CyberScotland Week: Regulation of cyber security in the energy sector

Cyber security threats can cripple those businesses we rely on for our everyday necessities, with recent figures showing that 90% of the world’s largest energy companies suffered breaches in 2023.

1 March 2024

Lock overlay on keyboard

Cyber security threats can cripple those businesses we rely on for our everyday necessities. Recent figures show one in three firms have suffered a cyber breach in the past year. In the energy sector alone, 90% of the world’s largest energy companies suffered breaches in 2023, and co-ordinated cyber-attacks were made against critical energy infrastructure throughout Europe. 

The energy sector is particularly dependent on reliable cyber security where the complex flow of electrical data across generation, transmission and distribution is essential, and digitisation is at the heart of reform in the sector. In 2022, an IBM Security Report identified the energy sector as the UK’s top target for cyber-attacks, with 24% of all cyber-attacks in the UK made in the energy sector. 

The Network and Information System Regulations 2018

In the UK, the Network and Information System Regulations 2018 (the Regulations) were introduced in response to the increased reliance on technology by businesses delivering essential services. The Regulations apply to those Operators of Essential Services (OES) operating in the energy, oil, transport, health care, drinking water and digital infrastructure sectors. In the electricity subsector the Regulations apply to:

  • Electricity suppliers with over 250,000 customers.
  • Electricity generators if they, together with companies within their group, cumulatively generate over 2GW. 
  • Transmission systems operators (Including offshore transmission licensees)
  • Holders of interconnector licences where they connect over 1GW.

The Regulations contain two core duties for OES: 

  1. to take appropriate and proportionate technical and organisational measures to manage risks and minimise the impact of incidents affecting their network and information systems; and
  2. to notify any incident which has a significant impact on the continuity of essential services to the relevant competent authorities.

Failure to comply with the Regulations can lead to regulatory enforcement, including financial penalties ranging between £1 million to £17 million. Regulators also have the power to take steps to inspect compliance, the costs of which can be recovered from those subject to inspection. 

In the energy sector, compliance with the Regulations, and subsequent enforcement, is handled by Ofgem, which is taking active steps to assess the health status of the sector. Ofgem has published Guidance which:

  • Makes it clear that it will use the National Cyber Security Centre (NSCS) Cyber Assessment Framework (CAF) to assess compliance. Ofgem expects those in the electricity subsector to conduct and maintain and accurate reports of their position under the CAF, which looks at a set of principles designed to determine factors such as governance and risk management, data and system security, physical security and resilience risks. Ofgem released a “CAF Overlay” in, August 2023 which provides more detail on how those general principles relate specifically to the actions and behaviours demonstrating compliance in the energy sector. 
  • Indicates that those in the sector should be preparing self-assessment reports now on the basis of the CAF. Ofgem has published templates to use for reporting self-assessments and Improvement Plans.

Ofgem is clearly taking steps to assess cyber security compliance in the energy sector. However, it remains to be seen whether it will publish the results or any enforcement action, which may only serve to highlight any shortcomings in the UK’s energy security to cyber security risk. 

The risk of regulatory enforcement is high even if the visibility of that enforcement action might be low. 

The Impact of AI on cyber security in the energy sub-sector 

Importantly, the measures OES are expected to take must have regard to “the state of the art” to ensure the level of security provided is appropriate to the risk provided. As cyber threats evolve in a changing world, so must the protections deployed to manage those risks, including the increasing risks posed by AI.

In January 2024, the NCSC published the results of its assessment focusing on the potential impacts of Artificial Intelligence (AI) on cyber operations. The assessment concluded that Artificial intelligence (AI) will almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years. All types of cyber threat actors – state and non-state, skilled and less skilled – are already using AI to varying degrees. Furthermore, cyber attacks against the UK will become more impactful because threat actors will be able to analyse data faster and more effectively, and use it to train AI models which threaten cyber security.

The threats to cyber security in the energy sector are increasing just the point in time that our system needs to increasingly rely on data use and digitisation. Data handling will become more complex as the system will need to understand and react to increasingly complex information and energy flows. The digitised exchange of data is needed to facilitate an energy system that can accelerate, automate, plan and anticipate processes better than at present. For example, consumer data from smart meters provides a granularity of data which can support Distribution Network Operators plan and maintain their networks. Balancing the electricity system relies on the Electricity National Control Centre at the System Operator using increasingly complicated information flows and systems to balance electricity generation and demand when that generation is increasingly decentralised and intermittent. It is concerning that Elexon (which handles the data for that balancing) was the victim of a ransomware attack on its internal systems in 2020. 

We can expect a step change in the sophistication of cyber security attacks at just the time when the UK’s energy system is increasingly reliant on and developing the utility of the systems subject to attack. Those in the energy sub-sector will need to constantly assess and reassess their systems and compliance processes if they are to comply with the Regulation’s requirements to be “state of the art” in the age of AI. 

 

Jamie McRorie is a Partner in our regulation and markets team. Jamie is the former Head of Enforcement Legal for Ofgem where he helped develop the Regulator’s approach to the regulatory enforcement of cyber security. Jamie is a confirmed speaker at All-Energy, the UK’s largest renewable and low-carbon energy exhibition and conference in Glasgow on 15-16 May. Visit Shepherd and Wedderburn’s All-Energy hub to find out more.