Cybersecurity

Implementation indicators

  • Institutions and legislation

    An updated cybersecurity strategy is not yet adopted and the current legal framework does not transpose compliant cybersecurity requirements in energy. The identification and designation of critical energy infrastructures and services is not completed. The computer emergency response team covering the energy sector is in restructuring.

  • Requirements for operators and NRA

    Energy-specific risk analysis is missing. There are general obligations for stakeholders to develop individual information security rules and obligations for reporting incidents. Rules and obligations for energy stakeholders are missing. Cybersecurity competences and powers of the energy regulator are not enforced.

State of implementation

In Georgia, cybersecurity competences are shared between the defence sector and the economic sector. The economic branch is less developed with certain aspects of compliance and security measures completely missing.

The Cybersecurity Strategy 2012 - 2015 laid the basis for combatting terrorism and cybercrime, promoted cyber threat analysis, institutional coordination, public awareness, international cooperation and protection of critical information systems, and called for the establishment of computer security incident response teams (CSIRTs). The follow-up Strategy 2017 - 2018 goes a step further by calling for compliant legislation, risk assessment rules and public-private partnership. It does not specifically address energy. The adoption of the draft cybersecurity strategy for 2020 - 2022 was postponed due to ongoing restructuring of the administration responsible for data security.

The Digital Governance Agency (DGA) operates as the national cybersecurity authority under the Ministry of Justice, according to the Law on Information Security amended in June 2020. The Law defines security of critical information systems both in the public and private domains of the economy, including information security audits, security management and services, and the concept of CERT operation. Energy is not specifically referenced in the Law, and international cybersecurity cooperation measures are missing.

Security of critical information infrastructure is the main objective of both the strategy and the Law. However, the criteria for identification and designation of critical energy infrastructure and essential services are not defined. The implementation is guided by the DGA, with the assistance of the energy regulator GNERC. DGA has not yet completed the assessment of information submitted by companies in a recent survey of the critical infrastructure. The computer emergency response team operating within the Agency (CERT-GOV-GE) must be notified of security incidents. Pursuant to the 2020 amendments of the Law on Information Security, the CERT's activities are going to be carried out by the Computer Management Agency governed by the DGA.

Cybersecurity risk assessment is barely addressed in the Strategy and not covered by the Law on Information Security. The Law provides general requirements for information security audits and obligations for performing tests. DGA is tasked with setting and monitoring the overall policy and assessing the internal information security rules, which each operator of a critical information system has to submit. Specific criteria for risk assessment in energy are not defined.

The energy regulatory authority GNERC supports activities related to security and identification of critical infrastructure and services in the energy sector. However, it has no specific cybersecurity tasks or powers defined by law.