PHOENIX Policy Brief: a reasoned overview of challenges and suggested policy options

During the timeframe of the PHOENIX project, and since its beginning phase, CyberEthics Lab. (CEL) worked to establish a new mindset in the cybersecurity development process by considering ethics and privacy dimensions as well.

This mindset was laid on the PRESS Conceptual Framework which analysed privacy and data protection, regulatory, ethics, societal and security concerns and therefore identified guidelines in terms of compliance rules and governance policies. Based on this framework, the PHOENIX project assessed activities and outcomes, and this experience allowed to learn several lessons, as well as to consider main concerns dealing with Electrical Power and Energy Systems (EPES) critical infrastructures in the energy sectors related to the different analysed dimensions (i.e. privacy, ethics and cybersecurity). In the light of these lessons and on the basis of the main identified concerns, CEL worked to prepare the first draft of the PHOENIX Policy Brief, a document containing the assessment of the main risks and challenges in the EPES context, as well as suggested policy options. The PHOENIX Policy Brief was submitted for judgement to a pool of multidisciplinary experts, and it was finally discussed during the PHOENIX Final Workshop roundtable, organised by CyberEthics Lab. and held in Rome on July 7, 2022. Based on the comments and feedback received from the experts during the event, the Policy Brief document was integrated with three additional policy options and then refined and finalised with a list of prioritised policy options. Through the identification of ten risks and challenges (see Figure 1), this Policy Brief formulates a set of 14 Policy Options aiming to provide guidelines for potential enhancements of next releases of technical developments, operations and regulations in the EPES sector.

The expert judgement allowed to rank the five highest priority policy options addressing relevant risks and challenges, i.e.:

• Cybersecurity: Cybersecurity certification scheme and Standardisation, Incident notification, Key elements that all companies must address;
• Privacy: Need-to-know;
• Ethics: Human factor and social impact.

In conclusion, the PHOENIX Policy Brief is a useful tool to clearly identify not only the major risks and challenges that may be encountered in the aforementioned fields, but it also provides an overview of present and future legislation and the guidelines to be followed to best comply with it. The definition of the PHOENIX Policy Brief in its latest version is mainly based on experiences and lessons learnt by a consortium of 24 EU partners cooperating during a three-year lifecycle project. Moreover, the final debate and judgement from six external experts in various disciplines allowed to improve quality and to add value with further options to be considered in the EPES critical infrastructures.

For further details, the originally published article is available on https://cyberethicslab.com/en/phoenix-policy-brief-1740/