New cybersecurity legislation is coming soon and those who work in the energy sector must be up to speed.
Last year, various cyberattacks in the UK made headlines around the world: Equifax; the NHS WannaCry ransomware attack; hackers preventing MPs from accessing emails; and threats from state-sponsored hackers.
Cybersecurity is a topic that is high on the agenda of businesses in the energy sector. Growing reliance upon online and smart technologies is leading to greater risk of vulnerabilities to critical infrastructure.
From a policy and legislative perspective, the European Commission published a cybersecurity package in September 2017 which proposed more scrutiny of software and other components used to monitor industrial control systems.
More specifically, the Commission released a paper titled ‘Cybersecurity in the Energy Sector’ in February last year which identified the strategic challenges and specific needs for cybersecurity in the energy sector.
The energy sector is an area of particular concern for cybersecurity authorities as the industry continues to embrace the Internet of Things with smart metering and other networked technologies which bring about potential vulnerabilities.
The ‘Cyber Security in the Energy Sector’ report was published in 2017 by the Energy Expert Cyber Security Platform (EESCP), an expert group which provides guidance and recommendations to the European Commission in respect of the energy sector. This report stressed the need for the energy sector to address the major challenges posed by cyber threats and for cybersecurity requirements to be appropriately addressed.
The report confirmed that two major pieces of European legislation, both discussed below, implement the baseline for cybersecurity across the Member States: the Directive on security of Network and Information Systems (NIS Directive) and the General Data Protection Regulation (GDPR).
The EESCP Report concluded with four key strategic priorities but highlighted that success hinged on the ability and willingness of different stakeholders to cooperate and collaborate. Key recommendations for energy providers related to implementing a threat and risk management system, establishing an effective cyber-incident response network, improving resilience to cyberattacks, and ensuring technical and human capacity and competence to address cyber-security issues in the energy sector.
The energy sector should also be aware of the Network and Information Systems Directive, which is due to be implemented into national law across Europe in May 2018. The UK government is yet to publish its draft implementing legislation, but has confirmed that, regardless of Brexit, it will still implement the NIS Directive into UK law. To catch the attention of organisations whose activities fall within the scope of the NIS Directive, the government, in its response to a public consultation paper (published in January 2018), confirmed proposed fines of up to 20 million euro.
Along with certain other regulated sectors, the energy industry will need to be aware of the impact of the NIS Directive, which is due to come into force in the UK by May 9. The NIS Directive requires operators of “essential services” to increase the security of their network and information systems.
As with other legislation (such as the Bribery Act 2010 and Modern Slavery Act 2015), there will be an onus on providers to ensure compliance through their supply chains and so necessary due diligence must be carried out to ensure compliance when appointing subcontractors.
To satisfy obligations relating to security, businesses must ensure that appropriate and proportionate technical and organisational measures are taken to manage any risks to their network and information systems. Operators are required to report incidents which affect the security, provision, confidentiality and integrity of the service. There are thresholds which limit the reporting of incidents to only those which have a “significant impact on the continuity of essential services”. When considering what a ‘significant impact’ is, various factors will be relevant, including the number of users of the affected services, any impact on economic activities or public safety, the dependency of other sectors on the services provided by the affected entity, and the geographic spread of the area that could be affected by an incident. Operators are expected to be given 72 hours for incident reporting, mirroring the reporting requirements for data breaches under GDPR.
The government proposes to delegate supervisory cybersecurity powers to the Department for Business, Energy and Industrial Strategy, supported by Ofgem in the electricity and gas (downstream) sectors and the Health & Safety Executive in the gas (upstream) and oil (both upstream and downstream) sectors.
These powers are to include designating operators of “essential services”, publishing guidance, auditing operators, investigating the causes of an incident and notifying the public about an incident. The authorities will have sole responsibility for enforcement. The National Cyber Security Centre will continue to be the UK’s centre of excellence for all cyber-security matters, publishing guidance and assessment tools to support authorities and operators.
The NIS Directive also requires that the UK establishes a national Cyber Emergency Response Team, which (in co-operation with other European national response teams) will be responsible for monitoring incidents at a national level, providing warnings, alerts and announcements, and responding to risks, threats and incidents. The government has confirmed that the National Cyber Security Centre will also take responsibility for providing this UK cyber response team, which will be known as the Computer Security Incident Response Team.
In its response to the consultation, the Government has stressed that operators “will be given the time to implement necessary security measures”, with the main responsibility of authorities being to get a clear picture of cyber-security during the first year of the NIS Directive being in force. However, operators are expected to have begun reviewing their existing cyber-security capability in order to understand where further work is required. Operators will be directed to the National Cyber Security Centre’s Cyber Assessment Framework as the basis of such assessments.
In contrast to GDPR, which will be directly implemented into UK law, the NIS Directive provides the UK government with some flexibility around implementation. With regards to fines for non-compliance, the government’s initial proposal mirrored the sanctions provided for under GDPR (up to €20 million or 4 per cent of global turnover, whichever is higher) for failing to ensure effective security.
Following “significant feedback” during consultation that the proposed penalty regime was potentially disproportionate compared with other European member states, the percentage-of-global-turnover element has been removed. The government’s revised proposal is an upper limit of €20 million to cover all NIS Directive contraventions.
A press release published by the Department for Culture, Media and Sport (DCMS) suggested that it may be possible for an operator to be fined under both the NIS Directive and the GDPR for the same event; the government has affirmed this on the basis that ‘the penalties might relate to different aspects of the wrongdoing and different impacts’. This means that operators of essential services that suffer a serious loss of personal data through a cybersecurity incident could be fined twice for the same breach, and highlights the paramount importance of ensuring appropriate organisational security.
General Data Protection Regulation
One of the aims of the General Data Protection Regulation (GDPR) is to update and improve cultural attitudes towards data protection. In respect of the energy sector, progression is being propelled by technology, which opens a raft of opportunities (such as smart meters) aiming to provide consumer benefits by increasing competition and revealing accurate records of consumer data.
The increase in the availability of data must be afforded adequate protection; this is likely to mean a significant increase in data protection standards for most organisations within the energy sector. The increased focus on ‘accountability’ under GDPR requires organisations not only to comply with the legislation but to demonstrate their compliance. This will require careful consideration to ensure that security is not a one-off ‘tick-the-box’ compliance exercise but is an active, ongoing and managed process.
In line with the NIS Directive, GDPR also puts obligations on organisations to ensure that appropriate technical and organisational measures are put in place to protect personal data. As well as preventing cyber-security issues, the aim is also to promote confidence through transparency, which would be extremely beneficial for utility providers in the energy sector seeking to build trust.
Implications for the energy sector
As technology used in the energy sector continues to progress and develop, adherence to cyber-security law will continue to be a significant issue. Utilising technologies such as smart metering or responsive grid switching and management systems brings new efficiencies.
However, as such technologies require network connectivity, ensuring cybersecurity will be of paramount importance. The trend towards decentralised power plants, small-scale flexible gas power plants and solar panels on homes could create issues.
This could be because there are possibly less sophisticated cyber defences in place. Others note that the digitalisation of the electricity grid and the proliferation of renewable energy have tempted hackers with new opportunities.
The sheer volume of data that is available now through connected devices such as smart meters installed in houses, and solar panels which connect to satellites and monitor energy usage, has made the energy industry appear more lucrative and prone to cyber-attack. The damage to business reputation will also be a key reason for energy companies wanting to protect themselves.
A recent PricewaterhouseCoopers survey found that of 500 businesses questioned, 65 per cent of UK businesses were “significantly concerned” over cyber risks to energy technology and three out of five would switch energy supplier if they suffered a cyber breach.
2018 will be an important year for the energy sector as it seeks to address compliance with both the NIS Directive and GDPR. The big challenges will stem from the proliferation of end user data in the sector, its allure and appeal to attackers and compliance with new legislation. IT teams will need to continue to be aware of, and responsive to, cyber-security risks and should seek to ensure that any cyber-security strategies are compliant with both the NIS Directive and GDPR.
With regards to opportunities, this is a good time for organisations to carefully consider their obligations and transparently present action plans for cyber-security and data protection compliance.
As highlighted above, transparency will lead to greater trust, investment and rapport with consumers. This is important as the traditional position of consumers being wedded to one utility provider is shifting, with enhanced regulation of competition making it easier for consumers to switch providers and receive the best deals.
Organisations in the energy sector should now keep watch for the government’s draft NIS legislation, and ensure that internal processes and security standards are compliant.
David Varney is Senior Associate in the corporate team at independent UK law firm Burges Salmon