2022
Conference Paper
Title
Extended Gap Analysis: an Approach for Security Assessment of Critical Infrastructures
Abstract
Critical infrastructures (CI) have been undergoing significant developments resulting from new economy- and society-driven trends and demands. In the energy supply, decentralization and digitalization are the key processes that push a significant amount of innovation and movement into the networking of many distributed information technology (IT) and operational technology (OT) based energy systems. These advancements bring substantial benefits, but expose the underlying systems to a number of risks at the same time. In response, governments and sector-specific organizations have published a series of regulatory requirements and guidelines on cybersecurity for the industry and especially for CI. This article describes a practical approach to conducting cybersecurity assessments for CI in the form of an extended gap analysis. The goal is to develop a technique for analyzing gaps between the security measures already implemented and the recommendations formulated in the legal acts and standards for different CI sectors. The methodology includes several assessment steps and layers to address a wide range of security controls of existing standards, taking into account the limitations of conducting such security analyses in the operational environment, especially of power supply systems. The presented approach has been developed and practically tested for a digital substation of a local German energy grid operator.
Author(s)