The ongoing energy transition is reshaping electric power systems into increasingly smart infrastructures that take the form of cyber-physical systems. In these systems, electrical grids are deeply interwoven with advanced information and communication technologies (ICT), improving observability and controllability. While these capabilities are essential for ensuring the flexibility and reliability of future energy systems, they also expand the attack surface for cyber intrusions and introduce new forms of interdependencies between the cyber and physical domains. In response to these challenges, the CYPRESS project aimed to develop comprehensive cyber-physical risk assessment and management frameworks for transmission systems. Cyber-physical risk refers to the combined likelihood and impact of events in which a cyber compromise propagates into the physical operation of the power system, causing measurable degradation of its reliability and/or resilience.
To reach its objectives, the CYPRESS project was organized into three research work packages. The first work package developed criteria and benchmarks for cyber-physical risk management. The second work package, the focus of this white paper, developed techniques for assessing ex-ante the cyber-physical risks that could impact electric power systems. The third work package developed techniques to mitigate cyber-physical risks and to enhance the cyber-physical security of electric power systems. In addition to methodological advances, the CYPRESS project also conducted experimental case studies across the three work packages to validate the applicability of its frameworks to concrete infrastructures (such as transmission systems, distribution systems, wind farms, etc.). Based on the outcomes of the second work package, this white paper provides recommendations to aid transmission operators in identifying relevant cyber-physical threats for their systems.

The remainder of this white paper is organized as follows. Section 2 reviews current practices in terms of cybersecurity risk assessment in Europe, and their expected evolution. On that basis, Section 3 emphasizes the main challenges that must be tackled to perform convincing cybersecurity risk assessments of real electric power systems. Section 4 then summarizes the main contribution of the CYPRESS project to these challenges. Finally, Section 5 concludes by giving recommendations on the next steps.