s Digital Risk & Security leadership, the UK’s Centre for
the Protection of National Infrastructure and European Network of Transmission System
Operators for Electricity.
A key outcome of the validation activities was that the policies presented, as part of the
complete policy landscape presented, were considered applicable and relevant to the
CNI industry by the key stakeholders. In addition the terminology remains consistent to
that used within the CNI domain. However, it was identified and agreed that facilitated
interaction with experts provided a more suitable platform for communicating the key
concepts. In summary, any toolkit will be of limited use unless the academic & industry
experts behind the models are present to facilitate and provide interpretation of the
complex concepts.
The report then moves on to highlight the key policy outcomes in more detail for all the
work in the CNI case study in the third year of the project. For example:
· It was generally accepted that a CNI Operator is better placed, and thus more
effective, at mitigating security risks directly rather than through following rules
defined by a regulator.
· The effectiveness of a rules-based regulatory structure is dependent on how
informed the regulator (rules-setter) is of the security of key assets.
There are a number of significant policy insights presented which have been fed into a
number of separate policy papers focused on the CNI case study, principally the paper
titled ‘Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in
Critical Infrastructure Providers (Bulk Electricity Providers)’ which can be found in
Appendix E. Also, the CNI case study’s KPI assessment is presented in detail in Appendix

Evaluation tools for providers and policy paper on future and emerging threats