Facilitating Global Interoperability of Cyber Regulations in the Electricity Sector

SYSTEMS OF CYBER RESILIENCE: ELECTRICITY INITIATIVE
POSITION PAPER
NOVEMBER 2023

Images: Getty Images

Contents

Introduction 3
1 Current state of affairs 4
2 Importance of global regulatory interoperability 5
3 10 key themes for global regulatory interoperability 6
4 Community position on the key themes 7
Conclusion 8
Contributors 9
Annex 1: Related publications 11

Disclaimer

This document is published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.

© 2023 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Facilitating Global Interoperability of Cyber Regulations in the Electricity Sector, November 2023

Introduction

In today's interconnected world, the electricity sector stands as a cornerstone of societal functioning, powering industries, homes and critical infrastructure. As power systems go through rapid digital transformation, the critical link between cybersecurity and the energy landscape becomes increasingly evident. The need for global interoperability in cyber regulations in the electricity sector has become paramount.

This position paper from the Systems of Cyber Resilience: Electricity (SCRE) initiative aims to consolidate a cohesive stance from the electricity sector on cybersecurity. It advocates for interoperability among nations to cultivate a cybersecure, resilient and standardized approach around the world. By scrutinizing the current landscape of cyber regulations, the paper endeavours to tackle existing gaps and complexities while proposing collective positions to standardize cybersecurity practices across diverse regulatory environments. Its objective is to champion international cooperation, mutual understanding and the adoption of common standards to fortify the electricity sector against emerging cyber threats while encouraging innovation and growth.

The evolution of technology has significantly reshaped the electricity industry, ushering in smarter grids, integration of renewable energy and improved operational efficiencies. However, this evolution presents a new set of challenges, particularly in safeguarding these intricate systems from cyber threats. The increasing interdependencies among power systems across borders and the growing sophistication of cyber attacks underscore the importance of a harmonized, global approach to cybersecurity regulations in the electricity sector.

Ultimately, this position paper strives to contribute to the ongoing discourse on harmonization of regulations to nurture a secure, interoperable and resilient global electricity ecosystem, ensuring a reliable and safe energy supply for the world's population in an increasingly digitalized world.

The Systems of Cyber Resilience: Electricity Initiative

Since 2018, the World Economic Forum's Systems of Cyber Resilience: Electricity (SCRE) initiative has brought together representatives of over 60 electricity utilities, energy service providers, regulatory bodies and other pertinent organizations worldwide. Their efforts aim to achieve cooperation and fortify a cyber resilient electricity ecosystem. The SCRE stands out as the only global public-private partnership tailored for the electricity industry, where cybersecurity experts collaborate to enhance resilience across the electricity ecosystem.

"It is a great opportunity to create a collaborative environment, focused on increasing global cyber resilience, based on the sharing of information, on the development of common initiatives, on the definition of principles and the alignment around them by the main actors of our industry."
Jesús Sánchez, Head of Global Cybersecurity, Naturgy

The Global Regulations Working Group

In September 2022, the SCRE community had identified global regulatory interoperability in the electricity sector as one of its key focus areas, and had set up the Global Regulations working group towards this end.

The working group addresses the intricate global regulatory challenges prevalent throughout the electricity sector, marked by fragmentation, inconsistency and sporadic conflicts. These regulatory barriers impede the attainment of global interoperability, resulting in increased costs, inefficiencies and missed opportunities. Resources are diverted to resolve regulatory issues rather than improving cybersecurity postures specific to the sector and its various organizations.

1 Current state of affairs

Regulators and government agencies responsible for establishing cybersecurity requirements in various industries worldwide often adopt different approaches to tackle similar cybersecurity challenges due to the lack of a global consensus. This results in complex, industry-agnostic, fragmented, inconsistent and occasionally conflicting sets of regulations. These regulations not only lack mutual interoperability but actively hinder it. The dynamic nature of cybersecurity threats further compounds the problem as regulators frequently tighten regulations in response. This forces organizations to allocate their limited resources towards compliance rather than concentrating on bolstering their cybersecurity defences.

Moreover, there is a pressing concern to ensure that regulatory interoperability does not compromise national security. Nations must strike a balance between the need for a collective cybersecurity front and the need to protect their individual interests and security.

Despite the obstacles, solutions can be found. Initiatives such as working groups, international forums and collaborative agreements can play a pivotal role in promoting dialogue and establishing robust systems to monitor, evaluate and update regulatory frameworks. These mechanisms not only contribute to a more secure and resilient digital landscape but also foster innovation and growth.

Many regulators and government agencies have begun to recognize the need for regulatory harmonization and multiple efforts have been put into practice, such as the European Commission's Cyber Resilience Act (CRA) and the White House Office of the National Cyber Director (ONCD)'s request for information (RFI) on cybersecurity regulatory harmonization.

Achieving regulatory interoperability may present challenges. Differences in cybersecurity standards, legal systems and national priorities among various jurisdictions can lead to conflicts and inconsistencies, making it difficult to establish and maintain interoperability over time. One notable challenge is the issue of data privacy laws, as different countries have unique data protection regulations tailored to their cultural, economic and political landscapes. Simultaneously, several international dialogues are going on between states, such as the EU-US Cyber Dialogue, US-Japan Cyber Dialogue and France-United Kingdom Cyber Dialogue, in addition to regulatory reciprocity schemes such as the EU-US Data Privacy Framework, Singapore Cybersecurity Labelling Scheme and APEC Cross-Border Privacy Rules (CBPR) system.

A similar challenge arises in incident reporting laws. For instance, some countries mandate the reporting of all data breaches, regardless of their severity, while others have thresholds for reporting based on the number of affected individuals or the level of harm. These differences can create difficulties in incident response and information sharing, particularly in cases where a breach spans multiple jurisdictions.

Creating synergy among these diverse regulations is a complex and intricate process, especially given the rapid pace of digital innovation. This dynamic environment necessitates constant updates and revisions to ensure the regulations remain relevant and effective. While these efforts are in the right direction, they are far from achieving global interoperability and much work remains to be done by both the public and private sectors to build a more cyber resilient electricity ecosystem.

2 Importance of global regulatory interoperability

Aligning cybersecurity regulations globally ensures uniform cybersecurity practices, enabling companies operating across multiple regions to adhere to consistent standards. Harmonization reduces complexity and confusion, simplifying compliance efforts. Moreover, interoperability fosters enhanced collaboration and information sharing among various entities globally, facilitating joint efforts to combat cyber threats and exchange best practices.

A unified approach to cybersecurity regulations allows for a comprehensive understanding and management of risks, transcending different regions in the electricity industry. Standardizing regulations minimizes the complexity and costs of compliance for global corporations, eliminating the need to navigate a multitude of divergent regulations. Global interoperability also leads to more robust defence mechanisms against cyber threats by enabling standardized cybersecurity practices, bolstering overall cyber resilience.

A harmonized regulatory landscape fosters a fair playing field, encouraging innovation and the development of new cybersecurity technologies, free from varying compliance requirements. In a cyber incident with global implications, uniform regulations enable a coordinated and efficient response across multiple jurisdictions, significantly mitigating the impact of such incidents. Given the global spread of supply chains, being able to rely on shared prevention, mitigation, information sharing and incident response practices will lead to a more sustainable, cyber resilient ecosystem worldwide.

Ultimately, regulatory interoperability for cybersecurity around the world is imperative to foster a more secure digital and physical environment. It can align standards, promote collaboration, reduce costs and effectively manage and respond to cyber threats worldwide.

3 10 key themes for global regulatory interoperability

After analysing multiple regulations, the community has identified 10 key global regulatory themes for regulators to consider.

FIGURE 1: Key themes for facilitating global interoperability of cyber regulations

[Figure: the 10 key themes for facilitating global interoperability of cyber regulations, listed here because the figure image is not reproduced: Compliance and enforcement; Adoption of existing international standards; Data protection and privacy; Third-party risk management; Information sharing; Risk assessment and management; Incident response and reporting; Vulnerability disclosure and management; Internal policies and procedures for cybersecurity hygiene; Penetration testing.]

Source: SCRE Global Regulations working group.

4 Community position on the key themes

The SCRE Global Regulations working group has adopted the following positions on the 10 key global regulatory themes:

1. Compliance and enforcement: Global commitment to prioritize cybersecurity best practices over compliance. This implies a shift in mindset. Instead of merely meeting regulatory requirements, the focus is on prioritizing cybersecurity measures and protocols, sometimes beyond what is mandated. This approach emphasizes a proactive stance in ensuring a high level of cybersecurity rather than just checking the boxes to comply with regulations.

2. Data protection and privacy: Global commitment to support data protection and privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union (EU). This commitment indicates a recognition of the importance of safeguarding sensitive information. Its ambit includes data privacy, ensuring the confidentiality, integrity and availability of data while aligning with the principles of privacy by design and default.

3. Information sharing: Global commitment to create and use a common information-sharing protocol and taxonomy worldwide, and to support the respective electricity information sharing and analysis centres (ISACs). Establishing a common information-sharing protocol and taxonomy globally is vital. It allows for consistent communication and collaboration among various stakeholders in the electricity sector, enhancing the ability to promptly identify and respond to threats. This commitment extends to supporting ISACs.

4. Incident response and reporting: Global commitment to adopt a common and efficient international incident reporting taxonomy and requirements. This commitment would ensure a standardized approach to reporting cybersecurity incidents. Such a taxonomy facilitates a better and shared understanding of the nature and impact of incidents, enabling a coordinated and timely response both within and across borders.

5. Cybersecurity hygiene internal policies and procedures: Global commitment to establish basic cyber hygiene principles specific to the electricity sector. This commitment would provide for a foundational level of security across all operations, reducing vulnerabilities, enhancing overall resilience and promoting a cybersecurity culture.

6. Penetration testing: Global commitment to regular internal penetration testing, which includes operational technology (OT) penetration testing. This allows for identifying and addressing potential weaknesses in systems and infrastructure, fortifying defences against cyber threats.

7. Vulnerability disclosure and management: Global commitment to sectorial vulnerability disclosure among closed groups of sector-specific, pre-authorized entities. This would foster a secure environment for information sharing within closed groups, allowing for proactive resolution of vulnerabilities without risking widespread exposure.

8. Risk assessment and management: Global commitment to applying risk assessment methodology consistently across information technology and operational technology environments. Applying consistent risk assessment methodology across IT and OT environments ensures a comprehensive understanding of potential risks, allowing for better-informed and timely decision-making regarding cybersecurity matters.

9. Third-party risk management: Global commitment that every organization in the supply chain must consider and be responsible for the cybersecurity of its scope of work. This would ensure a comprehensive approach to managing and mitigating risks associated with third-party involvement, securing and embracing ecosystem-wide resilience in the electricity sector.

10. Adoption of existing international standards versus creation of unique, national (or regional) standards: Global commitment to adoption of mature existing international standards such as ISO 27001 and the ISA/IEC 62443 series. Adopting existing international standards rather than creating unique regional standards would ensure a more universally accepted and harmonized approach to cybersecurity practices, leveraging established best practices. These standards should be updated when needed to allow for a harmonized approach to global regulations instead of frequent changes trying to account for evolving technologies and threats.

Conclusion

These collective commitments help regulators and other stakeholders in the electricity sector to share a common vision and understand what the electricity sector deems as important to be cyber resilient. Together, they embody the direction that the global community is heading towards.

Achieving global interoperability of cybersecurity regulations in the electricity sector demands a significant shift in approach. This transformation involves prioritizing security measures over mere regulatory compliance, taking a proactive stance to bolster cybersecurity standards and ensuring a higher level of protection. It requires the establishment of consistent risk evaluations, uniform standards and shared responsibility throughout the supply chain to strengthen the cybersecurity structure of the sector.

Additionally, the adoption of international standards and the promotion of secure information-sharing environments play a critical role. These actions encourage collaboration, innovation and effective strategies for responding to incidents worldwide. Support for standardized data protection laws, such as GDPR, highlights the commitment to safeguarding sensitive information and ensuring its integrity and confidentiality.

Ultimately, the journey towards a more secure and robust electricity sector involves aligning regulations, fostering collaboration and streamlining endeavours across diverse jurisdictions. This collective endeavour not only mitigates cyber threats but also promotes innovation and coordinated response mechanisms, thus establishing a resilient and unified global cybersecurity approach within the electricity industry.

Contributors

Lead author

Kesang Tashi Ukyab, Lead, Cyber Resilience, Electricity, World Economic Forum

World Economic Forum

Filipe Beato, Lead, Centre for Cybersecurity, World Economic Forum

SCRE Global Regulations Working Group leads

Christophe Blassiau, Senior Vice-President, Cybersecurity and Product Security; Global Chief Information Security Officer and Chief Product Security Officer, Schneider-Electric, France
Yuri G. Rassega, Chief Information Security Officer (CISO), Head, Cyber Security, Enel, Italy

SCRE community

Jose Manuel Alonso Barril, CISO, Iberdrola, Spain
Joe Doetzl, CISO, Hitachi Energy, Switzerland
Stefano Bracco, Knowledge Manager, ACER, Slovenia
Morten Duus, Chief Information Security Officer, Vestas, Denmark
Manny Cancel, SVP and CEO of E-ISAC, NERC, USA
Mikhail Falkovich, Chief Information Security Officer, Consolidated Edison, USA
Tim Conway, Director of SCADA and ICS, SANS Institute, USA
Peter Frøkjær, Senior Security Architect, Vestas, Denmark
Sebastijan Cutura, Policy Manager, European Cyber Security Organisation, Belgium
Loris Gasparrini, Head of Cyber Security Standards and External Stakeholders, Enel, Italy
Todd Davis, Head of Cyber Risk & Strategy Trends, Vestas, Denmark
Agustín Valencia Gil-Ortega, OT Security Business Development, Fortinet, Spain
Mark Antony D'Ambrogio, Regional Information Security Officer, Orsted, United Kingdom
David Andres Hurtado, Head of OT Cybersecurity & Resilience, Naturgy, Spain
Gabriele De Luca, Cybersecurity Expert, Enel, Italy
Frederik Lilleøre Jæger, Chief Information Security Officer, Orsted, Denmark
Rosa Kariger, Global Security Governance & Intelligence, Iberdrola, Spain
Gabriella Serino, Cyber Expert, Enel, Italy
Leo Simonovich, Vice President; Global Head, Industrial Cyber and Digital Security, Siemens Energy, USA
Jesus Sanchez Lopez, Head of Global Cybersecurity, Naturgy, Spain
Stuart Madnick, John Norris Maguire Professor of Information Technologies and Professor of Engineering Systems, MIT – Sloan School of Management, USA
Henrik Loth Thiesen, Global Director of Information Security & Risk Management, Vestas, Denmark
Philip Tonkin, Chief of Staff, Dragos, United Kingdom
Angelica Marotta, Affiliated Researcher, Cybersecurity, Massachusetts Institute of Technology, USA
Maximilian Urban, Information Security Officer and Innovation Manager, Netz Niederösterreich, Austria
Paulo Moniz, Director - Information Security and IT Risk, EDP - Energias de Portugal, Portugal
Swantje Westpfahl, CEO, Institute for Security and Safety (ISS), Germany
Charmaine
