Delivering risk management and compliance for a National Power Company
- nicolaferraritest
- Mar 20
- 2 min read
The problem
Avella consultants were engaged to support a European power generation and distribution company in achieving compliance with the EU Network and Information Systems (NIS) Directive via a comprehensive risk assessment. As the sole national power company in this European nation, our client forms an essential component of the country’s critical national infrastructure (CNI), and any degradation of service or power outage would have a significant impact on the delivery of essential services to the population, such as healthcare.
Solution and Implementation
Our engagement started by assessing the risks that the company was exposed to, from both a cyber and a physical perspective. We utilised a bespoke technical security methodology which considered the cyber threats targeting the organisation, inclusive of the techniques and capabilities used to launch cyber-attacks, and the likelihood of exploitation aligned with the vulnerabilities within the systems. The organisation’s enterprise IT systems, operational technology, and Supervisory Control and Data Acquisition (SCADA) control systems were all within the scope of the assessment.
When determining the impact and consequences of a cyber incident which could affect power supply, we met with Ministerial level representatives from the nation’s central government departments including the Department for Health and the Home Office equivalent, demonstrating the importance to the nation of mitigating the risk facing energy infrastructure.
Results
The detailed risk report clearly articulated the threats facing the power generation and distribution network, associated risk levels, and the supporting risk management recommendations, providing a roadmap and strategy for mitigating the risks down to and within the acceptable risk appetite level.
As a result of our engagement, the company implemented the recommendations detailed in our report and comprehensive analysis, and was consequently successful in lobbying for European grant funding for cyber security controls, thereby mitigating its cyber risk exposure.