Regulatory Strategies for a Resilient Smart Grid: Cybersecurity Compliance in the Electric Energy Sector
Abstract
Rapid innovation in a digitally enabled electric grid requires attention to cybersecurity and resilience. This doctoral thesis is a multidisciplinary study exploring regulatory strategies toward compliance with smart grid resilience goals. Security regulation in the form of legislation, consultation, and audits is essential in the path to a desired future state of resilience. This doctoral work has identified smart-grid-enabled business cases with very high consequence potential, explored the development and coverage of relevant cybersecurity legislation, and investigated the effects of key legal requirements and audit methodologies for smart grid resilience. This is a descriptive work, pointing out weaknesses in current policy structures and regulatory regimes. However, this work also has normative ambitions in providing recommendations to optimize regulatory compliance strategies.
This study has developed a conceptual model for regulatory compliance based on available research on regulatory strategies and the use of hard and soft law. The model links components of regulation to factors that affect regulatory compliance, and Frey's Motivation Crowding Theory is used to discuss these factors. The results show that regulatory compliance strategies should include both managerial and technical requirements. Further, it may be advantageous to differentiate regulatory strategies depending on the size of the regulated entity and the knowledge level of the authority in the field.
Differentiation may be advantageous because detailed compulsory regulation can trigger a compliance focus instead of a security focus, and may even reduce the motivation to reach compliance in large entities with a motivated security team. Regulatory strategies may also be differentiated based on the authority's competence level. Where the authority's competence in the field is low, it may be better to rely on strategies such as enforced self-regulation, letting the regulated entity take more responsibility for choosing the most effective security measures.
Has parts
Paper 1: Hagen, Janne; Toftegaard, Øyvind Anders Arntzen. (2022). Cyber Security Requirements in the Norwegian Energy Sector. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XV. ICCIP 2021. IFIP Advances in Information and Communication Technology, vol 636. Springer, Cham. © IFIP International Federation for Information Processing 2022. Published by Springer. Available at: https://doi.org/10.1007/978-3-030-93511-5_1
Paper 2: Toftegaard, Øyvind Anders Arntzen; Hagen, Janne; Hämmerli, Bernhard Markus. (2022). Are European Security Policies Ready for Advanced Metering Systems with Cloud Back-Ends? In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XVI. ICCIP 2022. IFIP Advances in Information and Communication Technology, vol 666. Springer, Cham. © IFIP International Federation for Information Processing 2022. Published by Springer. Available at: https://doi.org/10.1007/978-3-031-20137-0_2
Paper 3: Toftegaard, Øyvind Anders Arntzen. (2022). An Effect Analysis of ISO/IEC 27001 Certification on Technical Security of Norwegian Grid Operators. 2022 IEEE International Conference on Big Data (Big Data), Osaka, Japan, pp. 2620-2629. Copyright © 2022 IEEE. Available at: http://dx.doi.org/10.1109/BigData55660.2022.10020529
Paper 4: Toftegaard, Øyvind Anders Arntzen; Abraham, Doney; Shenoi, Sujeet; Hämmerli, Bernhard Markus (2024). Smart-Grid-Enabled Business Cases and the Consequences of Cyber Attacks. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XVII. ICCIP 2023. IFIP Advances in Information and Communication Technology, vol 686. Springer, Cham. © IFIP International Federation for Information Processing 2024. Published by Springer. Available at: https://doi.org/10.1007/978-3-031-49585-4_2
Paper 5: Abraham, Doney; Toftegaard, Øyvind Anders Arntzen; Ben Jose D. R., Binu; Gebremedhin, Alemayehu; Yildirim-Yayilgan, Sule. (2024). Consequence simulation of cyber attacks on key smart grid business cases. Frontiers in Energy Research, vol 12. Published by Frontiers Media. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). Available at: http://dx.doi.org/10.3389/fenrg.2024.1395954
Paper 6: Hagen, Janne; Hämmerli, Bernhard Markus; Toftegaard, Øyvind Anders Arntzen. (2024). Relationships between Security Management and Technical Security of Norwegian Energy Entities. In: Pickl, S., Hammerli, B., Mattila, P., Sevillano, A. (eds) Critical Information Infrastructures Security. CRITIS 2023. Lecture Notes in Computer Science, vol 14599. Springer Nature, Switzerland. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024. Available at: https://doi.org/10.1007/978-3-031-62139-0_13
Paper 7: Toftegaard, Ø., Grøtterud, G., Hammerli, B. (2024). Operational Technology Resilience in the 2023 Draft Delegated Act on Cybersecurity for the Power Sector - An EU Policy Process Analysis. Computer Law & Security Review, vol 54. Published by Elsevier Ltd. This is an open access article under the CC BY license. Available at: https://doi.org/10.1016/j.clsr.2024.106034
Paper 8: Toftegaard, Øyvind Anders Arntzen; Sun, Luyi; Hämmerli, Bernhard Markus. (2024). Defending Smart Grid Infrastructure - A Scenario-Based Analysis of Cybersecurity and Privacy Rules in China, France, Russia, UK, and USA. Journal of Information Warfare. © Copyright 2023 Journal of Information Warfare. All Rights Reserved.