SLOVENIA: Efficiency of managing cybersecurity risk of the ELES company critical infrastructure, short audit resume


The Court of Audit of the Republic of Slovenia (hereinafter referred to as: Court of Audit) audited the efficiency of ELES, Ltd, Electricity Transmission System Operator (hereinafter referred to as: ELES) in managing critical infrastructure cybersecurity risk. It was the second audit by the Court of Audit reviewing the issue of cybersecurity.

It started in 2019, two years after the Republic of Slovenia adopted the Critical Infrastructure Act (hereinafter referred to as: CI Act). The audit focused on the efficiency of ELES in implementing the requirements of the CI Act and in managing cybersecurity in the field of critical infrastructure. The audited period was from 1 January 2019 to 31 July 2020.


The Court of Audit found that ELES introduced risk management in 2009 and set up a comprehensive risk management system over the following years. ELES kept a computerised catalogue of risks by fields of operations, and in 2019 also established a record of risks in the field of critical infrastructure. ELES identified sources of risks to critical infrastructure operations in a timely manner, analysed and evaluated risks to critical infrastructure operations, determined sources of risks and monitored the state of critical infrastructure, as well as duplicated control centres and devised security plans. ELES also applied a documented information security management system, and was just concluding the introduction of a business continuity management system at the time of the audit review. It carried out a risk assessment of critical infrastructure and introduced measures for the protection of critical infrastructure. Additionally, ELES responded to the COVID-19 epidemic by adopting various measures and thus ensured continuous operation of the processes.


ELES efficiently detected cyber threats through various documented activities: roles and responsibilities for detecting security events were defined, and it performed various detection activities. It followed established procedures for submitting information on detected events, continuously improved its detection processes and built knowledge bases relating to security events. ELES had a response plan for managing the response to cyber threats. Its employees were appropriately trained for responding, and they reported and submitted information on the events to relevant recipients within and outside ELES. ELES also managed its response by analysing notices and understanding the impact of incidents on the organisation, as well as by classifying security incidents. It applied processes for monitoring, analysing and responding to vulnerabilities, and for limiting and mitigating security incidents. ELES had no special strategy for the field of cybersecurity; however, it did establish policies pertaining to all segments of the integrated management system, which were subject to ongoing inspection and relevant updating through management reviews. There are possibilities for improvement, of which ELES is aware and which it has thus introduced.

In the opinion of the Court of Audit, ELES was efficient in managing cybersecurity risk relating to critical infrastructure in the period covered by the audit. The Court of Audit did not require ELES to submit a response report; however, it proposed several recommendations for further improvements.

