Utility Week

UtilityWeek 6th April 2018

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/962034

UTILITY WEEK | 6TH - 12TH APRIL 2018 | 19

Policy & Regulation
Market view

Cyber-security and energy

Cyber-attacks can be sophisticated and perpetrated by state players, and energy companies find themselves in the frontline. Andrew Moir, Herbert Smith Freehills and Peter FitzPatrick write.

The energy sector is a target for cyber-attacks, as can be seen from the assault on Saudi Aramco in 2012 through to the recently discovered "Trisis" malware. The latter, reportedly created by nation state actors, disables safety measures built into industrial control systems and was discovered in a Middle Eastern petrochemical plant. It is believed to be the third publicly known attack on industrial control systems (the first two being the Stuxnet malware affecting nuclear centrifuges in Iran in 2010 and the attacks on the Ukrainian power grid in 2015).

The increasing interconnection of the energy sector creates additional complexity in cyber-security management, particularly through the challenges of managing cyber-security risk in the supply chain. The digitisation of the sector, including the increase in web-connected devices such as smart grids and smart meters, while providing exciting innovation opportunities and increasing efficiency, is making it both more challenging and more important than ever to confront cyber-security.

Legal, regulatory and operational risks

Businesses are increasingly faced with potential legal liabilities arising from cyber-incidents in contract, tort or through regulatory enforcement, and energy companies are updating and developing their cyber-incident response plans to reflect the increased legal, operational and technical risks they are facing. Where operational security is compromised, there is also a risk of environmental damage, physical damage to property, and personal injury or loss of life.

Regulatory obligations often have a bearing on cyber-security, such as the regulatory obligations under the Gas Act 1986 and the conditions imposed in licences for the transportation and supply of gas.

Gas transporters are required to develop and maintain an efficient and economical pipeline system, and gas shippers, suppliers and interconnector operators are required to share information with gas transporters to ensure the safe, secure and efficient operation of pipeline systems.

In light of recent cyber-security incidents, and the significant risks posed to gas infrastructure, in order to discharge these obligations businesses involved in the supply and transportation of gas will need to consider:

• whether their cyber-security management systems, including management of cyber-security risk in their supply chains, are robust enough to detect, prevent and manage cyber-security risk;
• the extent to which they are required to share information about those management systems with other market participants;
• whether their actions could have any prejudicial effect on other market participants.

The increasing integration of businesses' IT and operational systems with other companies in their supply chain increases the attack surface for would-be hackers. Businesses are allocating responsibility for dealing with cyber-security, and liability in the event of an incident, by including cyber-security terms in contracts with customers and suppliers.

However, businesses are recognising that the allocation of liability is not enough – it is far better to engender the right cyber-security behaviours in the supply chain in order to avoid incidents in the first place.

New legislation

Governments around the world are legislating new requirements for minimum standards of cyber-security. In the European Union, May 2018 will see the General Data Protection Regulation (GDPR) and Network and Information Security Directive (NISD) come into force.

While energy companies should be aware of the GDPR because it imposes requirements on all companies processing personal data and imposes significant fines for non-compliance (up to 4 per cent of global turnover), NISD is aimed at operators of "essential services", a designation that will capture many energy companies, including electricity generators and transmitters and companies involved in oil and gas production and distribution.

NISD requires member states to introduce policy and regulation to achieve a high level of security of network and information systems, require reporting in the event of incidents and enforce an "effective, proportionate and dissuasive" sanction regime.

In the UK, draft implementing regulations for NISD are expected soon. The initial deadline for implementation is 9 May 2018. The NCSC has issued guidance that is expected to be adopted by the sectoral regulators, adopting a principles-based approach to cyber-risk focusing on four high-level objectives, including managing risk, protecting against cyber-attacks, detecting attacks and minimising the impact of incidents.

Businesses with cross-border operations will need to become familiar with individual member states' implementations of NISD, and other legislation outside of the EU, and be alive to the possibility that non-compliance could lead to liability in multiple jurisdictions.

What does the future hold?

The 2015 cyber-attack on the Ukrainian power grid and the attack on a petrochemical plant have highlighted the significant threat of a cyber-attack on the energy sector. The threat from cyber-criminals, state actors and hacktivists is not going away: energy businesses need to keep ahead of the curve.

Andrew Moir, head of the global cyber security practice; Herbert Smith Freehills and Peter FitzPatrick, associates, disputes practice, Herbert Smith Freehills

Key points

• The energy sector has been targeted by sophisticated cyber-attacks.
• Legislation is being enacted worldwide to tighten cyber-security.
• New EU legislation places specific obligations on "essential services".
