For the UK energy industry, cybersecurity has not necessarily been an area which dominates conversation, either within Government or at industry level.
But as we move towards a smarter, more flexible energy market, where more operating systems require information technology capabilities, the threat landscape changes, bringing ample cybersecurity challenges to the fore - challenges which are only now starting to pique Government and media interest. Whilst this convergence of Information Technology and Operational Technology in the energy industry brings many benefits, optimising industry-level processes and affording a more innovative transfer of electricity, it brings with it an increase in attack surface which, with little regulation, has the capability to compromise the operating systems which contribute to our critical national infrastructure.
But fear not. As we as an industry drive towards a more decentralised and distributed way of delivering electricity to consumers and businesses, cybersecurity has increasingly become a topic worthy of discussion and, importantly, action.
In 2016 the European Commission produced the Network and Information Systems (NIS) Directive, with the objective of ensuring that a selection of ‘operators of essential services’ better manage cybersecurity risk by adhering to a set of outcome-based security principles, and by being assessed to ensure compliance and, ultimately, improvement. The NIS Directive goes further, imposing more stringent incident reporting obligations and a penalty regime for non-compliance.
Whilst we are in the very early stages of NIS Directive implementation, it has become clear that as an industry we are relatively late to the game. This piece of legislation is the first of its kind, aiming to develop more entrenched processes around the management of the risk which a lack of cybersecurity poses. With threats originating from a range of sources, from state-sponsored attacks to hackers sending emails infected with malware, the NIS Directive provides a much-needed consistent and stable approach to managing such threats.
However, we cannot become complacent. This is just the beginning of a long road towards more stable regulation and legislation around cybersecurity protections for critical industries. We need sector-specific guidance and direction from the specialists who can transfer experience and knowledge to industries where such intelligence and skills are, unfortunately, severely lacking. It is only with support from the Government, the Regulator and national organisations that we can hope to build on the regulatory foundation laid by the NIS Directive, to ensure the UK is and will continue to be safe from cybersecurity attack.