Hardening critical national infrastructure against cyber security threats has become a top priority for countries around the globe, and in the UK there’s new urgency for the energy sector to achieve NIS Regulations (Network Information Systems) compliance.
As the UK's independent energy regulator, the Office of Gas and Electricity Markets (OFGEM) has set a deadline of the end of the year for operators to meet the Energy Sector baseline profile of NIS compliance. OFGEM has the power to require the disclosure of information, impose fines, and enact enforcement orders on energy companies they find to be non-compliant with NIS.
This has put many risk and compliance leaders in the sector under pressure, but rest assured there’s no reason to panic. Not only do you have time to prepare, but NCC Group can help energy operators achieve NIS compliance way ahead of the deadline. We're here to help ensure the lights stay on not just across the UK, but across the globe - as these types of regulations proliferate across boundaries.
To help UK energy operators get a handle on NIS compliance, we’ve compiled an easy-to-follow guide with five key considerations around UK energy sector NIS compliance, along with some tips to set you on the right path.
Step 1: Understand that compliance = business resiliency
Beyond compulsory compliance, securing critical power infrastructure against cyberattacks is also just good for business. As typical targets like banking and financial services have hardened their defences, threat actors, including both state and criminal are moving on to the next tier of targets including energy, utilities, Critical National Infrastructure (CNI), manufacturing and more. This risk is compounded by the ‘Energy War’ occurring across Europe right now as a result of the ongoing Ukraine conflict.
For many industries that experience an attack, it's easy enough to isolate the affected systems and take them offline for two or three days to remediate the problem. That's not the case in a power station, where people’s lives, global commerce, and the security of social order depend on the availability of electricity.
Not to mention, the consequences of non-compliance with NIS regulations include fines of up to £17million. That’s in addition to the heightened potential for regulatory scrutiny, reputational damage, and increased risk of a physical, or cyber attack on operational technology assets.
That means achieving NIS compliance is more than just a "tick-box exercise". It can- and should be- part of a broader approach to improving system reliability, protecting core assets, and ensuring business resilience and continuity.
Step 2: Finding "bi-lingual" support is critical
Everyone is aware of cyber security risks—no one wants to have their email hacked or fall victim to a phishing attack. As a plant operator or engineer, we understand that cyber security isn’t necessarily your primary language, nor your top priority. Your job is to keep the power flowing.
This is where we come in. Our Operational Technology (OT)/Industrial Control Systems (ICS) Practice team is well-versed in all things cyber security, including the latest on threat intelligence, attack vectors, cyber defense strategies, incident response, remediation, and of course, compliance. Going beyond cyber domains, however, we also speak your language: power generation and transmission.
With over 30 years of experience working across all industries and sectors, our risk and governance experts understand the technical challenges, limitations, and business priorities across the energy sector.
Working with a “bi-lingual” compliance partner like NCC Group can put your mind at ease through clear communication and knowledgeable guidance. We'll help you achieve NIS compliance and improve critical infrastructure security faster... without disrupting your entire operation.
Step 3: Take a risk-based approach
Achieving NIS compliance is based on meeting the NCSC’s Cyber Assessment Framework (CAF), which covers four main objectives and a wide range of controls from governance, policies, and procedures to asset and supply chain management, from access and identity controls to data security, from staff training and backups to incident alerting, response, and recovery.
There’s a lot to cover, but not every control applies to every part of your operation. For example, a substation with no network connectivity may not need two-factor authentication, but it would need to prioritize physical security.
NCC Group’s OT/ICS team can help you create and execute a customized, risk-based compliance plan based on your infrastructure, assets, and requirements, then support you in presenting and justifying that plan to a competent authority. Our comprehensive approach includes a complete inventory of your network infrastructure, devices, systems, policies, and procedures to build a compliance-based program that makes sense and provides cost-effective, risk-driven, and pragmatic recommendations.
Step 4: Cover the entire technology lifecycle
IT advancements tend to progress a bit slower in power stations compared to other industries. By association, cyber controls also tend not to be as advanced as they could be. That means it’s highly likely that some power stations and transmission sites have significant and often critical systems running on unsupported legacy hardware. Every new, costly piece of hardware or rebuild introduces new vulnerabilities on top of existing ones.
The introduction of the Industrial Internet of Things (IIoT) and cloud computing has made things even more complicated; what was once air-gapped from the outside world now must be connected as we move to IT/OT convergence.
For instance, network access is required on every single wind turbine to allow third parties to perform predictive maintenance—not to mention cloud-based systems that enable remote monitoring access on generation and transmission infrastructure. The priority for those connections is all about system uptime, but there are also attack vectors that result in additional and often significant risks to the availability of critical systems.
With such a wide range of hardware and systems to cover, it might feel overwhelming to bring all these systems into compliance, but we have you covered. Our team has the depth of experience to retrofit controls into systems that pre-date these modern requirements.
Step 5: Think beyond compliance
Certainly, meeting the impending mandate should be the top priority, yet scrambling to achieve compliance and then letting it all fall apart until the next audit is not only risky but also very inefficient. That’s especially true considering the requirements now in place to achieve baseline profile compliance have been subsequently enhanced.
Instead of feeling as though you’re in a constant race to catch up, a more beneficial strategy is to use this mandate as an opportunity to implement proactive programs that maintain your security posture and periodically test your defences.
Compliance means business resiliency, and now is a great time to implement sound policies to lower your risk, increase assurance, and maintain operational continuity.
NCC Group’s OT/ICS Practice team has the certified expertise and solutions to not only conduct compliance assessments but provide ongoing support from routine penetration testing to incident response. We become an extension of your team, delivering the critical cyber security support you need so you can concentrate on what you do best- powering the nation.
About the author
We're helping our clients make downtime unimaginable.
Start a discussion with one of our experts to learn more about NIS compliance and NCC Group’s OT/ICS practice.