The security staircase¶
The “levels” bit is shorthand from how regulators and operators structure security capacity in critical infrastructure (energy, water, telecoms). It is not always spelled out the same way, but in EU/NIS2/ENISA-type documents and sector standards there seems to be a kind of staircase:
Level A (operator/SOC level)¶
Each Distribution System Operator (DSO), Transmission System Operator (TSO), or even big supplier must run some form of SOC-lite. For example: TenneT, RTE, E.ON. They monitor their own estate, do first-line response, and escalate. Their labs are often small — test harnesses, PoC environments, maybe a simulated grid segment — mostly for detection tuning and training ops staff.
Level B (sector/CNA level)¶
The Cybersecurity and Network Assurance body, usually national or sector-wide. In Germany this could be BSI, in France ANSSI, in the Netherlands ILT (for energy oversight). They ensure operators share intelligence and follow common playbooks. They maintain a bigger lab: a reference environment for cross-operator systems, interop checks, malware detonation, and joint red-blue exercises.
Level C (national CSIRT/Gov cert level)¶
Above CNA sits the national CSIRT or competent authority: GovCERT.NL, CERT-FR, BSI CERT-Bund, INCIBE-CERT in Spain. They see incidents that go beyond one sector, coordinate with law enforcement, and pass threat intel between sectors and internationally. Their labs are broader — spanning multiple domains, handling classified data, doing advanced malware research.
Level D (EU-wide coordination)¶
At the top sits the EU layer. ENISA provides guidance, capacity building, and runs Cyber Europe. CERT-EU protects EU institutions but also brokers intel between national CSIRTs. The NIS Cooperation Group and the CSIRTs Network ensure incidents that spill across borders are handled consistently. The Joint Research Centre (JRC) maintains smart grid and EV charging test facilities, feeding evidence into EU policy and certification schemes.
Embrace messy reality¶
Device Level (exposure) |
Examples |
Main risks |
CNA role |
Lab needed? |
Who does testing / PoC |
|---|---|---|---|---|---|
Level A devices (consumer / prosumer) |
Smart plugs, Zigbee hubs, EV wallboxes in homes |
Weak auth, replay attacks, unsafe default configs |
Receive CVE submissions, assign IDs, publish entries |
No |
Vendors, independent researchers; CNA may request minimal PoC for verification |
Level B devices (commercial / municipal) |
Office BMS, school PV inverters, municipal EV charging clusters |
Poor patching, supply-chain firmware flaws, lateral spread |
Validate CVEs, coordinate with sector CNAs, ensure advisory issuance |
Sometimes (small test harness) |
Sector reference labs, vendors |
Level C devices (industrial / inter-utility) |
Substation controllers, SCADA gateways, ICCP/TASE.2 stacks |
DoS via protocol abuse, timestamp / association flaws |
Validate CVEs, liaise with national CSIRTs, ensure publication |
Yes (shared CSIRT / sector lab) |
CSIRT labs, vendor SOCs, forensic teams |
Level D devices (grid-critical / cross-border infra) |
HVDC interconnectors, ENTSO-E cross-border balancing platforms, large-scale DER aggregation |
Mass manipulation of setpoints, geopolitical disruption |
Assign CVE, coordinate with ENISA/CERT-EU, advise national CSIRTs |
Yes (mega testbed) |
JRC / ENTSO-E mega testbed, specialised vendor labs, national CSIRTs |
CNA labs in practice¶
CNA role is administrative and coordinating: Its main responsibility is to receive vulnerability reports, validate that they are unique (not already assigned a CVE), and publish CVE entries. You also ensure vendors or discoverers get credit and that proper advisories are issued.
PoC validation is usually delegated
The CNA can request a minimal test case or proof-of-concept to verify the vulnerability is real, but you rarely need a full-blown lab.
Actual exploit testing, attack simulation, and lab experimentation is handled by:
Vendors of the affected devices/software
Reference labs or sector labs (for industrial/critical devices)
National CSIRTs if the CVE affects national infrastructure
When a lab might be useful
For high-volume submissions or complicated ICS/SCADA CVEs, having access to a shared sandbox or small test harness can help confirm PoCs without touching production systems.
But this is usually lightweight, not a full CSIRT or mega testbed setup.
A CNA is mostly about coordination, verification, and publication, not hands-on attack testing.