Case Study - EC: A risk governance process for ICT threats to critical infrastructures

Client: European Union
Sector: central government
Services delivered: risk management, asset management

The potential problem

Cross-border energy infrastructure has been identified as high-priority European Critical Infrastructure (ECI) by the European Commission. The energy industry is particularly dependent on Information and Communication Technology (ICT) systems, which are also considered to be ECI. The European Commission therefore needs to understand the increasing interconnectedness between these two sectors, the types of threats posed, and the defences that protect the flow of energy across EU borders.

Understanding the problem

Risk Solutions worked closely with AEA Technology to develop a Risk Governance Framework for identifying and managing the vulnerability of cross-border energy supplies (oil, gas, electricity) to threats related to ICT systems.

The risk governance framework was created through a process of consultation with experts; literature review; stakeholder questionnaires; and expert workshops. It was based on the internationally respected International Risk Governance Council (IRGC) standard for risk governance (

How it works

The Risk Governance Framework guides the user through four stages of risk thinking: 

  • Pre-assessment, which involves getting a broad picture of the risk
  • Appraisal, which identifies the knowledge needed for judgement and decisions
  • Characterisation and evaluation, which assesses whether the risk is acceptable or not
  • Management, which identifies who needs to do what and when.

At each stage it prompts users to consider the fifth element, communication, which determines who needs to be told, when and how.

What it considers

The Risk Governance Framework prompts users to consider the following:

  • The existing and planned changes to European cross-border energy infrastructure, and the possible ways in which it could be vulnerable or exposed to ICT threats
  • The range of possible ICT-related threats and the types of defences that can be put into place, resulting in an estimate of the small likelihood of cross-border energy supplies being affected
  • The potential impact of disruptions to energy systems
  • The ways in which these risks should be managed across European borders.

It also encourages users to consider possible precursors to future threats that are not experienced today, to increase preparedness.

As part of the work, Risk Solutions and AEA Technology designed and ran two workshops in Brussels for experts from the European energy sector. Risk Solutions facilitated debate at these workshops, which explored the issues and tested the Risk Governance Framework through the use of a case study.

The results

When used by member states, the Risk Governance Framework will encourage a more consistent approach between organisations and member states for identifying and managing risks. In this way, best practice can be communicated and shared across Europe, and the EU can be assured that changes in technology and markets are not introducing new threats to cross-border energy supplies.

As a result of this work, Risk Solutions was able to develop pragmatic guidance and supporting materials for a process that could be employed by a member state or energy supplier to comprehensively assess potential vulnerabilities arising from ICT-related threats to their energy infrastructure, and take steps to reduce this vulnerability.