First step into automation of security assessment of critical infrastructures

Critical infrastructures have been undergoing significant developments result- ing from new economy and society driven trends and demands. In the energy supply, decentralization and digitalization are the key processes that push a significant amount of innovation and movement into the networking of many distributed information and operational technology based energy systems. These advancements bring substantial benefits, but expose the underlying systems to a number of risks at the same time. In response, governments and sector-specific organizations have published a series of regulatory re- quirements and guidelines on cybersecurity for the industry and especially for critical infrastructures. This article describes a practical approach to con- ducting cybersecurity assessments for critical infrastructures in the form of an extended gap analysis. The goal is to develop a technique for analyzing gaps between the security measures already implemented, and the recom- mendations formulated in the legal acts and standards for different critical infrastructure sectors. The methodology includes several assessment steps and layers to address a wide range of security controls of existing standards, taking into account the limitations of conducting such security analyses in the operational environment, especially of power supply systems. In addition, a possible automation strategy for the initial phase of the security assessment is presented, in which information about the assets under investigation is col- lected and the appropriate security measures are identified. The presented approach has been developed and practically tested for a digital substation of a local German energy grid operator.