New cybersecurity legislation is coming soon, and those in the energy sector must be up to speed, warns David Varney

Last year, various cyberattacks in the UK made headlines around the world: Equifax, the NHS WannaCry ransomware attack, hackers preventing MPs from accessing emails, and threats from state-sponsored hackers.

Cybersecurity is a topic that is high on the agenda of businesses in the energy sector. Growing reliance upon online and smart technologies is leading to greater risk of vulnerabilities to critical infrastructure.

From a policy and legislative perspective, the European Commission published a cybersecurity package in September 2017 which proposed more scrutiny of software and other components used to monitor industrial control systems.

More specifically, the Commission released a paper titled ‘Cybersecurity in the Energy Sector’ in February last year which identified the strategic challenges and specific needs for cybersecurity in the energy sector.

The energy sector is an area of particular concern for cybersecurity authorities as the industry continues to embrace the Internet of Things with smart metering and other networked technologies which bring about potential vulnerabilities.

The ‘Cybersecurity in the Energy Sector’ report was published in 2017 by the Energy Expert Cyber Security Platform (EESCP), an expert group which provides guidance or recommendations to the European Commission in respect of the energy sector. This report stressed the need for the energy sector to address the major challenges of cyber threats and the requirements for cybersecurity to be appropriately addressed.

The report confirmed that two major pieces of European legislation implement the baseline for cybersecurity across member states: the Directive on security of Network and Information Systems (NIS Directive) and the General Data Protection Regulation (GDPR).

The EESCP Report concluded with four key strategic priorities, but highlighted that success hinged on the ability and willingness of different stakeholders to cooperate and collaborate. Key recommendations for energy providers related to implementing a threat and risk management system, establishing an effective cyber-incident response network, improving resilience to cyberattacks and ensuring technical and human capacity and competence to address cybersecurity issues in the energy sector.

The NIS Directive

The energy sector should also be aware of the Network and Information Systems (NIS) Directive, which is due to be implemented into national law across Europe in May this year.

The UK government is yet to publish its draft implementing legislation, but has confirmed that, regardless of Brexit, it will still implement the NIS Directive into UK law.

To catch the attention of organizations whose activities fall within the scope of the NIS Directive, the government consultation paper proposed fines of up to €20 million euros or 4 per cent of global turnover (whichever is higher) for breach of the NIS regime, mirroring the more-widely publicized significant sanctions of GDPR.

Along with certain other regulated sectors, the energy industry will need to be aware of the impact of the NIS Directive, which is due to come into force in the UK by 9 May. The NIS Directive requires that operators of “essential services” will need to increase the security of network and information systems.

As with other legislation (such as the Bribery Act 2010 and Modern Slavery Act 2015), there will be an onus on providers to ensure compliance through their supply chains and so necessary due diligence must be carried out to ensure compliance when appointing subcontractors.

To satisfy obligations relating to security, businesses must ensure that appropriate and proportionate technical and organizational measures are taken in respect of managing any risks to the network and information systems. Operators are required to report incidents which affect the security, provision, confidentiality and integrity of the service: there are thresholds which limit the reporting of incidents to only those which have a “significant impact of the continuity of essential services”.

When considering what a ‘significant impact’ is, various factors including the number of users of the affected services, any impact on economic activities or public safety, the market share of the affected entity and the geographic spread of the area that could be affected by an incident will need to be considered.

The government proposes to delegate supervisory cybersecurity powers to the Department for Business, Energy and Industrial Strategy (BEIS), and possibly Ofgem. Supported by the National Cyber Security Centre, these authorities will be responsible for publishing cybersecurity guidance as it applies to the energy sector, incident reporting, taking decisions as to publicizing incidents and taking enforcement action against cybersecurity breaches.

The NIS Directive also requires that the UK establishes a national Cyber Emergency Response Team, which (in cooperation with other European national response teams) will be responsible for monitoring incidents at a national level, providing warnings, alerts and announcements, and responding to risks, threats and incidents. The government has confirmed that the National Cyber Security Centre will also take responsibility for providing this UK cyber response team.

In contrast to GDPR, which will be directly implemented into UK law, the NIS Directive provides the UK government with some flexibility around implementation. With regards to fines for non-compliance, the government’s proposals have mirrored the sanctions provided for under GDPR for failing to ensure effective security.

Further, the Department for Culture, Media and Sport (DCMS) published a press release which suggested that any fine issued for breach of the NIS Directive would be separate from, and in addition to, any fines issued under GDPR. This has the potential for operators of essential services that suffer a serious loss of personal data through a cybersecurity incident to be fined twice for the same breach and highlights the paramount importance of ensuring appropriate organizational security.

Protecting data

One of the aims of the General Data Protection Regulation (GDPR) is to update and improve cultural attitudes towards data protection. In respect of the energy sector, progression is being propelled by technology, which opens a raft of opportunities (such as smart meters) aiming to provide consumer benefits by increasing competition and revealing accurate records of consumer data.

The increase in the availability of data must be afforded with adequate protection. This is likely to mean a significant increase in data protection standards for most organizations within the energy sector. The increased focus on ‘accountability’ under GDPR requires organizations to not only comply with the legislation but to demonstrate their compliance. This will require careful consideration to ensure that security is not a one-off ‘tick-the-box’ compliance exercise but is an active, ongoing and managed process.

In line with the NIS Directive, GDPR also puts obligations on organizations to ensure that appropriate technical and organizational measures are put in place with regards to protecting personal data. As well as preventing any cybersecurity issues, the aim is also to promote confidence through transparency which would be extremely beneficial for utility providers in the energy sector to build trust.

Implications for the energy sector

As technology used in the energy sector continues to progress and develop, adherence to cyber-security law will continue to be a significant issue. Utilizing technologies such as smart metering or responsive grid switching and management systems brings new efficiencies.

However, as such technologies require network connectivity, ensuring cybersecurity will be of paramount importance. The trend towards decentralized power plants, small-scale flexible gas power plants and solar panels on homes could create issues.

This could be because there are possibly less sophisticated cyber defences in place. Others note the digitalization of the electricity grid and proliferation of renewable energy which has tempted hackers with new opportunities.

The sheer volume of data that is available now through connected devices such as smart meters installed in houses, and solar panels which connect to satellites and monitor energy usage, has made the energy industry appear more lucrative and prone to cyberattack. The damage to business reputation will also be a key reason for energy companies wanting to protect themselves.

A recent PricewaterhouseCoopers survey found that of 500 businesses questioned,
65 per cent of UK businesses were “significantly concerned” over cyber risks to energy technology and three out of five would switch energy supplier if they suffered a cyber breach.

Upcoming challenges

2018 will be an important year for the energy sector as it seeks to address compliance with both the NIS Directive and GDPR. The big challenges will stem from the proliferation of end user data in the sector, its allure and appeal to attackers and compliance with new legislation. IT teams will need to continue to be aware of, and responsive to, cybersecurity risks and should seek to ensure that any cybersecurity strategies are compliant with both the NIS Directive and GDPR.

With regards to opportunities, this is a good time for organizations to carefully consider their obligations and transparently present action plans for cybersecurity and data protection compliance.

As highlighted above, transparency will lead to greater trust, investment and rapport with consumers. This is important as the traditional position of consumers being wedded to one utility provider is shifting, enhanced regulation of competition making it easier for consumers to switch providers and receive the best
deals.

Organizations in the energy sector should now keep watch for the government’s draft NIS legislation, and ensure that internal processes and security standards are compliant.

David Varney is Senior Associate in the corporate team at independent UK law firm Burges Salmon