Throughout the PHOENIX project, and from its initial phase, CyberEthics Lab. (CEL) worked to establish a new mindset in the cybersecurity development process, one that also takes the ethics and privacy dimensions into account. This mindset was built on the PRESS Conceptual Framework, which analysed privacy and data protection, regulatory, ethics, societal and security concerns and, from that analysis, identified guidelines in the form of compliance rules and governance policies. Based on this framework, the PHOENIX project assessed its activities and outcomes; this experience yielded several lessons learnt and highlighted the main concerns affecting Electrical Power and Energy Systems (EPES) critical infrastructures in the energy sector across the analysed dimensions (i.e. privacy, ethics and cybersecurity). In the light of these lessons and of the main concerns identified, CEL prepared the first draft of the PHOENIX Policy Brief, a document containing an assessment of the main risks and challenges in the EPES context together with suggested policy options.
Given the wide range of stakeholders surrounding EPES critical infrastructures and the relevance of the identified risks and challenges, engaging representatives of the different roles and players in the analysis, debate and finalisation of the policy brief was considered essential. This is a best practice in project management (e.g. PMBOK); conversely, a lack of engagement may raise barriers against the implementation of the policies themselves. For this reason, the PHOENIX Policy Brief was submitted for review to a pool of multidisciplinary experts and was finally discussed during the PHOENIX Final Workshop roundtable, organised by CyberEthics Lab. and held in Rome on July 7, 2022. Six experts, including a policy maker, were selected to represent the dimensions analysed by the Policy Brief (i.e. ethics, privacy and cybersecurity). Based on the comments and feedback received from the experts during the event, the Policy Brief was extended with three additional policy options and then refined and finalised with a prioritised list of policy options. Starting from the identification of ten risks and challenges (see Figure 1), the Policy Brief formulates a set of 14 Policy Options that provide guidelines for potential enhancements of future releases of technical developments, operations and regulations in the EPES sector. While the Policy Brief documents all of them, this article presents only the highest-ranked ones:
Figure 1: Chart of the risks and categories identified in the Policy Brief
One of the most relevant PHOENIX objectives is the prevention and immediate identification of cyberattacks directed against Electrical Power and Energy Systems (EPES). The PHOENIX PRESS Conceptual Framework analysed the current EU regulatory frameworks, and specifically the Network and Information Security Directive (NIS – EU Directive 2016/1148), the main piece of European cybersecurity legislation, which aims at improving cooperation between member states in tackling cyberattacks. A proposal to amend this directive, NIS 2, is currently in the legislative process and aims to build on and update the previous NIS directive. The Policy Brief analyses the most relevant aspects of this latest legislation with regard to cybersecurity risks, suggesting how best to deal with these risks and implement security measures.
Cybersecurity certification scheme and standardisation: The current version of the NIS 2 proposal states that certain categories of “important or essential entities” are required to join and use a cybersecurity certification scheme in accordance with the Cybersecurity Act (EU Regulation 2019/881). This regulation introduces an EU-wide certification scheme with the aim of fostering uniform protection and standardising digital systems among the member states. For this challenge, the PHOENIX Policy Brief identifies critical infrastructures as “important entities” that are to be mandated to adopt this cybersecurity certification scheme; for this reason, the prospect of this obligation, and compliance with it, should be monitored and taken into consideration.
Considering the innovation introduced by the IoT and the massive amount of personal data collected through smart devices in the context of EPES and critical infrastructures, there is an urgent need for regulation. It is therefore necessary that the legal requirements of the GDPR are met at every step of data processing. Having dealt with the topic of privacy, the PHOENIX Policy Brief therefore addresses the implementation of data protection aspects, in order to respond to all the risks and challenges that may result from the extensive circulation of personal data.
Need to know: In the area of data collection, it is unfortunately common to collect personal data that is not necessary (or not justified) for achieving the purposes of processing. For this challenge, the PHOENIX Policy Brief suggests applying the “need-to-know” principle, so that each single item of data collected is continuously evaluated and justified. Self-assessment tools can support the development team in this activity and raise awareness of privacy and data protection.
Ethical issues are central when dealing with the processing of large amounts of data: numerous problems may occur within the community and among individuals, such as discrimination or the disregard of fundamental rights. From this perspective, the PHOENIX Policy Brief proposes guidelines for a respectful and ethical use of data technology and science.
Human factor and social impact: As they affect systems vital to everyday life, personal data and the ability to access services, cyber-attacks on critical infrastructure can threaten many human and social aspects, including, inter alia, the psychological and physical well-being of EPES workers. In the context of EPES critical infrastructures, the PHOENIX Policy Brief recognises the need to establish a “trait d’union” enabling multidisciplinary collaboration between experts in technology, ethics, security and legal matters, in order to address the issues from different, intertwined perspectives.
In conclusion, the PHOENIX Policy Brief is a useful tool that not only clearly identifies the major risks and challenges that may be encountered in the aforementioned fields, but also provides an overview of present and future legislation and of the guidelines to be followed to best comply with it. The latest version of the PHOENIX Policy Brief is mainly based on the experiences and lessons learnt by a consortium of 24 EU partners cooperating over a three-year project lifecycle. Moreover, the final debate and review by six external experts from various disciplines improved its quality and added value with further options to be considered for EPES critical infrastructures.