Unofficial transfer (c) Soyuzpravoinform LLC
It is registered
Ministry of Justice of Ukraine
August 21, 2024
No. 1278/42623
of August 5, 2024 No. 285
About approval of the Technique of assessment of condition of cyber security of power networks and practice of cyber security of power networks
According to Item 8 of the Regulations on the Department of Energy of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine of June 17, 2020 No. 507, of Item 2 of the actions plan on implementation of the Concept of implementation of "smart networks" in Ukraine till 2035 approved by the order of the Cabinet of Ministers of Ukraine of October 14, 2022 No. 908-r, PRIKAZYVAYU:
1. Approve enclosed:
1) Technique of assessment of condition of cyber security of power networks;
2) to the Practician of cyber security of power networks.
2. To provide to management of cyber security and digital development submission of this order on state registration in the Ministry of Justice of Ukraine in accordance with the established procedure.
3. This order becomes effective from the date of its official publication.
4. To impose control over the implementation of this order on the deputy minister concerning digital development, digital transformations and digitalization Andarak Roman.
Minister
G. Galushchenko
It is approved: First Deputy Minister of digital transformation of Ukraine |
O. Vyskub |
Chairman of Public service of special communication of information protection of Ukraine |
Yu.Mironenko |
V.i.o. Minister of Education and Science of Ukraine |
G. Vinnytsia |
The chairman of the National commission who performs state regulation in spheres of power and utilities |
V.Tarasyuk |
Vice-chairman of the Security Service of Ukraine |
S. Naumyuk |
Chairman of the Public regulatory service of Ukraine |
A. Kucher |
Approved by the Order of the Department of Energy of Ukraine of August 5, 2024 No. 285
1. This Technique determines model of maturity of opportunities of cyber security of power networks (further - maturity model) as objects of critical infrastructure of the fuel and energy sector of critical infrastructure and/or their systems, their parts and their sets (further - power networks).
2. Action of this Technique extends to operators of critical infrastructure (further - operators) who on the property rights, leases or on other legal causes exercise control of power networks.
3. In this Technique terms are used in the following values:
1) assets of information technologies (further - IT assets) - separate set of the electronic information resources organized for collection, processing, support, use, joint use, distribution or placement of information.
This determination includes the interconnected or interdependent systems and environment in which they work.
IT assets turn on workstations, switches, routers, firewalls, servers, virtual machines, the software, mobile computer devices, cloudy resources;
2) assets of operational technologies (further - OT assets) - assets which are in segment of operational technologies of power networks and are necessary for provision of services or productive activity.
The majority of management systems power networks include IT assets.
Workstations, switches, routers, firewalls, servers, virtual machines, the software, mobile computer devices, cloudy assets, programmable logical controllers, remote terminals, industrial management systems (ICS), security systems, control units of physical access belong to OT - assets;
3) maturity - measurable capability of the operator it is permanent to be enhanced within cyber security of power networks;
4) index of cyber security of power networks (further - the MIL index) - the periodic information materials containing expert, analytical, statistical data on condition of cyber security of power networks, and also on separate indicators of harmful effects of the realized cyberthreats the fortune of cyber security of power networks made for the purpose of assessment;
5) the cyber security maturity indicator (further - the maturity indicator) - measure value of maturity of cyber security of power networks;
6) data assets - any message or representation of knowledge, such as the facts, data which are valuable to power networks.
Data assets can be in any carrier or form, including digital or non-numerical. Data assets include business data, intellectual property, customer information, contracts, contracts, logs of safety, metadata, operational data, financial data, information on safety and logs of event management, configuration files;
7) maturity model - the structured set the practician, instructions, action plans for creation of effective programs of cyber security of power networks and holding actions for cyberprotection of power networks;
8) the C2M2 model - model of maturity of opportunities of cyber security of power networks for assessment and enhancement of programs for cyber security of power networks and strengthening of their operational stability;
9) area is logical grouping the practician.
Each such set the practician represents activities which operators carry out for establishment and development of opportunities in the field of cyber security of power networks;
10) assessment of condition of cyber security of electric networks determinations or measurement of indicators of maturity of cyber security of power networks;
11) indicator of maturity of cyber security of electric networks parameters of condition of cyber security of power networks;
12) practice is the method connected with operations which are performed repeatedly within cyber security of power networks as determine measure of level of maturity of opportunities of cyber security of power networks;
13) the level of cyber security of power networks (further - the MIL level) - the C2M2, model maturity indicator level which is determined by set the practician of cyber security of power networks (further - practice) from area of cyber security of the power networks (further - area) implemented and which are carried out in power networks.
Other terms are used in the values given in the Laws of Ukraine "About critical infrastructure", "About the basic principles of ensuring cyber security of Ukraine", "About information protection in information communications systems", "About the market of electrical energy".
4. The purpose of this Technique is determination of algorithm of assessment and enhancement of programs for cyber security of power networks.
5. C2M2 model:
1) is formulated by maturity model as set of the characteristics, attributes, indicators or samples showing capabilities and progress of implementation of measures for cyberprotection of power networks;
2) is determined by management of practice of realization of cyber security of power networks and is adapted for use by operators;
3) it is held for use operators for the purpose of implementation of self-assessment of condition of cyber security and accomplishment of actions for cyberprotection of power networks.
For effective realization of the C2M2 model it is the best of all to use it as part of continuous process of risk management of power networks.
6. Form of application of the C2M2 model is the self-assessment the operator of power networks performed in process of their need, but at least 1 time a year.
7. By results of application of the C2M2 model the operator prepares the report which goes the Ministry of Energy within 10 days, but no later than December 01 of the current year.
In the report are specified:
the cyber security of power networks this about current status;
the C2M2 models this about realization by the operator of measures for cyberprotection of power networks by results of application;
data on enhancement of programs of the operator on cyber security of power networks by results of application of the C2M2 model.
8. In the C2M2 model the term "function" belongs to power networks.
9. The C2M2 model widely determines the concept "function" to provide to operators the greatest degree of flexibility in scoping of self-assessment which is suitable for them.
10. The choice of function determines what objects of critical information infrastructure (further - objects) information (automated) electronic communication, information communications systems, automated process control systems of power networks will be subject to assessment, including the interconnected or interdependent systems and environment in which they work.
11. For the purposes of the C2M2 model the term "assets" includes all objects information (automated) electronic communication, information communications systems, automated process control systems of power networks within the selected function, including the interconnected or interdependent systems and environment in which they work.
12. The C2M2 model is included by the 356th practician which are classified to 10 areas.
13. Each area is connected with the unique purpose of management and several purposes of approach. Within the purposes as approach, and managements are more whole practicians for the description of activities for cyber security of power networks are disaggregated. Within each purpose of practice are arranged on the MIL levels.
14. For measurement of progress of the C2M2 model use the scale of indicators and indexes of condition of cyber security of power networks determining levels from MIL0 to MIL3 according to appendix to this technique. Set the practician determines each MIL level. If the operator implemented and the practician uses such set, then it reached both this MIL level, and opportunities which are represented by this MIL level.
15. Availability of measurable transitional conditions between the MIL levels allows to use scale for:
1) determination of current status of power networks concerning cyber security;
2) determination of future, more mature condition of cyber security of power networks;
3) determination of opportunities which the operator shall provide to reach future indicator of maturity of condition of cyber security of power networks.
16. Areas of the C2M2 model:
1) ASSET - Asset management, changes and configuration. Management of IT assets and OT - assets of power networks, including hardware and the software, and also data assets according to risk of cyber security for power networks;
2) THREAT - management of threats and vulnerabilities. Creation and support of plans, procedures and technologies for detection, identifications, the analysis, management and response to threats and vulnerabilities of cyber security of power networks according to risk of cyber security for them;
3) RISK - risk management. Management of IT assets and OT - assets of power networks, including hardware and the software, and also data assets according to risk of cyber security for power networks;
4) ACCESS - management of identification and access. Creation of identification data for assets to which logical or physical access to assets of power networks, management can be provided by them. Access control to assets of power networks according to risk of cyber security for them;
5) SITUATION - situational awareness. Implementation and support of measures and technologies for collection, monitoring, the analysis, warning, the reporting and use of operational information, information on safety and threats, including information on the status and summary information from other areas of the C2M2, model to receive situational awareness on working state of cyber security of power networks;
6) RESPONSE - response to events and incidents. Creation and support of plans, procedures and technologies for detection, the analysis, responses to events and incidents of cyber security of power networks and recovery after them, and also support of work during the incidents of cyber security of power networks according to risk of cyber security for them;
7) THIRD - PARTIES - supply chain management and external interdependence. Installation and support of control facilities for management of the cyberrisks arising in case of vendor interaction of services of power networks according to risk of cyber security for power networks and the purposes of the operator;
8) WORKFORCE - personnel management. Creation and support of plans, procedures, technologies and control facilities of cyber security of power networks and ensuring steady competence of personnel on cyber security according to risk of cyber security for power networks and the purposes of the operator;
9) ARCHITECTURE - architecture of cyber security. Creation and support of architecture of cyber security of power networks, including controls, processes, technologies and other elements;
10) PROGRAM - program management of cyber security of power networks. Creation and support of the program of cyber security of power networks which provides management strategic planning and financial support of activities of power networks for cyber security so that the purposes on cyber security were approved with strategic objectives and risks for object of critical infrastructure in general.
17. The C2M2 model is held for use self-assessment methodologies the operator for the purpose of measurement and enhancement of own program for cyber security of power networks.
18. Application of the C2M2 model is performed by the choice of level of implementation of each practice with use of four-point scale:
it is not executed (NI) - practice is not carried out;
it is partially executed (PI) - accomplishment is not complete, there are many opportunities for improvement;
it is generally executed (LI) - generally executed, but there is possibility of improvement;
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info
Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system
If you cannot find the required document, or you do not know where to begin, go to Help section.
In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.
You also may open the section Frequently asked questions. This section provides answers to questions set by users.