Operators of essential services are under a legal obligation to protect themselves from cyber attack, but some utilities are sleepwalking into non-compliance, as Rachel Willcox reports.

The magnitude, frequency and sophistication of cyber attacks is increasing, so the introduction of legislation to beef up the resilience of essential services, including utilities, is welcome. However, experts are warning that the growing interconnectivity of systems across the supply chain means that many will likely struggle to gauge the true extent of the risks they face.

The network and information systems (NIS) regulations – the first formal cyber security regulations for the utilities sector – were adopted into law on 10 May last year.

Under these regulations, operators of essential services should have submitted a self-assessment on their state of readiness to the relevant competent authority by 15 February this year (Ofgem in the case of the energy sector; the DWI for water companies). Those will be judged against the 14 principles outlined by the cyber assessment framework developed by the National Cyber Security Centre, and operators may be required to develop plans for better risk mitigation.

The need to protect against cyber-attacks reached new levels of urgency after a study published by Corero Network Security in May last year found that more than two-thirds of UK critical infrastructure organisations had suffered service outages on their IT networks in the previous two years. A third of these outages were believed to have been caused by cyber attacks.

Mary-Jo de Leeuw, director of cyber security advocacy EMEA at not-for-profit cyber security certification consortium (ISC)2, warns that lack of awareness across the utility sector is a huge challenge, “both in terms of what parts of their operations the NIS regulations apply to, and what specifically needs to be done to comply with the regulations”.

Recent studies suggest that only 16 per cent of cyber security professionals overall are fully aware of the NIS regulations.

The deadline for submitting improvement plans is 30 April, although Andrew Harts­horn, partner and information law specialist at law firm Shakespeare Martineau, warns that the response of each of the competent authorities has varied, so the rules may not be interpreted consistently across sectors.

“Operators of essential services also need to update their governance and processes to ensure that any changes to networks and information systems are considered from a risk perspective,” he says. “However, all organisations need to understand data flows both inside and outside of their business to ensure that sensitive data is appropriately protected and access limited.”

The initial assessment of vulnerabilities and processes is a huge task. As with GDPR (the Europe-wide general data protection regulation, which came into force last year), it’s likely that many organisations are finding that the closer they look into their systems and processes, the more challenges they find, Hartshorn warns.

He believes some organisations will struggle to pull together information about data flows and understand how subcontractors and complex supply chains can expose vulnerabilities. “Compliance also relies on understanding within the employee base,” he points out. “Not everyone will understand from the outset what the impact of the regulations is, and the importance of following processes, procedures and policies.”

Best practice

Justin Lowe, digital trust and cyber security expert at PA Consulting, says operators should make sure they understand which parts of their operation fall within the scope of the regulations, and which systems and assets directly or indirectly support these operations, including in their supply chain.

“Operators should then understand what security controls are in place for those critical systems and assets, what gaps there are against best practice, and what risk these present to the essential services they provide,” he adds. “This will provide a good foundation for defining a regulation compliance programme, together with the associated costs that would need to be included within their regulatory price control business planning activities.”

Ofgem and the DWI remain tight-lipped about how advanced utilities are in meeting the requirements of the regulations, prompting some experts to speculate that progress has been patchy. Energy companies are particularly alive to the threat of a security breaches because there have been a number of high-profile attacks, such as the power outages that affected hundreds of thousands of people in Ukraine in 2015 and 2016 following a cyber attack by the Dragonfly cyber espionage group. However, there are concerns that the water industry may be trailing in its preparations.

Paul Knott, a security strategist at cyber security software and service provider Symantec, warns that the operational technology within critical infrastructure companies usually presents the highest risk. “Some systems that were never intended to be connected have now been connected, and that presents risks,” he says.

Meanwhile, the security risks posed by the proliferation of Internet of Things devices relating to smart energy, such as light
bulbs, white goods, batteries and electric vehicle chargers, pose a growing risk to the stability of the transmission and distribution systems.

Skills shortages

Another likely challenge to meeting the requirements of the regulations is the availability of suitably skilled cyber security professionals. Government-commissioned research published in December found that more than half of businesses and charities have a basic cyber security skills gap, and the Center for Cyber Safety and Education forecasts a global shortfall of 1.8 million workers in the information security sector by 2022.

Organisations also need a fall-back plan in case their personnel and technology fail to repel an attack on infrastructure, de Leeuw says. “Organisations must have a clear response and recovery planning – and plans for continuous improvements to current systems.”

Mo Ahddoud, chief information security officer at gas distributor Scotia Gas Networks, says he believes the regulations are 100 per cent fit for purpose and have helped organisations to reflect on whether they have the appropriate controls to protect against the threats they face.

“Conceptually, when you look at what they are trying to achieve, we can only advocate it,” he says. “The challenge boils down to specific interpretation. Can you show evidence that you are complying with your acceptable risk threshold? If not, that’s something you could be criticised for.”

What are NIS regulations?

NIS regulations set out broad principles that require the operators of essential services to put “appropriate and proportionate” measures in place to implement and proactively manage cyber security.

A spokeswoman for Ofgem tells Utility Week: “Operators will be required to engage in appropriate cyber risk management, report major cyber incidents that threaten supply, and take action to rectify those incidents. To fulfil this role, we have been given new powers to request information, to audit operators of essential services, to assess their security and resilience, to issue binding instructions on operators, and to fine operators if appropriate.”

The regulations also cover other threats affecting IT, such as power outages, hardware failures and environmental hazards. Organisations need to understand vulnerabilities and points of weakness not just in their own systems but also in any supply chain systems that interface with their own. A reporting system has also been set up to make it easier to report cyber breaches and IT failures.

In the energy sector, the regulations apply to suppliers with more than 250,000 customers, transmission and distribution network operators with the potential to cause disruption to more than 250,000 final customers, and generators with more than 2GW of capacity. There are also provisions for operators of interconnectors.

“So far we have more than 50 operators captured, varying from generation, transmission, distribution, supply and gas storage,” an Ofgem spokeswoman says.

The threshold requirement set by the Drinking Water Inspectorate (DWI) applies to any UK company that supplies potable water to 200,000 or more people.