Utility Week

Utility Week 22nd March 2019


Issue link: https://fhpublishing.uberflip.com/i/1094485


20 | 22nd - 28th March 2019 | Utility Week

Operations & Assets: Analysis

Be safe – that's an order

Operators of essential services are under a legal obligation to protect themselves from cyber attack, but some utilities are sleepwalking into non-compliance, as Rachel Willcox reports.

The magnitude, frequency and sophistication of cyber attacks are increasing, so the introduction of legislation to beef up the resilience of essential services, including utilities, is welcome. However, experts are warning that the growing interconnectivity of systems across the supply chain means that many operators will struggle to gauge the true extent of the risks they face.

The network and information systems (NIS) regulations – the first formal cyber security regulations for the utilities sector – were adopted into law on 10 May last year. Under these regulations, operators of essential services should have submitted a self-assessment on their state of readiness to the relevant competent authority by 15 February this year (Ofgem in the case of the energy sector; the Drinking Water Inspectorate, DWI, for water companies). These self-assessments will be judged against the 14 principles set out in the Cyber Assessment Framework developed by the National Cyber Security Centre, and operators may be required to develop plans for better risk mitigation.

The need to protect against cyber attacks reached new levels of urgency after a study published by Corero Network Security in May last year found that more than two-thirds of UK critical infrastructure organisations had suffered service outages on their IT networks in the previous two years. A third of these outages were believed to have been caused by cyber attacks.

Mary-Jo de Leeuw, director of cyber security advocacy EMEA at the not-for-profit cyber security certification consortium (ISC)2, warns that lack of awareness across the utility sector is a huge challenge, "both in terms of what parts of their operations the NIS regulations apply to, and what specifically needs to be done to comply with the regulations". Recent studies suggest that only 16 per cent of cyber security professionals overall are fully aware of the NIS regulations.

The deadline for submitting improvement plans is 30 April, although Andrew Hartshorn, partner and information law specialist at law firm Shakespeare Martineau, warns that the response of each of the competent authorities has varied, so the rules may not be interpreted consistently across sectors. "Operators of essential services also need to update their governance and processes to ensure that any changes to networks and information systems are considered from a risk perspective," he says. "However, all organisations need to understand data flows both inside and outside of their business to ensure that sensitive data is appropriately protected and access limited."

The initial assessment of vulnerabilities and processes is a huge task. As with GDPR (the Europe-wide general data protection regulation, which came into force last year), it is likely that many organisations are finding that the closer they look into their systems and processes, the more challenges they find, Hartshorn warns.

He believes some organisations will struggle to pull together information about data flows and to understand how subcontractors and complex supply chains can expose vulnerabilities. "Compliance also relies on understanding within the employee base," he points out. "Not everyone will understand from the outset what the impact of the regulations is, and the importance of following processes, procedures and policies."

Best practice

Justin Lowe, digital trust and cyber security expert at PA Consulting, says operators should make sure they understand which parts of their operation fall within the scope of the regulations, and which systems and assets directly or indirectly support these operations, including in their supply chain. "Operators should then understand what security controls are in place for those critical systems and assets, what gaps there are against best practice, and what risk these present to the essential services they provide," he adds. "This will provide a good foundation for defining a regulation compliance programme, together with the associated costs that would need to be included within their regulatory price control business planning activities."

What are NIS regulations?

NIS regulations set out broad principles that require the operators of essential services to put "appropriate and proportionate" measures in place to implement and proactively manage cyber security.

A spokeswoman for Ofgem tells Utility Week: "Operators will be required to engage in appropriate cyber risk management, report major cyber incidents that threaten supply, and take action to rectify those incidents. To fulfil this role, we have been given new powers to request information, to audit operators of essential services, to assess their security and resilience, to issue binding instructions on operators, and to fine operators if appropriate."

The regulations also cover other threats affecting IT, such as power outages, hardware failures and environmental hazards. Organisations need to understand vulnerabilities and points of weakness not just in their own systems but also in any supply chain systems that interface with their own. A reporting system has also been set up to make it easier to report cyber breaches and IT failures.

In the energy sector, the regulations apply to suppliers with more than 250,000 customers, transmission and distribution network operators with the potential to cause disruption to more than 250,000 final customers, and generators with more than 2GW of capacity. There are also provisions for operators of interconnectors. "So far we have more than 50 operators captured, varying from generation, transmission, distribution, supply and gas storage," an Ofgem spokeswoman says.

The threshold requirement set by the Drinking Water Inspectorate (DWI) applies to any UK company that supplies potable water to 200,000 or more people.
