UK's New Cyber Security Bill: What Energy Companies Need to Know (2026)

A Wake-Up Call for Energy Sector Cybersecurity

In a bold move to bolster national security, the UK government has proposed new legislation that will significantly impact the energy industry's cybersecurity landscape. This development comes at a critical juncture as the country ramps up its scrutiny of cyber threats.

The Cyber Security and Resilience Bill, unveiled this week, aims to fortify the existing Network and Information Systems Regulations (NIS) by imposing stricter penalties for serious cybersecurity breaches. But here's where it gets controversial: the bill expands its scope to include 'large load controllers', a move that has taken many by surprise.

The Impact on Energy Smart Appliances

Providers of energy smart appliances (ESAs), such as electric vehicles, charging points, and battery storage systems, will now be classified as 'operators of essential services' (OESs). This means they must demonstrate robust cyber attack response plans and adapt their reporting processes to promptly notify regulators and customers of significant incidents.

The proposed changes to notification requirements are particularly noteworthy. Regulators and the National Cyber Security Centre must be informed within 24 hours of an incident, with full reporting due within 72 hours. The triggers for notification have also been expanded to include near-miss incidents and those with the potential to cause adverse effects.

A Challenge for the Energy Industry

Stuart Davey, a cyber readiness expert, highlights the unexpected inclusion of large load controllers, which was not initially mentioned in the consultation exercise. He emphasizes the government's commitment to clean tech and electronic charging infrastructure, underscoring the importance of these new security requirements.

The bill also introduces a new category of OESs known as 'critical suppliers'. These are organizations that provide goods or services to OESs and rely on network and information systems for supply. The emphasis on supply chain management is a key aspect of the bill, and it's likely to lead to further engagement between OESs, potential designees, and competent authorities.

Implications for Supply Chain Contracts

Chris Martin, another expert at Pinsent Masons, suggests that the bill will prompt essential service operators and their key suppliers to reevaluate how cyber security and resilience are addressed in supply chain contracts. Existing good practices in the energy sector will need to be enhanced to ensure appropriate cyber security obligations are imposed on key suppliers.

Martin adds that suppliers to the energy sector must prioritize strong cyber resilience in their goods and services to ensure fair risk allocation in contractual agreements. Existing contracts will require a thorough review to align with the bill's proposed changes to NIS, and regulators are expected to demand demonstrable cyber resilience that goes beyond generic security obligations.

Strengthening Competent Authorities

The bill also empowers competent authorities by enhancing their powers and obligations. Davey suggests that this may be a response to the lack of guidance introduced under NIS, and the bill outlines expectations for the publication of such guidance. Additionally, competent authorities will have more information-gathering powers, with potential penalties for non-cooperation.

The government has released a guide accompanying the bill, which outlines its intention to simplify the penalty band structure under NIS, consider additional factors for proportionate penalties, and introduce new maximum penalties, including a top band of up to £17 million or 4% of a regulated entity's worldwide turnover.

The Bigger Picture

While some changes may not make headlines, the increased powers granted to the government to instruct regulators and organizations within their remit to take preventative measures when national security is at risk could have significant implications for operators facing cyber attack threats.

This bill follows warnings from the National Cyber Security Centre in October, urging companies to enhance their preparations in light of a rise in significant attacks. The energy industry must now adapt to these new cybersecurity requirements to ensure the resilience of its critical infrastructure.

Article information

Author: Pres. Lawanda Wiegand
