Final Report Summary - EURACOM (EUropean Risk Assessment and COntingency planning Methodologies for interconnected energy networks)
Executive summary:
European risk assessment and contingency planning methodologies (EURACOM) a European Commission (EC) Directorate-General Enterprise and industry (DG ENTR) - Seventh Framework Programme (FP7)-financed coordination action, addressed the issue of protection and resilience of energy supply for European interconnected energy networks. The project took place in the context of the implementation of the Directive on Critical Infrastructure Protection (CIP), addressing national energy infrastructures.
Its objective was to identify, together with European critical energy infrastructure operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment (RA) and risk management solutions.
By establishing links and coherent risk management procedures across energy sectors and European Union (EU) countries, the resilience of critical energy services across the whole ('end-to-end') energy infrastructure chain sought to be increased.
EURACOM pursued 3 main objectives:
1. Elaborate and promote a common European methodology for risk management and contingency planning (CP). The result is a methodology that proposes some principles for a wider and consistent adoption of RA and CP approaches in the energy sector.
2. Promote a dialogue between energy and security stakeholders through the creation of a lasting European forum for security of energy infrastructures, the creation of a web platform and the organisation of workshops (WSs). EURACOM has initiated a common platform for discussion and future decision making at European level between all stakeholders of the energy chain from different European countries, thus strengthening a common understanding of threats and risks, the establishment of common procedures, and developing effective and coherent tools for the planning of contingency measures. 2 WSs on RA and CP followed by sectoral WSs on gas and electricity, a stakeholder meeting on oil, and a WS with regulators have been organised in order to validate the proposed EURACOM methodology for the specific sectors and or needs.
3. Supporting European policies for the protection of critical energy infrastructures.
The EURACOM partners have eventually made suggestions to support European policies for the protection of critical energy infrastructures. EURACOM have provided elements to decision maker in order to foster a comprehensive and common understanding for the development of more secure, integrated frameworks, and for the implementation of emergency plans.
Project context and objectives:
The project took place in the context of the implementation of the Directive on CPI, addressing national energy infrastructures.
Its objective was to identify, together with European critical energy infrastructures operators, a common and holistic approach (end-to-end energy supply chain) for RA and risk management solutions.
By establishing links and coherent risk management procedures across energy sectors and EU countries, the resilience of critical energy services across the whole ('end-to-end') energy infrastructure chain sought to be increased.
EURACOM pursued 3 main objectives:
1. elaborate and promote a common European methodology for risk management and CP;
2. promote a dialogue between energy and security stakeholders through the creation of a lasting European forum for security of energy infrastructures, the creation of a web platform and the organisation of WSs;
3. support European policies for the protection of critical energy infrastructures.
At the scope a preliminary work lead to the elaboration of the EURACOM methodology: the definition of generic system architecture with relevant functionalities for hazard identification.
These activities delivered a view of the energy networks which are analysed, and a way to model the energy networks. As such, the activities served as input for the RA:
- as a framework to study energy networks and their critical elements;
- as a collection of models to study along typical risk views (e.g. ARECI);
- as an initial analysis of the methodology to be continued and deepened during the WSs.
Both desktop studies on RA methods and further analysis of the link between contingency management and business continuity management (BCM) and RA methodologies fed the development of a common EURACOM approach.
The consortium have thus developed a risk and contingency management concept and framework that can be applied successfully within the energy sector, with special emphasis being given to interconnections of energy networks, CP interoperability and risk sharing between operators.
EURACOM has then launched a common platform for discussion and future decision making at European level between all stakeholders of the energy chain from different European countries, thus strengthening a common understanding of threats and risks, the establishment of common procedures, and developing effective and coherent tools for the planning of contingency measures.
In order to validate the proposed EURACOM methodology for RA and CP, the EURACOM consortium has organised a series of WSs and conferences.
The WS on 'Risk management methodology validation' (WS 5.1) and the WS on 'CP methodology validation' (WS 5.2) allowed to assess and validate the proposed EURACOM risk management and CP methodologies, through scenarios and case studies tailored for the specific sector infrastructures, although the second WS focused quite exclusively on the electricity sector, due the high interest presented by the relevant operators and the light interest to keep in close contact with security solutions suppliers shown by the other sector operators.
The WS 5.6 ('Regulators' WS') gathering EU energy regulators and national CIP contact points, in Brussels, Belgium, on 10 November 2010, aimed at presenting and discussing the EURACOM's proposed methodology for RA and CP with the focus on its potential contribution to national and / or European initiatives (regulatory, policy, etc) in the field of energy infrastructures security.
Finally the EURACOM conference 'Securing Europe's energy infrastructure' gathering 124 participants including representatives from the EU institutions, Member States, private sector, research institutes, reached the recognition that EURACOM has indeed developed a comprehensive holistic approach that goes beyond usual activities of Member States and that could be extremely useful to support European policies for the protection of critical energy infrastructures.
The use of the EURACOM methodology, could provide elements to decision maker in order to foster a comprehensive and common understanding by Member States and sectoral stakeholders for the development of more secure, integrated frameworks, and for the implementation of emergency plans, with particular attention to the growing vulnerability of the energy infrastructure to cyber attacks.
It has been also recognised the need and the importance of comparing standards and possibilities in different states. Yet some European governments are not taking sufficient measures in support of the European programme for CIP. EURACOM could be used to raise awareness on the issue and support definition and implementation of operator security plans as requested in the ECI Directive.
Project results:
During the 2 years of the project, EURACOM has produced different types of results:
a) a taxonomy and a general energy infrastructure system description;
b) a common methodology for RA and CP;
c) a forum gathering the stakeholders of the energy sector.
a) The EURACOM taxonomy and general energy infrastructure system description
EURACOM's first achievement is the provision of a taxonomy and a description of the general energy infrastructure system (D1.1 and D1.2.). In details, this includes:
- a common overview of the energy networks that are analysed;
- a common understanding: 'What's there now'?
- a common terminology amongst partners and externals;
- a common way to model the energy networks.
D1.1 (the definition of generic system architecture with relevant functionalities for hazard identification) provided a view of the energy networks which were analysed, and a way to model the energy networks and an insight to the order of magnitude of the complexity of the subject addressed by EURACOM, which helped to further scope the project.
The analysis for D1.1 was carried out along an architecture framework, based on the enterprise architecture paradigm, but primarily used as descriptive framework, describing the European energy environment. As such it was not a basis for information system design and unlike many design frameworks, we restricted this framework to the conceptual abstraction level, which can be characterised by the 'what' question (as opposed to the 'how' and 'with what').
Within this framework we have covered three dimensions:
- energy markets - gas, electricity, oil (partially);
- organisation levels - organisational, national, European;
- conceptual views - strategy / process / information / network.
A very brief description of what these architectural models resulted in is given below:
Energy markets: looking at the overall energy supply chain, similarities between oil, gas and electricity markets are evident: energy is produced, transported though lines, pipes, or mobile carriers and consumed. From this point of view we will use a generic supply chain model, differentiating a flow of commodities and a flow of ownership of the commodities. This led to the following model:
Organisational levels: with the creation of a common European energy market, cooperation within the energy market becomes increasingly important. From a risk management perspective, it is the key to understand the various levels of interactions and recognise their implications. In this dimension we distinguish amongst types of organisational level, focusing on interactions between them:
- European level: EC and international associations and their internal / cross organisational interactions.
- National level: the National governments and association and their internal/cross organisational interactions.
- Organisation level: describing the energy companies and internal / cross organisational interactions.
- Conceptual views: the conceptual views can be used from a risk management perspective by providing a complete outlook of all aspects that can involve risks. Risks at the physical level are usually quite tangible, as failures of transmission lines, or e.g. compressor stations. Risks at higher levels may be more abstract due to longer term and indirect effects. Nevertheless, poor information exchanges, unclear responsibilities, contradicting strategies between member states are equally important to consider within a complete RA.
We use the following views to describe the energy environment and how it is controlled:
- Strategy view: describing mission, vision, strategy and tactics.
- Process view: describing organisational processes, actors and organisational structures.
- Information view: describing information systems and information exchanges.
- Network view: describing energy networks, their topology and infrastructural elements.
- This led to the following model:
D1.1 was concluded by a taxonomy to describe energy networks, specifying in detail:
- electricity network components;
- gas network components;
- SCADA system components;
- a detailed glossary off all components used.
From the discussion with energy operators, it became evident that clear concepts and definitions were imperative for an effective discussion. Especially for the EURACOM WSs, which were held in European context, clear definitions helped in various areas:
- Understand the method: by explaining the concepts clearly. Especially within the industry, focus usually is on operational problems rather than methodical concepts. E.g. the risk management overview presented in D2.3 was highly welcomed by GIE.
- Manage scope and focus: since they are all interrelated, clarity on the various concepts helps to keep focus during the WSs. E.g. discussions easily shift towards strategy, from operational security to security of supply and operational risks easily to strategic risks.
- Clarify by relating to own organisation: a key success factor of the proposed method is that participants can relate them to their own terminology and own their organisation: what is the overlap and where are gaps as compared to the EURACOM methodology.
On the question where the EURACOM methodologies for RM en CP could help best, added value was seen in the following:
- Clarity, awareness and guidelines: at operational level RA and CP methods are well developed, based on extensive practical industry knowledge. Room for improvement could be sought in communicating a clear picture of how concepts as security management, risk management and contingency management can be made operational all through the organisation and thus raising the awareness for the 'whole picture'.
- Guidelines risk analysis: especially within a holistic approach questions as 'what are the main topics', 'how do we know we are complete' are not simple. Tools as checklists, risk categories could help here. Similar guidelines were sought for decision making: a generic method could help to come to a pan-European way to making consistent decisions.
- Tools / methods that help identify emerging risks would be helpful as well, e.g. the causes of the past blackouts stem from an ongoing change of the economic model - increased liberalisation of electricity supply industry resulting in significant increase in cross-border trades.
- Maturity model as steering mechanism: operators would like to measure the effects of improved risk management, but find it hard to put this into practice. A maturity model could help by providing a scoring mechanism. With such a mechanism in place, operators would be able to better judge how well they perform and to estimate the extra investments needed. An example would be the petrochemical covenant, according to which the Dutch government provides auditing services.
- Guidelines on confidentiality: in the absence of clear guidelines on what information can be shared and what not, the default action is not to share. This can work counter effective when it comes to sharing experiences and best practices managing security risks. In particular, operators are very reluctant in sharing infrastructure information and see improper information sharing as a security threat by itself. So it should become very clear that the EURACOM aims at sharing the same methodical steps, rather than sharing specific infrastructure information.
- Crisis management process: the key to crisis management is effective communication in abnormal situations, with many external players in limited time. An EU CP method could help in this perspective by providing guidance on e.g. better cooperation between public and private players.
b) The EURACOM common methodology for RA and CP
EURACOM's main contribution is a common methodology for RA and CP (T 2.3.). This methodology was based upon two reports:
- A desktop study of available RA methodologies (T 2.1): A review of current RA methodologies from various sources including EU Member States and international academia, industry, and government has been conducted in order to ascertain common areas of approach.
- A desktop study of available CP methodologies (T 2.2): A review of current CP methodologies from various sources including EU Member States and international academia, industry, and government has been conducted in order to ascertain common areas of approach. Special emphasis has been given to interconnections of energy networks, CP interoperability and risk sharing between operators.
The EURACOM RA methodologies
The objective of T 2.1 was to take stock and analyse available RA methodologies. It is imperative to understand that a considerable number of RA methods already exist which partly fulfil (or claim to fulfil) the objectives of EURACOM (holistic, all hazards). In truth, elements of a generic holistic method already exist in RA methods that are in use today.
What is the rationale behind the quest for another method? The reason for this is that ideally we wanted to use one single good practice method which would deliver comparable results wherever it is employed. Such a good practice method would enable the use of RAs at a specific level (for example regional infrastructure administrators) to be input to the RA at the next higher level of aggregation (for example national infrastructure administrators). Such an approach would ensure that all relevant knowledge is transferred, risk factors are managed at the appropriate level and no (or a minimum of) duplication of work is necessary.
This method is not necessarily innovative. Rather, a method that deviates not too much from the current RA methods in operation would minimise resistance in adapting the (new) RA method and maximise the use of expertise that is already present. The method should therefore not differ too much in application from established, existing methods. However, the new RA method should provide a clear added value.
In a later stage (T 2.3) this generic RA method has been integrated with CP methods and has been customised to suit the energy sector. This included the consideration of specific needs, current RA methods in use and availability of knowledge and information in this sector.
We aimed to achieve this objective by compiling a good practice method composed of best-of-breed elements, which were selected or adapted to form a consistent, logical method. These good practices were then used to assess on which aspects the EURAM method can be improved. In order to determine a set of good practices, the following steps were followed:
Selection of RA methods: First, the RA methods that are most likely to deliver valuable elements for a generic, holistic RA method were surveyed. This delivered a list of methods that were subject to analysis in the next steps of T2.1. This was performed through desktop study. The necessary interaction with (critical) infrastructure operators were handled during WSs.
Generate criteria for assessing methods: In this step, criteria were determined on which to assess the selected methods and their appropriateness for use to meet the overall EURACOM objectives.
Rate methods: In this step, the actual assessment of the selected methods was performed. The results were presented in a visual manner, so as to be able to quickly rate the individual qualities of the methods.
Consideration of pros and con: The particularities and similarities of the considered methods were assessed, as well as the added value for a generic and holistic RA method.
The EURACOM CP methodologies
The desktop study of available CP methodologies was finalised end of October 2009.
The purpose of work package (WP) 2.2 was to document a review of current CP methodologies and BCM from various sources, encompassing international, national and domain-specific standards and guidelines. Taking into consideration the growing importance of BCM as a holistic approach covering all strategic and operational activities of an organisation, a particular focus was placed on the corresponding standards.
Supported by the EURACOM D2.1 desktop study on RA methods and further analysis of the link between contingency management and BCM and RA methodologies, the results of T2.2 were meant to feed the development of a common EURACOM approach to a risk and contingency management concept and framework that could be applied successfully within the energy sector, with special emphasis being given to interconnections of energy networks, CP interoperability and risk sharing between operators.
The analysis has been structured and undertaken as desktop study following the general objectives of the task:
- to make a qualitative evaluation of existing standards and guidelines for CP and BCM based on a defined set of analysis criteria; and
- to assess the suitability for application in the energy sector, having in mind the goal to develop under this project, a common, holistic EURACOM methodology for RA and CP.
The required information sources have essentially been taken from international and national standardisation organisations and other public information sites on the Internet. The output of this report included the following key elements:
- a matrix 'criteria versus standards / guidelines' synthesising the results of the analysis;
- a summary of the mandatory elements of a new, holistic approach, with identification of strengths and weaknesses of existing frameworks and methods;
- a compilation of recommendations for the development of a EURACOM approach, taking into account the qualitative conclusions concerning the analysis of existing resources (standards, guidelines), fundamental requirements to be considered for the management of the energy supply chain and so far identified gaps of analysed resources.
The analysis followed a straightforward work approach that comprised the following steps:
Selection of resources for analysis: The desktop study initiated with the search and the identification of the relevant resources, i.e. standards and guidelines for CP and business continuity.
Definition of criteria for assessment and comparative analysis: After a first review of the available literature, a set of criteria for a more detailed and comparative analysis of the selected resources was defined. The criteria were based on common elements of the existing methodologies and frameworks. This list was iteratively completed during the course of the analysis (step 3).
Execution of the analysis: In this step, the selected resources were formally evaluated on the basis of established criteria. In order to ease the reading of the D2.3 report, each standard or guideline was described (short summary only) with highlight of the main features, underlying frameworks (e.g. for BCM, flow diagrams etc), strong points and any limitations. At the same time, the conformance of the standard or guideline with respect to each individual criterion was documented in a spreadsheet.
Conclusion and recommendations
The final step included a qualitative assessment of the output of the analysis as obtained in the scope of step 3 (execution), i.e. the above mentioned spreadsheet. In order to ensure intuitive interpretation of the content of this table, the matching of each standard or guideline with respect to the criteria was ranked according to standard compliance criteria (full, partial, non-compliant). These results were then compiled into this report.
The final section is a conclusion of the general requirements for a CP approach for the energy sector. These were extracted from the results of other project activities, namely from (EURACOM, 1) that provides an overview of European energy infra-structures and for specific topics of interest.
The EURACOM complete methodology
T 2.3 produced a first deliverable in March 2010 which was covering the whole objective apart from deriving the CP approach to sub sector specificities, this last item was finalised end of June 2010.
It is important to mention that D2.3. objectives were refocused in agreement with the EC project officer in order to clearly mention the elaboration of a methodology. T 2.3 was modified to generate the actual EURACOM RA and CP methodologies as this main deliverable of EURACOM was not clearly identified in the output of WP2.
The objective of task 2.3 (T 2.3) is described in the EURACOM description of work document:
Project summary abstract:
' EURACOM objective is to identify, together with EU energy infrastructure operators, a holistic approach (end-to-end energy supply train: from fuel transport, power generation and transmission) for RA and CP solutions '
The scope also included the requirement to 'report on the link between RA and CP methodologies'.
In addition to the analysis of the link between RA and CP methodologies, this task delivered a combined and holistic approach to RA and CP in a format that can be used as a framework for implementation by the energy sector operators. These main additional aspects were delivered through:
- the creation of a RA and of a CP approach to be implemented at operator (= organisation) level; and
- recommendations on how RA and CP processes can be implemented and supported at higher level of analysis (i.e. on the scope of interconnected energy infrastructures involving many operators).
To deliver the objectives, T2.3 involved the following sub-activities:
- analysing the links between available RA and CP methodologies. We looked in particular at the way the two processes are relying on one another;
- defining the founding principles of the RA and CP approaches by first clarifying the scope of applicability they are designed for, by positioning them against other concepts in a wider risk management perspective and by setting some of the key characteristics they will have to comply with;
- developing a generic RA approach and then tailoring it to the energy sub sectors of oil gas and electricity. This approach was largely built on the results of the EURAM study;
- developing a generic CP approach and then tailoring it to the energy sub sectors of oil gas and electricity (note: this is this last activity of tailoring which was delayed in T2.3);
- providing particular emphasis on how the RA approach and the CP approach interact to deliver 'The EURACOM combined RA and CP approach';
- developing recommendations to allow the implementation of the EURACOM approaches at higher level of analysis (i.e. above the single operator level) for managing dependencies of the energy sector in RA and CP.
c) The EURACOM forum gathering the stakeholders of the energy sector
In the context of the EURACOM project, the energy risk information exchange (ERIE) platform represented an attempt to support information exchanges among energy-sector stakeholders on security operational needs, experiences and lessons learnt, best practices in RA and CP, resilience and risk mitigation, etc.
The platform addressed the following user types: electricity producers, transmitters and distributors, gas and oil distributors, operator's associations, security solution suppliers, regulatory bodies and interest groups, along with EURACOM project partners.
The platform aimed to:
- offer a basis to promote information exchange between energy-sector stakeholders and disseminate EURACOM results;
- review the main achievements of the EURACOM activities and provide orientations for future actions via feedback from operators;
- informing stakeholders about the state of play in the RA / CP area;
- promote dialogue on critical issues in RA and CP.
The ERIE platform was based on the EC CIRCA web tool, a secure web-based tool for the exchange of information in support to the EURACOM community. Communication information resource centre administrator (CIRCA) enabled the EURACOM community, which is geographically spread across Europe (and beyond) to maintain a private space on the Internet where they can share information.
In parallel, EURACOM mapped energy infrastructures operators. Particular efforts were dedicated to obtain the involvement of oil operators and association in EURACOM methodology and in the organisation of sector specific WSs. Despite the efforts, the oil sector was not convinced that a common approach to risk management would be beneficial to the operators in their sector. Therefore, the oil sector specific WS did not take place.
Overall, EURACOM has established contacts with the representatives of the different communities addressed by EURACOM:
- on the Industry side (operators): electricity, gas and oil;
- on the policy side: EC, European Parliament, some Member States;
- on the regulatory side: EER.
These contacts led to a satisfactory participation at the EURACOM WSs.
During the project a series of WSs were organised with specific stakeholders to continue to stimulate networking, dialogue and cooperation between the energy operators and the supply industry. For instance, the attendance at the 'Gas' WS reflected a quite good representativeness of the European countries with 11 Member States being represented, including one island (UK) and two representatives of eastern European countries (Greece and Romania).
Beyond the sectoral approach, a WS with 23 regulators was also organised with an excellent level of attendance:
DG Civil Protection Ministry of Interior, Bulgaria
FOD Binnenlandse Zaken / SPF Interieur, Belgium
ECSA - European Corporate Security Association, Belgium
EPCIP, Austria
Federal Office of Civil Protection and Disaster Assistance National Hazard Register, Germany
Civil Emergency Preparedness and Strategies Division MOI, Czech Republic
Ministry for Climate and Energy, Denmark
DG for Energy, EC
Office of The Prime Minister, Lithuania
Federal Ministry of the Interior, Austria
In general, the WSs were considered very successful by both EURACOM partners and by the attendees.
In terms of content, the WSs were structured to allow a maximum of input from the Gas and Electricity sector, restricting the flow of information from the consortium to the sector to the minimum required to feed the discussion and maximising the feedback from the sectors. The outcome of the WSs provided already some hints on the elements that should be reviewed in the context of 'WP6: Analysis, update and consolidation of system structure / taxonomy, methodology and recommendations'.
Potential impact:
In regard of the potential impact of the project results, the EURACOM methodology not only offers the basis for common and compatible assessment and management tools that can be adapted to different situations, energy operators, and countries, but it also reinforces the European industry's potential to create important market opportunities by its common approach across sectors.
Eventually, if widely adopted, the common methodology can contribute to enhanced cooperation and coordination across Europe, to the development and promotion of metrics, standards, evaluation and certification methods and best practices, which will improve the overall protection of energy infrastructures.
In order to get a maximum impact of the EURACOM methodology on implementation of security solutions and procedures for energy infrastructures, the following suggestions have been made:
- Perform a case study with operator: One of the ways to test the current methodology and to improve its usability would be to perform a case study with selected operators, e.g. one from the electricity and one from the gas sector. For such a case study, close collaboration with the sector associations should be aimed for, in order to ensure that the results of the case studies are relevant for the whole energy sector.
- Apply EURACOM to analyse new technological developments: In the next years, there are expected large investments and technological developments in the energy sector in Europe. The European Parliament has recently debated about the need to strongly invest in energy, not only on renewable sources but also in 'traditional' power plants. The traditional energy grids are soon to be augmented with information and communication technologies (ICT) to form so-called smart grids. In order to determine the appropriate level of protection for these new technologies, a coordinated approach to risk management will be a key requirement. EURACOM may be used to analyse the new technological developments in the energy sector.
- Apply EURACOM to analyse the advanced cyber threat: The growing use of ICT in the energy infrastructure leads to a growing cyber threat. A series of recent incidents has highlighted the vulnerability of the power grid and other energy infrastructures. Both unintentional disruptions of the ICT-based process control environment and cyber attacks disrupted energy systems all over the world. Malware and hackers have penetrated critical process control systems in the energy sector, not only in the US but also in Europe. The recent incident with the Stuxnet worm is an example of this growing threat and shows the possibilities that these professionally built tools may have on the energy infrastructure. The EURACOM methodology may be used to analyse and mitigate the risk posed by the advanced persistent cyber threat.
All the documents supporting this approach are available on the EURACOM website.
In regard of the dissemination activities and Exploitation of results, a strong communication and dissemination strategy supported the project with the widest possible degree of dialogue and dissemination of initial results in order to raise awareness inside the project. This included different activities of communication and dissemination:
- creation of the EURACOM look and feel (logo, flyer, presentations etc);
- creation of EURACOM web pages on EOS website;
- publication of article, flashnews etc.
a) EURACOM Flashnews: In order to inform the stakeholders of the European Energy Infrastructure Community about small piece of information, like the publication of a deliverable online, or an upcoming WS, EOS created a flashnews. EURACOM Flashnews is a very short Newsletter, which allows to give brief news, and dont necessitates too much time to be produced.
b) EURACOM published a one-pager in the SDA roundtable & EURACOM final conference brochure European Energy Review.
c) EURACOM published an article in March 2011 on the European Energy Review website (see http://www.europeanenergyreview.eu online for further details).
- Participation at conferences:
a) EURACOM participated at the 'OSCE public-private expert' WS on protecting non-nuclear critical energy infrastructure against terrorist attacks which took place on the 11-12 February 2010 (Vienna, Austria). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, delivered a speech on 'RA methodologies to protect non-nuclear critical energy infrastructure' - including identification of critical infrastructure and interdependencies between critical sectors. Eric Luiijf, Principal Consultant of TNO Defence, Security and Safety, made a presentation on the cyber security aspects of critical energy infrastructures and on public-private partnerships (PPPs).
b) EURACOM participated at the SRC'10 conference on research, development and innovation for a more secure Europe which took place on the 22-24 September 2010 (Ostend, Belgium). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, delivered a speech on 'Towards a common European approach for security of energy infrastructures'.
c) EURACOM organised the final conference on 'Securing Europe's energy infrastructure' on 24 January 2011 (Brussels, Belgium). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, also delivered a speech on 'Securing Europe's energy infrastructure'. EURACOM partners and conference participants welcomed this initiative from EOS and commit to share EURACOM's findings.
Furthermore, concerning the exploitation of results, the methodology was presented before 23 regulators at the 5th WS and before the main energy stakeholders at the final conference. During these events it was made clear that the methodology could be made available to national regulators and energy operators as a public result of this CSA. Partners of the EURACOM project like TNO, ALTRAN, Thales and Edisoft offered their support to public and private stakeholders for the implementation of the methodology.
List of websites: http://www.eos-eu.com/?Page=EURACOM
European risk assessment and contingency planning methodologies (EURACOM) a European Commission (EC) Directorate-General Enterprise and industry (DG ENTR) - Seventh Framework Programme (FP7)-financed coordination action, addressed the issue of protection and resilience of energy supply for European interconnected energy networks. The project took place in the context of the implementation of the Directive on Critical Infrastructure Protection (CIP), addressing national energy infrastructures.
Its objective was to identify, together with European critical energy infrastructure operators, a common and holistic approach (end-to-end energy supply chain) for risk assessment (RA) and risk management solutions.
By establishing links and coherent risk management procedures across energy sectors and European Union (EU) countries, the resilience of critical energy services across the whole ('end-to-end') energy infrastructure chain sought to be increased.
EURACOM pursued 3 main objectives:
1. Elaborate and promote a common European methodology for risk management and contingency planning (CP). The result is a methodology that proposes some principles for a wider and consistent adoption of RA and CP approaches in the energy sector.
2. Promote a dialogue between energy and security stakeholders through the creation of a lasting European forum for security of energy infrastructures, the creation of a web platform and the organisation of workshops (WSs). EURACOM has initiated a common platform for discussion and future decision making at European level between all stakeholders of the energy chain from different European countries, thus strengthening a common understanding of threats and risks, the establishment of common procedures, and developing effective and coherent tools for the planning of contingency measures. 2 WSs on RA and CP followed by sectoral WSs on gas and electricity, a stakeholder meeting on oil, and a WS with regulators have been organised in order to validate the proposed EURACOM methodology for the specific sectors and or needs.
3. Supporting European policies for the protection of critical energy infrastructures.
The EURACOM partners have eventually made suggestions to support European policies for the protection of critical energy infrastructures. EURACOM have provided elements to decision maker in order to foster a comprehensive and common understanding for the development of more secure, integrated frameworks, and for the implementation of emergency plans.
Project context and objectives:
The project took place in the context of the implementation of the Directive on CPI, addressing national energy infrastructures.
Its objective was to identify, together with European critical energy infrastructures operators, a common and holistic approach (end-to-end energy supply chain) for RA and risk management solutions.
By establishing links and coherent risk management procedures across energy sectors and EU countries, the resilience of critical energy services across the whole ('end-to-end') energy infrastructure chain sought to be increased.
EURACOM pursued 3 main objectives:
1. elaborate and promote a common European methodology for risk management and CP;
2. promote a dialogue between energy and security stakeholders through the creation of a lasting European forum for security of energy infrastructures, the creation of a web platform and the organisation of WSs;
3. support European policies for the protection of critical energy infrastructures.
At the scope a preliminary work lead to the elaboration of the EURACOM methodology: the definition of generic system architecture with relevant functionalities for hazard identification.
These activities delivered a view of the energy networks which are analysed, and a way to model the energy networks. As such, the activities served as input for the RA:
- as a framework to study energy networks and their critical elements;
- as a collection of models to study along typical risk views (e.g. ARECI);
- as an initial analysis of the methodology to be continued and deepened during the WSs.
Both desktop studies on RA methods and further analysis of the link between contingency management and business continuity management (BCM) and RA methodologies fed the development of a common EURACOM approach.
The consortium have thus developed a risk and contingency management concept and framework that can be applied successfully within the energy sector, with special emphasis being given to interconnections of energy networks, CP interoperability and risk sharing between operators.
EURACOM has then launched a common platform for discussion and future decision making at European level between all stakeholders of the energy chain from different European countries, thus strengthening a common understanding of threats and risks, the establishment of common procedures, and developing effective and coherent tools for the planning of contingency measures.
In order to validate the proposed EURACOM methodology for RA and CP, the EURACOM consortium has organised a series of WSs and conferences.
The WS on 'Risk management methodology validation' (WS 5.1) and the WS on 'CP methodology validation' (WS 5.2) allowed to assess and validate the proposed EURACOM risk management and CP methodologies, through scenarios and case studies tailored for the specific sector infrastructures, although the second WS focused quite exclusively on the electricity sector, due the high interest presented by the relevant operators and the light interest to keep in close contact with security solutions suppliers shown by the other sector operators.
The WS 5.6 ('Regulators' WS') gathering EU energy regulators and national CIP contact points, in Brussels, Belgium, on 10 November 2010, aimed at presenting and discussing the EURACOM's proposed methodology for RA and CP with the focus on its potential contribution to national and / or European initiatives (regulatory, policy, etc) in the field of energy infrastructures security.
Finally the EURACOM conference 'Securing Europe's energy infrastructure' gathering 124 participants including representatives from the EU institutions, Member States, private sector, research institutes, reached the recognition that EURACOM has indeed developed a comprehensive holistic approach that goes beyond usual activities of Member States and that could be extremely useful to support European policies for the protection of critical energy infrastructures.
The use of the EURACOM methodology, could provide elements to decision maker in order to foster a comprehensive and common understanding by Member States and sectoral stakeholders for the development of more secure, integrated frameworks, and for the implementation of emergency plans, with particular attention to the growing vulnerability of the energy infrastructure to cyber attacks.
It has been also recognised the need and the importance of comparing standards and possibilities in different states. Yet some European governments are not taking sufficient measures in support of the European programme for CIP. EURACOM could be used to raise awareness on the issue and support definition and implementation of operator security plans as requested in the ECI Directive.
Project results:
During the 2 years of the project, EURACOM has produced different types of results:
a) a taxonomy and a general energy infrastructure system description;
b) a common methodology for RA and CP;
c) a forum gathering the stakeholders of the energy sector.
a) The EURACOM taxonomy and general energy infrastructure system description
EURACOM's first achievement is the provision of a taxonomy and a description of the general energy infrastructure system (D1.1 and D1.2.). In details, this includes:
- a common overview of the energy networks that are analysed;
- a common understanding: 'What's there now'?
- a common terminology amongst partners and externals;
- a common way to model the energy networks.
D1.1 (the definition of generic system architecture with relevant functionalities for hazard identification) provided a view of the energy networks which were analysed, and a way to model the energy networks and an insight to the order of magnitude of the complexity of the subject addressed by EURACOM, which helped to further scope the project.
The analysis for D1.1 was carried out along an architecture framework, based on the enterprise architecture paradigm, but primarily used as descriptive framework, describing the European energy environment. As such it was not a basis for information system design and unlike many design frameworks, we restricted this framework to the conceptual abstraction level, which can be characterised by the 'what' question (as opposed to the 'how' and 'with what').
Within this framework we have covered three dimensions:
- energy markets - gas, electricity, oil (partially);
- organisation levels - organisational, national, European;
- conceptual views - strategy / process / information / network.
A very brief description of what these architectural models resulted in is given below:
Energy markets: looking at the overall energy supply chain, similarities between oil, gas and electricity markets are evident: energy is produced, transported though lines, pipes, or mobile carriers and consumed. From this point of view we will use a generic supply chain model, differentiating a flow of commodities and a flow of ownership of the commodities. This led to the following model:
Organisational levels: with the creation of a common European energy market, cooperation within the energy market becomes increasingly important. From a risk management perspective, it is the key to understand the various levels of interactions and recognise their implications. In this dimension we distinguish amongst types of organisational level, focusing on interactions between them:
- European level: EC and international associations and their internal / cross organisational interactions.
- National level: the National governments and association and their internal/cross organisational interactions.
- Organisation level: describing the energy companies and internal / cross organisational interactions.
- Conceptual views: the conceptual views can be used from a risk management perspective by providing a complete outlook of all aspects that can involve risks. Risks at the physical level are usually quite tangible, as failures of transmission lines, or e.g. compressor stations. Risks at higher levels may be more abstract due to longer term and indirect effects. Nevertheless, poor information exchanges, unclear responsibilities, contradicting strategies between member states are equally important to consider within a complete RA.
We use the following views to describe the energy environment and how it is controlled:
- Strategy view: describing mission, vision, strategy and tactics.
- Process view: describing organisational processes, actors and organisational structures.
- Information view: describing information systems and information exchanges.
- Network view: describing energy networks, their topology and infrastructural elements.
- This led to the following model:
D1.1 was concluded by a taxonomy to describe energy networks, specifying in detail:
- electricity network components;
- gas network components;
- SCADA system components;
- a detailed glossary off all components used.
From the discussion with energy operators, it became evident that clear concepts and definitions were imperative for an effective discussion. Especially for the EURACOM WSs, which were held in European context, clear definitions helped in various areas:
- Understand the method: by explaining the concepts clearly. Especially within the industry, focus usually is on operational problems rather than methodical concepts. E.g. the risk management overview presented in D2.3 was highly welcomed by GIE.
- Manage scope and focus: since they are all interrelated, clarity on the various concepts helps to keep focus during the WSs. E.g. discussions easily shift towards strategy, from operational security to security of supply and operational risks easily to strategic risks.
- Clarify by relating to own organisation: a key success factor of the proposed method is that participants can relate them to their own terminology and own their organisation: what is the overlap and where are gaps as compared to the EURACOM methodology.
On the question where the EURACOM methodologies for RM en CP could help best, added value was seen in the following:
- Clarity, awareness and guidelines: at operational level RA and CP methods are well developed, based on extensive practical industry knowledge. Room for improvement could be sought in communicating a clear picture of how concepts as security management, risk management and contingency management can be made operational all through the organisation and thus raising the awareness for the 'whole picture'.
- Guidelines risk analysis: especially within a holistic approach questions as 'what are the main topics', 'how do we know we are complete' are not simple. Tools as checklists, risk categories could help here. Similar guidelines were sought for decision making: a generic method could help to come to a pan-European way to making consistent decisions.
- Tools / methods that help identify emerging risks would be helpful as well, e.g. the causes of the past blackouts stem from an ongoing change of the economic model - increased liberalisation of electricity supply industry resulting in significant increase in cross-border trades.
- Maturity model as steering mechanism: operators would like to measure the effects of improved risk management, but find it hard to put this into practice. A maturity model could help by providing a scoring mechanism. With such a mechanism in place, operators would be able to better judge how well they perform and to estimate the extra investments needed. An example would be the petrochemical covenant, according to which the Dutch government provides auditing services.
- Guidelines on confidentiality: in the absence of clear guidelines on what information can be shared and what not, the default action is not to share. This can work counter effective when it comes to sharing experiences and best practices managing security risks. In particular, operators are very reluctant in sharing infrastructure information and see improper information sharing as a security threat by itself. So it should become very clear that the EURACOM aims at sharing the same methodical steps, rather than sharing specific infrastructure information.
- Crisis management process: the key to crisis management is effective communication in abnormal situations, with many external players in limited time. An EU CP method could help in this perspective by providing guidance on e.g. better cooperation between public and private players.
b) The EURACOM common methodology for RA and CP
EURACOM's main contribution is a common methodology for RA and CP (T 2.3.). This methodology was based upon two reports:
- A desktop study of available RA methodologies (T 2.1): A review of current RA methodologies from various sources including EU Member States and international academia, industry, and government has been conducted in order to ascertain common areas of approach.
- A desktop study of available CP methodologies (T 2.2): A review of current CP methodologies from various sources including EU Member States and international academia, industry, and government has been conducted in order to ascertain common areas of approach. Special emphasis has been given to interconnections of energy networks, CP interoperability and risk sharing between operators.
The EURACOM RA methodologies
The objective of T 2.1 was to take stock and analyse available RA methodologies. It is imperative to understand that a considerable number of RA methods already exist which partly fulfil (or claim to fulfil) the objectives of EURACOM (holistic, all hazards). In truth, elements of a generic holistic method already exist in RA methods that are in use today.
What is the rationale behind the quest for another method? The reason for this is that ideally we wanted to use one single good practice method which would deliver comparable results wherever it is employed. Such a good practice method would enable the use of RAs at a specific level (for example regional infrastructure administrators) to be input to the RA at the next higher level of aggregation (for example national infrastructure administrators). Such an approach would ensure that all relevant knowledge is transferred, risk factors are managed at the appropriate level and no (or a minimum of) duplication of work is necessary.
This method is not necessarily innovative. Rather, a method that deviates not too much from the current RA methods in operation would minimise resistance in adapting the (new) RA method and maximise the use of expertise that is already present. The method should therefore not differ too much in application from established, existing methods. However, the new RA method should provide a clear added value.
In a later stage (T 2.3) this generic RA method has been integrated with CP methods and has been customised to suit the energy sector. This included the consideration of specific needs, current RA methods in use and availability of knowledge and information in this sector.
We aimed to achieve this objective by compiling a good practice method composed of best-of-breed elements, which were selected or adapted to form a consistent, logical method. These good practices were then used to assess on which aspects the EURAM method can be improved. In order to determine a set of good practices, the following steps were followed:
Selection of RA methods: First, the RA methods that are most likely to deliver valuable elements for a generic, holistic RA method were surveyed. This delivered a list of methods that were subject to analysis in the next steps of T2.1. This was performed through desktop study. The necessary interaction with (critical) infrastructure operators were handled during WSs.
Generate criteria for assessing methods: In this step, criteria were determined on which to assess the selected methods and their appropriateness for use to meet the overall EURACOM objectives.
Rate methods: In this step, the actual assessment of the selected methods was performed. The results were presented in a visual manner, so as to be able to quickly rate the individual qualities of the methods.
Consideration of pros and con: The particularities and similarities of the considered methods were assessed, as well as the added value for a generic and holistic RA method.
The EURACOM CP methodologies
The desktop study of available CP methodologies was finalised end of October 2009.
The purpose of work package (WP) 2.2 was to document a review of current CP methodologies and BCM from various sources, encompassing international, national and domain-specific standards and guidelines. Taking into consideration the growing importance of BCM as a holistic approach covering all strategic and operational activities of an organisation, a particular focus was placed on the corresponding standards.
Supported by the EURACOM D2.1 desktop study on RA methods and further analysis of the link between contingency management and BCM and RA methodologies, the results of T2.2 were meant to feed the development of a common EURACOM approach to a risk and contingency management concept and framework that could be applied successfully within the energy sector, with special emphasis being given to interconnections of energy networks, CP interoperability and risk sharing between operators.
The analysis has been structured and undertaken as desktop study following the general objectives of the task:
- to make a qualitative evaluation of existing standards and guidelines for CP and BCM based on a defined set of analysis criteria; and
- to assess the suitability for application in the energy sector, having in mind the goal to develop under this project, a common, holistic EURACOM methodology for RA and CP.
The required information sources have essentially been taken from international and national standardisation organisations and other public information sites on the Internet. The output of this report included the following key elements:
- a matrix 'criteria versus standards / guidelines' synthesising the results of the analysis;
- a summary of the mandatory elements of a new, holistic approach, with identification of strengths and weaknesses of existing frameworks and methods;
- a compilation of recommendations for the development of a EURACOM approach, taking into account the qualitative conclusions concerning the analysis of existing resources (standards, guidelines), fundamental requirements to be considered for the management of the energy supply chain and so far identified gaps of analysed resources.
The analysis followed a straightforward work approach that comprised the following steps:
Selection of resources for analysis: The desktop study initiated with the search and the identification of the relevant resources, i.e. standards and guidelines for CP and business continuity.
Definition of criteria for assessment and comparative analysis: After a first review of the available literature, a set of criteria for a more detailed and comparative analysis of the selected resources was defined. The criteria were based on common elements of the existing methodologies and frameworks. This list was iteratively completed during the course of the analysis (step 3).
Execution of the analysis: In this step, the selected resources were formally evaluated on the basis of established criteria. In order to ease the reading of the D2.3 report, each standard or guideline was described (short summary only) with highlight of the main features, underlying frameworks (e.g. for BCM, flow diagrams etc), strong points and any limitations. At the same time, the conformance of the standard or guideline with respect to each individual criterion was documented in a spreadsheet.
Conclusion and recommendations
The final step included a qualitative assessment of the output of the analysis as obtained in the scope of step 3 (execution), i.e. the above mentioned spreadsheet. In order to ensure intuitive interpretation of the content of this table, the matching of each standard or guideline with respect to the criteria was ranked according to standard compliance criteria (full, partial, non-compliant). These results were then compiled into this report.
The final section is a conclusion of the general requirements for a CP approach for the energy sector. These were extracted from the results of other project activities, namely from (EURACOM, 1) that provides an overview of European energy infra-structures and for specific topics of interest.
The EURACOM complete methodology
T 2.3 produced a first deliverable in March 2010 which was covering the whole objective apart from deriving the CP approach to sub sector specificities, this last item was finalised end of June 2010.
It is important to mention that D2.3. objectives were refocused in agreement with the EC project officer in order to clearly mention the elaboration of a methodology. T 2.3 was modified to generate the actual EURACOM RA and CP methodologies as this main deliverable of EURACOM was not clearly identified in the output of WP2.
The objective of task 2.3 (T 2.3) is described in the EURACOM description of work document:
Project summary abstract:
' EURACOM objective is to identify, together with EU energy infrastructure operators, a holistic approach (end-to-end energy supply train: from fuel transport, power generation and transmission) for RA and CP solutions '
The scope also included the requirement to 'report on the link between RA and CP methodologies'.
In addition to the analysis of the link between RA and CP methodologies, this task delivered a combined and holistic approach to RA and CP in a format that can be used as a framework for implementation by the energy sector operators. These main additional aspects were delivered through:
- the creation of a RA and of a CP approach to be implemented at operator (= organisation) level; and
- recommendations on how RA and CP processes can be implemented and supported at higher level of analysis (i.e. on the scope of interconnected energy infrastructures involving many operators).
To deliver the objectives, T2.3 involved the following sub-activities:
- analysing the links between available RA and CP methodologies. We looked in particular at the way the two processes are relying on one another;
- defining the founding principles of the RA and CP approaches by first clarifying the scope of applicability they are designed for, by positioning them against other concepts in a wider risk management perspective and by setting some of the key characteristics they will have to comply with;
- developing a generic RA approach and then tailoring it to the energy sub sectors of oil gas and electricity. This approach was largely built on the results of the EURAM study;
- developing a generic CP approach and then tailoring it to the energy sub sectors of oil gas and electricity (note: this is this last activity of tailoring which was delayed in T2.3);
- providing particular emphasis on how the RA approach and the CP approach interact to deliver 'The EURACOM combined RA and CP approach';
- developing recommendations to allow the implementation of the EURACOM approaches at higher level of analysis (i.e. above the single operator level) for managing dependencies of the energy sector in RA and CP.
c) The EURACOM forum gathering the stakeholders of the energy sector
In the context of the EURACOM project, the energy risk information exchange (ERIE) platform represented an attempt to support information exchanges among energy-sector stakeholders on security operational needs, experiences and lessons learnt, best practices in RA and CP, resilience and risk mitigation, etc.
The platform addressed the following user types: electricity producers, transmitters and distributors, gas and oil distributors, operator's associations, security solution suppliers, regulatory bodies and interest groups, along with EURACOM project partners.
The platform aimed to:
- offer a basis to promote information exchange between energy-sector stakeholders and disseminate EURACOM results;
- review the main achievements of the EURACOM activities and provide orientations for future actions via feedback from operators;
- informing stakeholders about the state of play in the RA / CP area;
- promote dialogue on critical issues in RA and CP.
The ERIE platform was based on the EC CIRCA web tool, a secure web-based tool for the exchange of information in support to the EURACOM community. Communication information resource centre administrator (CIRCA) enabled the EURACOM community, which is geographically spread across Europe (and beyond) to maintain a private space on the Internet where they can share information.
In parallel, EURACOM mapped energy infrastructures operators. Particular efforts were dedicated to obtain the involvement of oil operators and association in EURACOM methodology and in the organisation of sector specific WSs. Despite the efforts, the oil sector was not convinced that a common approach to risk management would be beneficial to the operators in their sector. Therefore, the oil sector specific WS did not take place.
Overall, EURACOM has established contacts with the representatives of the different communities addressed by EURACOM:
- on the Industry side (operators): electricity, gas and oil;
- on the policy side: EC, European Parliament, some Member States;
- on the regulatory side: EER.
These contacts led to a satisfactory participation at the EURACOM WSs.
During the project a series of WSs were organised with specific stakeholders to continue to stimulate networking, dialogue and cooperation between the energy operators and the supply industry. For instance, the attendance at the 'Gas' WS reflected a quite good representativeness of the European countries with 11 Member States being represented, including one island (UK) and two representatives of eastern European countries (Greece and Romania).
Beyond the sectoral approach, a WS with 23 regulators was also organised with an excellent level of attendance:
DG Civil Protection Ministry of Interior, Bulgaria
FOD Binnenlandse Zaken / SPF Interieur, Belgium
ECSA - European Corporate Security Association, Belgium
EPCIP, Austria
Federal Office of Civil Protection and Disaster Assistance National Hazard Register, Germany
Civil Emergency Preparedness and Strategies Division MOI, Czech Republic
Ministry for Climate and Energy, Denmark
DG for Energy, EC
Office of The Prime Minister, Lithuania
Federal Ministry of the Interior, Austria
In general, the WSs were considered very successful by both EURACOM partners and by the attendees.
In terms of content, the WSs were structured to allow a maximum of input from the Gas and Electricity sector, restricting the flow of information from the consortium to the sector to the minimum required to feed the discussion and maximising the feedback from the sectors. The outcome of the WSs provided already some hints on the elements that should be reviewed in the context of 'WP6: Analysis, update and consolidation of system structure / taxonomy, methodology and recommendations'.
Potential impact:
In regard of the potential impact of the project results, the EURACOM methodology not only offers the basis for common and compatible assessment and management tools that can be adapted to different situations, energy operators, and countries, but it also reinforces the European industry's potential to create important market opportunities by its common approach across sectors.
Eventually, if widely adopted, the common methodology can contribute to enhanced cooperation and coordination across Europe, to the development and promotion of metrics, standards, evaluation and certification methods and best practices, which will improve the overall protection of energy infrastructures.
In order to get a maximum impact of the EURACOM methodology on implementation of security solutions and procedures for energy infrastructures, the following suggestions have been made:
- Perform a case study with operator: One of the ways to test the current methodology and to improve its usability would be to perform a case study with selected operators, e.g. one from the electricity and one from the gas sector. For such a case study, close collaboration with the sector associations should be aimed for, in order to ensure that the results of the case studies are relevant for the whole energy sector.
- Apply EURACOM to analyse new technological developments: In the next years, there are expected large investments and technological developments in the energy sector in Europe. The European Parliament has recently debated about the need to strongly invest in energy, not only on renewable sources but also in 'traditional' power plants. The traditional energy grids are soon to be augmented with information and communication technologies (ICT) to form so-called smart grids. In order to determine the appropriate level of protection for these new technologies, a coordinated approach to risk management will be a key requirement. EURACOM may be used to analyse the new technological developments in the energy sector.
- Apply EURACOM to analyse the advanced cyber threat: The growing use of ICT in the energy infrastructure leads to a growing cyber threat. A series of recent incidents has highlighted the vulnerability of the power grid and other energy infrastructures. Both unintentional disruptions of the ICT-based process control environment and cyber attacks disrupted energy systems all over the world. Malware and hackers have penetrated critical process control systems in the energy sector, not only in the US but also in Europe. The recent incident with the Stuxnet worm is an example of this growing threat and shows the possibilities that these professionally built tools may have on the energy infrastructure. The EURACOM methodology may be used to analyse and mitigate the risk posed by the advanced persistent cyber threat.
All the documents supporting this approach are available on the EURACOM website.
In regard of the dissemination activities and Exploitation of results, a strong communication and dissemination strategy supported the project with the widest possible degree of dialogue and dissemination of initial results in order to raise awareness inside the project. This included different activities of communication and dissemination:
- creation of the EURACOM look and feel (logo, flyer, presentations etc);
- creation of EURACOM web pages on EOS website;
- publication of article, flashnews etc.
a) EURACOM Flashnews: In order to inform the stakeholders of the European Energy Infrastructure Community about small piece of information, like the publication of a deliverable online, or an upcoming WS, EOS created a flashnews. EURACOM Flashnews is a very short Newsletter, which allows to give brief news, and dont necessitates too much time to be produced.
b) EURACOM published a one-pager in the SDA roundtable & EURACOM final conference brochure European Energy Review.
c) EURACOM published an article in March 2011 on the European Energy Review website (see http://www.europeanenergyreview.eu online for further details).
- Participation at conferences:
a) EURACOM participated at the 'OSCE public-private expert' WS on protecting non-nuclear critical energy infrastructure against terrorist attacks which took place on the 11-12 February 2010 (Vienna, Austria). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, delivered a speech on 'RA methodologies to protect non-nuclear critical energy infrastructure' - including identification of critical infrastructure and interdependencies between critical sectors. Eric Luiijf, Principal Consultant of TNO Defence, Security and Safety, made a presentation on the cyber security aspects of critical energy infrastructures and on public-private partnerships (PPPs).
b) EURACOM participated at the SRC'10 conference on research, development and innovation for a more secure Europe which took place on the 22-24 September 2010 (Ostend, Belgium). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, delivered a speech on 'Towards a common European approach for security of energy infrastructures'.
c) EURACOM organised the final conference on 'Securing Europe's energy infrastructure' on 24 January 2011 (Brussels, Belgium). Luigi Rebuffi, CEO of EOS and President of the EURACOM steering committee, also delivered a speech on 'Securing Europe's energy infrastructure'. EURACOM partners and conference participants welcomed this initiative from EOS and commit to share EURACOM's findings.
Furthermore, concerning the exploitation of results, the methodology was presented before 23 regulators at the 5th WS and before the main energy stakeholders at the final conference. During these events it was made clear that the methodology could be made available to national regulators and energy operators as a public result of this CSA. Partners of the EURACOM project like TNO, ALTRAN, Thales and Edisoft offered their support to public and private stakeholders for the implementation of the methodology.
List of websites: http://www.eos-eu.com/?Page=EURACOM
