Guest blog: EnergyUK - Cyber security in the energy sector

For the UK energy industry, cybersecurity has not necessarily been an area which dominates conversation, either within Government or at industry level.

But as we move towards a smarter, more flexible energy market, where more operating systems require information technology capabilities, the threat landscape changes, bringing ample cybersecurity challenges to the fore: challenges which are only now starting to pique Government and media interest. Whilst this convergence of Information Technology and Operational Technology in the energy industry brings many benefits, optimising industry-level processes and affording a more innovative transfer of electricity, it brings with it an increase in attack vectors which, with little regulation, have the capability to compromise the operating systems which contribute to our critical national infrastructure.

But fear not. As we as an industry drive towards a more decentralised and distributed way of delivering electricity to consumers and businesses, cybersecurity has increasingly become a topic worthy of discussion and, importantly, action.

In 2016 the European Commission produced the Network and Information Systems (NIS) Directive, with the objective of ensuring that a selection of ‘operators of essential services’ better manage cybersecurity risk by adhering to a set of outcome-based security principles and being assessed to ensure compliance and, ultimately, improvement. The NIS Directive goes further, imposing more stringent incident reporting obligations and a penalty regime for non-compliance.

Whilst we are in the very early stages of NIS Directive implementation, it has become clear that as an industry we are relatively late to the game. This piece of legislation is the first of its kind, aiming to develop more entrenched processes around the management of the risk which a lack of cybersecurity poses. With threats originating from a range of sources, from state-sponsored attacks to hackers sending emails infected with malware, the NIS Directive provides a much-needed consistent and stable approach to managing such threats.

However, we cannot become complacent. This is just the beginning of a long road towards more stable regulation and legislation around cybersecurity protections for critical industries. We need sector-specific guidance and direction from the specialists who can transfer experience and knowledge to industries where such intelligence and skills are, unfortunately, severely lacking. Only with support from the Government, the Regulator and national organisations can we hope to build on top of this regulatory foundation in the NIS Directive, to ensure the UK is and will continue to be safe from cybersecurity attack.
