Six months on from the Network and Information Systems Regulations 2018 (NIS) being transposed into UK law, Ofgem (the Competent Authority for the Downstream Gas and Electricity sectors in GB) has released guidance for Operators of Essential Services (OES) to help them understand their responsibilities and how Ofgem will approach the implementation of the NIS Regulations.
Following one-to-one consultations via Ofgem and the Energy Emergency Executive Committee, Cyber Security Task Group (E3CC), it is expected by now that OESs have identified network and information systems where a compromise of the system could impact the supply of an energy service. Energy OESs had a requirement to submit their final scope of essential services to Ofgem by 15th October 2018.
The scope of the essential service consists of a grouping of assets per site; a high-level architecture showing the connectivity points of critical systems and networks; identification of any major upgrades; and a justification for any systems deemed out of scope.
The next stage is for OESs to “undertake a robust but realistic CAF [Cyber Assessment Framework] self-assessment supported by evidence”. The self-assessment has been designed by the National Cyber Security Centre (NCSC) with thirty-nine contributing outcomes associated with a set of Indicators of Good Practice (IGPs), which are based upon good cyber security practices such as international standards, frameworks or methodologies.
The self-assessment will cover strategy, governance, cyber risk assessments, and the identification of sites, systems, assets and stakeholders for each site. Ofgem strongly recommends starting the self-assessments with the most critical sites and assets, particularly because completing them, together with the associated evidence, will take significant effort on the part of the OESs, and the submission deadline to Ofgem is 15th February 2019.
The preliminary work does not stop there. Following submission of the self-assessments, OESs need to start work on their improvement plans to implement cyber-security countermeasures for risks which are outside of their risk acceptance levels. Ofgem is planning to develop a template for submission of the improvement plans, which must be submitted to the regulator by 30th April 2019.
Ofgem expects the preparation for improvement of cyber security for OESs to take time; they state “OES may need to undertake a significant amount of work to put in place both a Cyber Security Management System (CSMS) and the necessary technical cyber-security countermeasures to manage risks appropriately”. It is expected to take six to 12 months for preparation, including any design changes and a further six months for implementation of ‘quick wins’.
So, why is there an expectation that cyber improvements will take a long time? NIS is viewed as the baseline for cyber security, the starting point of overall improvement for critical national infrastructure. New technologies are disrupting the energy sector: digitisation, such as smart meters, has introduced faster and more efficient control, while new energy supplies are being added through renewable generation from alternative sources such as solar, wave, geothermal, bio-energy and wind turbines.
This has also brought an influx of new companies, who are competing strongly with the big energy companies; all of them are connected to a growing and complex critical energy network.
With these recent and future changes, the energy network has become a cocktail of old legacy equipment mixed with new technology, and when legacy parts are restricted or reach end-of-life, new technology is brought into the mix, with the potential to introduce new vulnerabilities.
Supply chain risks are a real threat and can materialise anywhere, as the recent outage at mobile phone provider O2 demonstrated. The 24-hour outage, affecting millions of customers, was caused by a software failure at Ericsson, a supplier of critical components in the O2 network, which had failed to update an expired certificate in a version of its management software. This demonstrates how an interconnected system is only as strong as its weakest point.
Cyber threats against the energy sector are on the increase. The threats are real, and energy is a prime target because it is so critical: other sectors rely upon energy to deliver their services. When under attack, an energy system is harder to disconnect from the network, as doing so could raise safety concerns from system failures, fire or explosions, causing widespread physical disruption through blackouts or brownouts.
The biggest issue facing the energy sector is a combination of the complexity of energy networks and the short supply of appropriate cyber security skills. Ofgem says robust strategic improvement planning is expected to take six months, including recruitment and training. Principle B6, Staff Awareness and Training, from the Indicators of Good Practice will be essential in the energy sector.
Our experience of how the challenges arising from the lack of skilled resource are affecting the energy sector can be seen in the absence of clear scoping of the NIS environment. Are organisations able to clearly identify what is ‘in scope’, or are they at risk of over-extending? Additionally, we frequently find a lack of detailed threat analysis and risk assessment, leading to a generic risk of ‘cyber-attack’. A common failing is not having a central view of all networks, with corporate resource governed by IT and industrial resource falling under an engineering function. To address the NIS Regulations, organisations must access expertise that transcends these traditional boundaries.
In Quarter 3 of 2019, Ofgem will release an audit schedule, which will be prioritised in accordance with OESs’ submitted improvement plans and risks across the sector, with commencement of audit inspections in Quarter 4, 2019.
OESs should expect an audit in the first year and then a continuing rolling audit programme. Each audit inspection is expected to last at least three to five days and may scale upwards, depending on the size and complexity of the OES.