Stronger Together – Cyber Resilience in the Energy Sector
Energy Cyber Security Group (E3CC) 3rd Annual Vendor/Operator Conference.
4th March, 2020 at The IET, Savoy Place, London
Thanks to all of you who attended and contributed to the E3CC Annual Energy Supply Chain Cyber Security Conference held in the first week of March. The following meeting report outlines the highlights of the day:
Risks, National Responsibilities and Regulation
The meeting showed the continued interest and focus by government, operators and suppliers on the very real cyber security risks faced by critical energy providers. The UK Government recognises that this is a key risk that needs managing and that the supply chain is fundamental to this. In their keynote presentation, the UK NCSC confirmed that the threat is real and that the supply chain is not only important in supporting operators’ cyber security goals, but also that the suppliers themselves are targets, with their own business impacts, as well as potentially presenting an attack route into multiple operators.
Ofgem and the UK Health and Safety Executive (HSE) already regulate the safety and integrity of the energy sector, and have gained additional responsibilities under the NIS Regulation to require operators to meet cyber security assurance goals. At the moment the regulation does not directly apply to the supply chain, but there is a logical pass-down of responsibility, because the energy system operators are not able to achieve adequate cyber security without support from their suppliers. This is something that the government is watching carefully and, if needed, it may consider policy requiring more formal supply chain obligations to meet cyber security standards.
Discussions in the meeting made it clear that there was an overriding need for operators and all parts of the supply chain to be able to take action to manage cyber security risks, because the fundamental goal is the protection of our society, which affects us all. Regulation helps underpin this: it helps create a level playing field across national perspectives and, in some cases, provides funding mechanisms.
The Challenge of Digital Transformation
In a series of presentations we explored the transformation of business models, with many more players and roles such as consumer energy services and aggregators, as well as new distributed technologies: renewables in generation, small distribution networks and increased use of smart consumer devices. Much work needs to be done to ensure that the new businesses have access to cyber security management skills and that new technologies are designed, built and operated securely. There was a general sense that the move to innovation runs the risk of outpacing cyber security standards and that more needs to be done.
Cyber Security Specifications, Procurement and Standards
Several presentations and discussions explored how operators specified cyber security requirements and how systems suppliers responded. In many cases the procurement process still looks to be very crude, with tick-box questions asking for confirmation of compliance with ‘IEC 62443’/‘NIS Regulation’/‘ISO 27001’, to which a simple binary answer is close to meaningless. Standards which give more detailed use cases and design patterns are more useful, and the UK ENA Energy Delivery Systems (EDS) Cyber Security Procurement Language Guide was cited as an example of good practice. The supply chain participants were unanimous in their view that a cyber-security-informed buyer was really helpful in the process. In discussions, some key themes emerged:
- What level of cyber security is fundamental professional practice, and so should be built in and not seen as a profit opportunity? Operators could reasonably expect that basics such as fixing discovered security vulnerabilities come as part of general product support, whereas more advanced security management capabilities could be seen as a value-added proposition. Some clarity around this could be very helpful in setting industry expectations.
- Systems suppliers themselves have their own supply chains, and this leads to a need to understand what is ‘inside the box’; so ‘bill of materials’ approaches and supporting supply chain management cascades need to be part of the cyber security management process.
- How does a vendor build security into, and operate security processes within, its own design, build and support processes? What assurance could be asked for and provided, and could this be standardised?
- Can a consistent cross-supply-chain risk model be agreed, so that cyber risk in operation can be compared with the cyber risk management capability designed in by the vendor?
Conversation and Collaboration
The meeting came together around the view that we can only achieve the necessary cyber security capability through honest and frank collaboration, rather than taking adversarial positions or relying on legal contracts as a last recourse. Some companies are working on ‘charter of trust’ activities with cross-sector collaboration; these have broad goals and long-term timescales. Other activities include vendor-customer work groups looking at particular products and services to develop security roadmaps and/or better understand risks by looking at threats and attack trees. It was recognised that vendors can be key to managing cyber security incidents but are often not included in the process. Valuable actions were seen to be:
- Vendors initiating customer cyber security forums focusing on threats/risks, sharing best practices and agreeing cyber security roadmaps for products
- Multiple operators and multiple vendors working together to define security standards, expectations and assurance approaches
- Suppliers being invited to participate in operator cyber security crisis/incident management exercises
We invite your views on the event and ideas for topics that you would like to see us follow up on.
We have seen much interest in the idea of a joint operator/supply chain workgroup which would look at:
- Opportunities for a common assurance framework to be used to assess cyber security capability (vs. the current per-company approach)
- Cyber security basics – defining the base expectation
We are therefore seeking interested parties, so that we can select an appropriate cross-section of stakeholders to look into further joint activity. Interested parties should email e3cc(at)csoconfidential.com