UK's 'Energy Cyber Quad' seeks to future-proof the resilience of national power infrastructure

January 16, 2026

Operators of Essential Services (OES) in the UK are being advised to attend upcoming workshops run by the UK's energy regulator Ofgem as it starts to develop a 'whole-system approach' to strengthening gas and electricity cyber resilience.

Energy systems are transforming rapidly across the world, and the UK is part of the move away from centralised power generation towards distributed systems that include a range of renewable energy sources and micro generation capabilities spread across cities and operated by smaller entities.

The UK's Net Zero commitment is driven by clean power ambitions that will see an evolution to decentralised energy operations that may introduce new cyber risks.

The country's energy cyber strategy sets clear expectations for the cyber resilience of all operators, not just the largest, with the aim of improving the security of the whole system. Because current NIS-driven regulations focus on critical operators, smaller and emerging operators may fall outside the current scope of regulation.

A new Energy Quad partnership

Ofgem and the government's Department of Energy Security and Net Zero (DESNZ) are now working alongside NCSC UK and the National Energy System Operator (NESO) on a new approach to cyber resilience through the Energy Cyber Quad partnership. This teaming of four specialist agencies will be focused on strengthening cyber resilience and security across the UK's energy system.

DESNZ recently launched a new Energy Security and Resilience Taskforce with CEOs of the country's critical operators as a key forum to collectively discuss threats. The agency is joint Competent Authority with Ofgem under the Network and Information Systems (NIS) Regulations, driving cyber resilience standards for the country's most critical operators.

Current and future energy sector regulations

The existing NIS Regulations place legal obligations on energy providers to protect the UK's critical services by improving cyber security. These came into force on 10th May 2018 and a necessary updated replacement - the Cyber Security and Resilience Bill - is currently working its way through the legislative process in Parliament.

Ofgem's objectives are threefold: to protect the interests of consumers, to ensure a secure, sustainable and affordable energy system, and to promote competition and innovation.

Ofgem regulations mandate the operational standards that must be met and include rigorous requirements for energy supply security and infrastructure resilience.

The regulator has placed increased emphasis on cybersecurity efforts to prevent the disruption of energy supply which could impact national security.

Adapting to a future energy reality

Unless transformation is delivered securely, the future energy system's high interconnectivity could allow a single vulnerability, if successfully exploited by an attacker, to ripple across the whole system.

As the energy sector evolves, there is increased risk from this interconnectedness and from the growing number of smaller operators that may not have the necessary protective measures in place.

Ofgem and the Energy Quad partners are now looking to address this need to evolve through early thinking that includes:

✅ Baseline requirements for all Ofgem licensees to protect operators from the most common cyber attacks

✅ Targeted standards for significant operators which will be proportionate to the system impact of different sized operators

These proposals align with the cybersecurity model adopted by the Australian energy sector where an initial Criticality Assessment Tool is used to place operators into bands which determine the security investment and effort required.

AEMO Criticality Bands by Market Role

The Australian Energy Sector Cyber Security Framework (AESCSF) is a voluntary self-assessment tool used by Australian companies to measure and improve their cybersecurity maturity and resilience against cyber threats.

Regulation is tailored to operators based on risk profile and includes guidance for so-called Low Criticality Organisations.

Learn how CNI operators may be impacted by future changes in regulation by signing up to workshops available on the Ofgem website. Attendees will be asked to assess if the current regulatory approach is adequate for the energy system of the future and then collaborate to make UK energy supply more resilient.
