The UK's 'Cyber Essentials' is a government-backed scheme designed to help organisations protect themselves against common cybersecurity threats.
Cyber Essentials represents the UK Government's minimum baseline standard for cyber security.
The UK's National Cyber Security Centre (NCSC) recommends Cyber Essentials as the minimum standard for every organisation - from micro businesses to large corporations. One statistic alone demonstrates the return on your effort: "92% fewer insurance claims are made by organisations with the Cyber Essentials controls in place."
Companies take part in an annually renewable certification programme aligned to five technical controls designed to prevent the most common internet-based threats.
At the first level of Cyber Essentials, organisations assess themselves against the five controls. Once you have passed Cyber Essentials you can then apply for Cyber Essentials Plus (Level Two), which is a hands-on audit of your in-scope systems to verify the controls in place.
Cyber Essentials certification helps prove to customers that cyber security is a priority in your organisation. It's now required for any company tendering for central and local government contracts and is required for Ministry of Defence suppliers for all of their supply chain that handles defence information.
For energy and water providers classified as Operators of Essential Services (OES) under UK law, Cyber Essentials is just a starting point for reducing cyber risk and ensuring compliance with broader regulatory requirements such as the Network and Information Systems (NIS) Regulations.
For organisations unsure about these types of certification schemes, the central body IASME provides a Cyber Essentials Knowledge Hub to learn about the five security controls and how they apply to a business of any size.
The five controls are:
1. Firewalls
2. Secure Configuration
3. Security Update Management
4. User Access Control
5. Malware Protection
Energy and water providers face unique risks due to the convergence of IT and OT systems, complex supply chains, and the critical nature of their services.
Compliance with Cyber Essentials supports alignment with the far more complex NIS Regulations, with both frameworks requiring a risk-based approach to cyber security.
The Network and Information Systems Regulations 2018 were introduced in response to the increased reliance on technology by businesses delivering essential services. The Regulations apply to those Operators of Essential Services (OES) operating in the energy, oil, transport, health care, drinking water and digital infrastructure sectors.
The Regulations contain two core duties for OES:
1. To take appropriate and proportionate technical and organisational measures to manage risks and minimise the impact of incidents affecting their network and information systems; and
2. To notify any incident which has a significant impact on the continuity of essential services to the relevant competent authorities.
Failure to comply with the Regulations can lead to regulatory enforcement, including financial penalties ranging from £1 million to £17 million. Regulators also have the power to take steps to inspect compliance.
In the energy sector, compliance with the Regulations, and any subsequent enforcement, is handled by the regulator Ofgem. Ofgem has published guidance on using the NCSC Cyber Assessment Framework (CAF) to assess compliance, and has released a 'CAF Overlay' which provides more detail on how the CAF's general principles relate specifically to the actions and behaviours that demonstrate compliance in the energy sector.
By systematically applying Cyber Essentials, energy and water providers can reduce their exposure to common cyber threats, improve resilience, and begin to demonstrate compliance with UK regulatory expectations for critical national infrastructure.