The ongoing energy transition involves the implementation of a distributed and multi-technological digital infrastructure, potentially exposed to a variety of vulnerabilities and threats that could be used by cybercrime activities to cause interruptions in the electricity service and unwanted cascading effects on other civil and industrial services and sectors, of non-negligible value. The first objective of the activity concerns the development of a methodology for specifying and analyzing cybersecurity requirements based on appropriate software tools, which allows evaluating the compliance/necessity of the security measures already adopted or of the new measures to be adopted.

The methodology starts from the specification of cybersecurity requirements provided by the NISTIR 7628 guideline through the SGAM Toolbox module, and exploits the functionalities of the CSET tool to define a process of adaptation to the context, integration and analysis of cybersecurity requirements at system and architecture level. The methodology has been applied to the use case related to congestion management in the transmission electricity network developed by the Italian demonstrator of the European OSMOSE project.

The second objective of the activity concerns the development and testing of software modules for a real-time identification platform for cyber anomalies in energy systems. To identify attack processes, significant system indicators need to be collected and analyzed. Starting from the study of the electro-energetic context, some relevant IT/OT events have been identified. In order for the logs of interest to be analyzed and correlated, an application for a filter function of events relevant to security has been developed. Thanks to different modules, the event filter can collect, label, and perform some preliminary statistics used by subsequent analysis tools. A platform capable of performing attack steps on energy infrastructure has also been designed, and its development has started. Some attack modules aimed at cyber-physical systems have been implemented and tested, which will be used to validate the platform’s capabilities to identify attacks and demonstrate resilience scenarios.