The regulation of cybersecurity in the energy sector, currently under development at both the European level as a network code and the Italian level as legislation for the national security perimeter, recognizes that addressing the evolving threats to cybersecurity requires investment in research activities related to compliance verification and the development of tools for calculating compromise indicators.

The activities described address both needs by establishing, in the first case, a methodology for deriving test plans from cybersecurity compliance analysis to standard requirements, and in the second case, a process for developing tools to calculate compromise indicators based on advanced probabilistic models and technologies being developed as international standards.

The specification and analysis methodology for cybersecurity requirements was applied to the analysis of an architecture for congestion management in the national transmission network. The results of the analyses were used to structure a cybersecurity test plan for the infrastructure, which was validated by cybersecurity experts from the network operator with positive outcomes.

A simulation tool for attack processes based on Bayesian networks was applied to the remote control of energy resources. The simulation results demonstrated that the model, which captures dependencies between attack steps and uses the detection of security-relevant events, has significant potential for predicting illicit behavior. In this context, such predictive capability helps identify data and events that can guide the development of an experimental anomaly detection platform based on the most probable attacks. When integrated into the experimental platform, the analysis tool becomes functional for the detection and prediction of attackers’ next moves. This feature makes it particularly suitable for developing strategies that, by leveraging predictive capabilities, ensure the cyber resilience of the remote control system by preventing attackers from successfully completing their attack processes. In terms of resilience, this activity also contributed to calculating the electrical impact by using a probabilistic model to determine the likelihood of attacks on the architecture of the automatic load shedding system in emergency conditions on the national transmission network.

The experimental platform has been extended to include functions for monitoring remote control communications, modules for collecting security-relevant events based on standard reference technologies, the emulation of a complex attack process on remote control communications, and an anomaly detection platform.

The activity will continue with the validation of the compliance analysis methodology and the tools for processing compromise indicators guided by graphical-probabilistic analysis and reference standards.