Collaboration for Cyber Security Resilience in Electricity and Gas.
The Mission for Cyber Security in Energy
Digital systems are a fundamental part of how electricity and gas are transmitted and distributed and how electricity is generated to supply the homes, businesses and public services needed by everyone. Like any digital system, the risks of cyber attacks are real and require skillful design, implementation and operation to keep the systems resilient. Because energy systems are complex this needs collaboration between the many companies who operate the energy systems, the systems integrators and builders who supply and design them and also government in their policies and cyber security expertise.
This industry-led web site provides a window into the cyber security work of the UK electricity and gas sector to provide a reference point for operators and their suppliers to some key standards and initiatives and also provide pointers on where to find relevant cyber security knowledge and expertise. The site presents information from the perspective of operators and systems vendors and official government policy should be referenced directly from BEIS and NCSC.
UK CYBER SECURITY TASK GROUP (E3CC)
The UK Energy Emergencies Executive (E3) is a UK government committee run by the department of Business Energy and Industrial Strategy (BEIS). The E3 provides assurance to Ministers on energy resilience and preparedness and sponsors a key forum sub-committee (E3C) to assess risk and promote delivery on security and resilience improvement programmes. The committee operates through seven Task Groups of which one is the Cyber Security Task Group (E3CC). This Task Group:
- Consists of the 24 operating companies which run the most critical national infrastructure for electricity and gas for the UK together with invited members of BEIS, Ofgem and the UK NCSC;
- Carries out a periodic risk assessment on cyber threat and management capability;
- Shares best practices on non-competitive issues and cyber incidents of mutual concern;
- Directly, or through partnership, progresses initiatives to enhance the cyber security of electricity and gas systems and their supporting organisation
NETWORK INFORMATION SYSTEMS REGULATION
The Security of Network & Information Systems Regulations (“NIS Regulations”) place legal obligations on providers to protect UK critical services by improving cyber security. It came into force on 10th May 2018. This is overseen and enforced for electricity and gas by Ofgem and BEIS who share the responsibilities of Competent Authority (CA).
The expectations of the NIS Directive in the UK is being framed with a set of supporting cyber security principles developed by the National Cyber Security Centre (NCSC) and then adopted and developed by the Competent Authorities. A good reference for this has been published on the NCSC web site. This site also describes the generic Cyber Assessment Framework which is also being used and further developed by Competent Authorities to assess Operators of Essential Services.
To date we have provided help to the CA by setting up industry sub-groups to act as a sounding board in defining scope and approaches. We expect to do more, but how the industry will work collectively to create the best and most efficient cyber security standards and best practices to support our CA is still to be developed.