Guest blog: EnergyUK - Cyber security in the energy sector

For the UK energy industry, cybersecurity has not necessarily been an area which dominates conversation, either within Government or at industry level.

But as we move towards a smarter, more flexible energy market, where more operating systems require information technology capabilities, the threat landscape changes, bringing ample cybersecurity challenges to the fore - challenges which are only now starting to pique Government and media interest. Whilst this convergence of Information Technology and Operational Technology in the energy industry brings many benefits, optimising industry-level processes and affording a more innovative transfer of electricity, it brings with it an increase in attack surfaces which, with little regulation, have the capability to compromise the operating systems which contribute to our critical national infrastructure.

But fear not. As we as an industry drive towards a more decentralised and distributed way of delivering electricity to consumers and businesses, cybersecurity has more and more become a topic worthy of discussion and, importantly, action.

In 2016 the European Commission produced the Network and Information Systems (NIS) Directive, with the objective of ensuring a selection of ‘operators of essential services’ better manage cybersecurity risk, by adhering to a set of outcome-based security principles, and being assessed to ensure compliance and, ultimately, improvement. The NIS Directive goes further, imposing more stringent incident reporting obligations and a penalty regime for non-compliance.

Whilst we are in the very early stages of NIS Directive implementation, it has become clear that as an industry we are relatively late to the game. This piece of legislation is the first of its kind, aiming to develop more entrenched processes around the management of the risk which a lack of cybersecurity poses. With threats originating from a range of sources, from state-sponsored attacks to hackers sending emails infected with malware, the NIS Directive provides a much-needed consistent and stable approach to managing such threats.

However, we cannot become complacent. This is just the beginning of a long road towards more stable regulation and legislation around cybersecurity protections for critical industries. We need sector-specific guidance and direction from the specialists who can transfer experience and knowledge to industries where such intelligence and skills are, unfortunately, severely lacking. It is only with support from the Government, the Regulator and national organisations that we can hope to build on top of this regulatory foundation in the NIS Directive, to ensure the UK is and will continue to be safe from cybersecurity attack.
