Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/915225
14 | 15TH - 21ST DECEMBER 2017 | UTILITY WEEK | Policy & Regulation | Market view

What NIS spells for utilities

Energy cyber security expert Justin Low considers the implications of the EU's Network and Information Systems Directive on energy and utilities operators in the UK.

The EU Network and Information Systems (NIS) Directive, which comes into force on 10 May 2018, will result in UK legislation to protect essential services from cyber threats. The directive covers many sectors that provide essential services, with energy and utilities operators a key focus. These operators of essential services (OES) will have to ensure their cyber resilience meets the NIS security objectives and guidance or they could face significant fines.

The problem is that awareness of the NIS Directive, and its implications, is still low across the affected industries. It has tended to be eclipsed by its "bigger brother", the General Data Protection Regulation (GDPR). However, companies must focus now because there is little time for implementation before the rules come into force in May next year.

The government's approach

The government has held a consultation on the directive and will publish the detail of its approach around the end of this year. The consultation included four security objectives and 14 security principles for OES to follow, and it is expected that the National Cyber Security Centre will publish generic cross-sector guidance early in the new year. Meanwhile, the relevant lead government departments or authorities (designated "competent authorities") will be providing sector-specific interpretation of the generic guidance in early 2018. This means that, although the direction of the government's thinking is clear, the detail of what will actually be in the legislation will not be known until early 2018, leaving OESs with only a few months to comply.

Owing to the potentially significant impact of cyber incidents on essential services, the government is proposing a "high bar" penalty approach for non-compliance. There will be fines of up to 20 million euros or 4 per cent of global turnover for major breaches – such as failure to implement appropriate and proportionate security measures – and 2 per cent for minor breaches – such as failure to report an incident or failure to co-operate with a competent authority.

It has been recognised that much work has been done to protect critical infrastructures and essential services from cyber threats over recent years, but the implementation of the directive will result in a step change for many operators.

Initially, energy and utility operators should identify whether they would be considered operators of essential services under the legislation. The consultation document is clear about the government's thinking in this area, but this may change when the consultation response is published.

OESs should immediately assess their compliance with the National Cyber Security Centre's (NCSC) security objectives and principles, which were outlined in the consultation. They should then put in place the appropriate cyber resilience measures to protect networks and information systems that provide or support essential services, along with incident-reporting mechanisms.

It is also important to identify all dependencies that enable essential services to operate, such as telecoms and, potentially, third parties. Organisations can then conduct a risk assessment to understand their vulnerabilities and the appropriate response.

Essential services only

NIS will only apply to essential services, and OESs will not be required to implement full cyber resilience capabilities across all services. These essential services are likely to be the operational infrastructure and the services they support, rather than enterprise and corporate services and systems.

Once these preparatory steps have been completed, the OES can then move to designing and implementing what is required to meet the four security objectives of the NIS.

The first of these is to establish an appropriate governance framework and management system – supported by policies, standards, and processes and procedures – to continually assess and manage the risk to the network and information systems that support the essential services.

The second objective is to ensure proportionate security measures are implemented. The third is to ensure the OES has the right capabilities, recognising that security is not just about implementing technical solutions but about the organisation being able to ensure that its cyber defences remain effective and that it can effectively detect security threats that could affect essential services.

Effective response

Finally, the directive requires organisations to put in place the capabilities to respond effectively to potential security incidents once they have been detected. They should be able to minimise the impact of the incident and ensure the timely restoration of services.

Another critical element of the directive is to ensure that incidents are reported to relevant authorities "without undue delay and as soon as possible, at a maximum of no later than 72 hours after having become aware of an incident". Experience from GDPR implementations, which have the same reporting requirements, shows that incident-response procedures must be enhanced and streamlined to meet these timescales.

OESs will have to take a strategic approach and draw up a clear programme to implement these technical, management and operational measures. The implementation plans should also reflect that there are likely to be further waves of implementation as sector-specific guidance and requirements are issued.

Although there are currently no formal requirements for readiness reporting, OESs may also wish to conduct NIS Directive readiness assurance reviews to provide assurance to internal and external stakeholders.

What is critically important, though, is that OESs should recognise that the implementation timescale is short and that they need to start preparing now.

Justin Low, energy cybersecurity expert, PA Consulting Group

