
PHOENIX Policy Brief: a reasoned overview of challenges and suggested policy options

Published in Privacy by AA

Throughout the PHOENIX project, from its initial phase onwards, CyberEthics Lab. (CEL) worked to establish a new mindset in the cybersecurity development process, one that also considers the ethics and privacy dimensions. This mindset was built on the PRESS Conceptual Framework, which analysed privacy and data protection, regulatory, ethics, societal and security concerns and, on that basis, identified guidelines in terms of compliance rules and governance policies. Using this framework, the PHOENIX project assessed its activities and outcomes. This experience allowed several lessons to be learned and brought into focus the main concerns affecting Electrical Power and Energy Systems (EPES) critical infrastructures in the energy sector across the analysed dimensions (i.e. privacy, ethics and cybersecurity). In the light of these lessons, and on the basis of the main concerns identified, CEL prepared the first draft of the PHOENIX Policy Brief, a document containing an assessment of the main risks and challenges in the EPES context, together with suggested policy options.

Given the wide range of stakeholders surrounding EPES critical infrastructures and the relevance of the identified risks and challenges, engaging representatives of the different roles and players in the analysis, debate and finalisation of the policy brief was considered essential. This is a best practice in project management (e.g. PMBOK); conversely, a lack of engagement may raise barriers against the implementation of the policies themselves. For this reason, the PHOENIX Policy Brief was submitted for review to a pool of multidisciplinary experts, and it was finally discussed during the PHOENIX Final Workshop roundtable, organised by CyberEthics Lab. and held in Rome on July 7, 2022. Six experts, including a policy maker, were selected to represent the dimensions analysed by the Policy Brief (i.e. ethics, privacy and cybersecurity). Based on the comments and feedback received from the experts during the event, the Policy Brief was extended with three additional policy options and then refined and finalised with a prioritised list of policy options. Starting from ten identified risks and challenges (see Figure 1), the Policy Brief formulates a set of 14 Policy Options that aim to provide guidelines for potential enhancements of the next releases of technical developments, operations and regulations in the EPES sector. While the Policy Brief documents all of them, this article presents only the highest-ranked ones:

  • Cybersecurity: Cybersecurity certification scheme and Standardisation
  • Privacy: Need-to-know
  • Ethics: Human factor and social impact

Figure 1: Chart of the risks and categories identified in the Policy Brief

Cybersecurity Risks and Challenges

One of the most relevant PHOENIX objectives is the prevention and immediate identification of cyberattacks directed against Electrical Power and Energy Systems (EPES). The PHOENIX PRESS Conceptual Framework analysed the current EU regulatory frameworks, and specifically the Network and Information Security Directive (NIS – EU Directive 2016/1148), which is the main European cybersecurity legislation and aims at improving cooperation between member states in tackling cyberattacks. A proposal to amend this directive, NIS 2, is currently in the legislative process; it aims to build on and modernise the previous NIS directive. The Policy Brief analyses the most relevant aspects of this latest legislation with regard to cybersecurity risks, suggesting how best to address these risks and implement security.

Cybersecurity certification scheme and Standardisation: The current version of the NIS 2 proposal states that certain categories of “important or essential entities” are required to join and use a cybersecurity certification scheme in accordance with the ‘Cybersecurity Act’ (EU Regulation 2019/881). This regulation introduces an EU-wide certification scheme with the aim of fostering uniform protection and standardising digital systems across the member states. For this challenge, the PHOENIX Policy Brief identifies critical infrastructures as “important entities” that would be mandated to adopt this cybersecurity certification scheme; for this reason, compliance with this prospective obligation should be monitored and taken into consideration.

Privacy And Data Protection Risks and Challenges

Considering the innovation introduced by the IoT and the massive amount of personal data collected through smart devices in the context of EPES and critical infrastructures, there is an urgent need for regulation. It is therefore necessary that the legal requirements of the GDPR are met at every step of data processing. Having addressed privacy in general, the PHOENIX Policy Brief therefore turns to the implementation of data protection, in order to respond to the risks and challenges that may result from the extensive circulation of personal data.

Need-to-know: In the area of data collection, personal data is unfortunately often collected that is not necessary (or not justified) for achieving the purposes of the processing. For this challenge, the PHOENIX Policy Brief proposes the “need-to-know” principle: each individual data item collected should be continuously evaluated and justified. Self-assessment tools can support the development team in this activity and raise awareness of privacy and data protection.

Ethics Risks and Challenges

Ethical issues are central when dealing with the processing of large amounts of data; numerous problems may arise within the community and among individuals, such as discrimination or the disregard of fundamental rights. From this perspective, the PHOENIX Policy Brief proposes guidelines for a respectful and ethical use of data technology and data science.

Human factor and social impact: Because they affect systems vital to everyday life, personal data and the ability to access services, cyber-attacks on critical infrastructure can threaten many human and social aspects, including, inter alia, the psychological and physical well-being of EPES workers. In the context of EPES critical infrastructures, the PHOENIX Policy Brief recognises the need to establish a “trait d’union” enabling multidisciplinary collaboration between experts in technology, ethics, security and legal matters, so that the issues are addressed from their different, intertwined perspectives.

In conclusion, the PHOENIX Policy Brief is a useful tool not only for clearly identifying the major risks and challenges that may be encountered in the aforementioned fields, but also for providing an overview of present and future legislation and of the guidelines to be followed to best comply with it. The latest version of the PHOENIX Policy Brief is based mainly on the experiences and lessons learnt by a consortium of 24 EU partners cooperating over a three-year project lifecycle. Moreover, the final debate and review by six external experts from various disciplines made it possible to improve its quality and to add value with further options to be considered for EPES critical infrastructures.

Service involved

Assessment of technology impact on privacy
We help our clients and partners to achieve their business goals while addressing ethics, privacy and cybersecurity concerns in a manner that prevents the conflicts, sanctions and financial losses that derive from a lack of ethical and legal compliance with applicable national and European regulations. All information technologies must respect fundamental human rights and ensure people's rights in relation to the protection of their private life, personal data and freedom. The EU General Data Protection Regulation (GDPR), which replaced the Data Protection Directive in all EU member states in May 2018, introduces many new obligations for companies and a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, data controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.
Our approach to helping our clients avoid these kinds of issues consists of a holistic service composed of the following main components: providing a Data Protection Officer to drive the organisation's legal compliance actions; mapping the data processed by the organisation to measure its impact on ethical principles and the legal framework; assessing the cybersecurity mechanisms used by the organisation's technologies; conducting an impact assessment for all data processing mechanisms that identifies ethical, legal and security risks; and making recommendations for the organisational and technical means needed to comply with the legal framework while ensuring data confidentiality (preserving authorised restrictions on information access and disclosure, including the protection of personal privacy and proprietary information), integrity (assurance that data is not modified or deleted in an unauthorised and undetected manner), availability (ensuring timely and reliable access to and use of information) and accountability (supporting non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action).
Ethics assessment of technology
We help our clients and partners through a process of critical analysis that examines the effects the introduction and use of a technology may have on human rights, society and the environment. This is a complex process that requires a systematic view and consideration of how technology might affect people and society at large in the short and long term. Assessing the ethical impact of technology is therefore crucial when developing and deploying new technologies, in order to mitigate negative effects, maximise benefits, and enable developers, organisations and policy makers to make informed decisions. In this assessment, we assist our clients and partners in considering all relevant factors; several methodologies and approaches are used to assess the ethical impact of technologies, including:
  • Privacy impact analysis: This type of analysis assesses the effects of technology on the privacy of individuals and their personal information. It considers the risks of monitoring and tracking, the consequences of possible data breaches and the security measures needed to protect users' privacy.
  • Social impact assessment: This type of analysis evaluates the effects of technology on society and the economy in general, considering impacts on unemployment, social equality, access to education and health, quality of life and environmental sustainability.
  • Ethical impact assessment: This type of analysis assesses the effects of technology on society's morals and values, considering impacts on social justice, accountability, transparency, human dignity and individual freedom.
  • Life cycle analysis: This type of analysis assesses the environmental impacts of technology throughout its life cycle, from production to use and end of life.
Ethical impact assessment of technologies therefore requires a multidisciplinary evaluation involving technology experts, ethics experts, legal experts, environmental experts and other stakeholders.
Responsible Research & Innovation
We love discovering and staying on top of new research, continuously advancing our knowledge and transforming it into responsible innovation that takes into account its effects and potential impacts on ethics, privacy and data protection. We help national and international partners to handle ethical, legal and cybersecurity concerns in both the research process and the project outcomes, through legal support for the involvement of human beings in research activities, analysis of the national and regional legal framework applicable to the technology being implemented, and recommendations for the secure and compliant development of that technology. We are a multidisciplinary team that promotes the inclusion of legal and ethical concerns in the design of technology, researching and producing new knowledge and best practices for the conscious and transparent adoption of technology.