Today, Electric Power Utilities must continuously evaluate the cybersecurity posture of their critical infrastructures. This paper presents the application of a methodology to assess the cybersecurity posture of a demonstrator within the H2020 OSMOSE project (Optimal System-Mix of Flexibility Solutions for European Electricity) related to congestion management in the Italian transmission network.

The inclusion of these new functionalities requires several extensions to the ICT architecture of the hosting organization: new interactions with external factors and the installation of additional components must be analyzed from a cybersecurity perspective. For this purpose, a multi-phase evaluation methodology was applied to the pilot project to consider various organizational and infrastructural aspects.

Starting from the ICT technical specification of the OSMOSE pilot, the CSET tool was used to perform a compliance assessment against the NIST 800-53 standard. The first phase of the analysis identifies a list of priority requirements for each category of the standard, deemed suitable for a specific Security Assurance Level. This analysis phase assigns a ranking value to each category of requirements, enabling the identification of critical areas on which to focus the cybersecurity assessment.

The second step analyzes the ICT architecture in terms of components and networks and derives cybersecurity controls in line with the criticality levels of system assets. The security controls are then used as a guide to structure a cybersecurity test plan of functional, technical, and audit actions involving various processes and organizational areas.

The final goal of this evaluation is to check whether the integration of new ICT systems for congestion management into the pre-existing architecture requires new cybersecurity controls to meet the assigned Security Level of the entire system. The methodological approach and results presented in the paper may be of interest to many operators who must address the cybersecurity of their evolving digital infrastructures to keep abreast of the new challenges introduced by the energy transition.