Citing the need for new tools and techniques, the UK’s regulator for gas and electricity markets is heading to market to trial the latest automated cybersecurity model, which will help it reduce the vulnerability of Operators of Essential Services (OESs) and fulfil its NIS Directive obligations.
Ofgem is concerned about its understanding of the level of security within its cyber-physical systems (CPS), as securing these assets involves tackling a number of components across IT and OT, the security architecture of the OESs and of Ofgem itself, not to mention the physical design of its systems.
In its market tender, valued at a modest £20,000-£52,000 for a trial run, Ofgem states: “Typically, no individual has a full understanding of all aspects but the CPS security depends upon how they integrate together.”
“Good models also provide a way of capturing system information such that it is retained within a security team even as the team members change over time,” the tender adds.
“Models can also support constructive debate between OESs and regulators on the level of system security and how best to reduce cyber risk,” states Ofgem.
Ofgem Cybersecurity and Network and Information Systems (‘NIS’) Directive
On 10 May 2018 the Network and Information Systems (‘NIS’) Directive became UK law. These regulations laid out new requirements and duties for OESs that aim to shore up the cybersecurity of the operators to a common level of network security.
Part of that directive is that regulators for each subsector of critical industry are appointed. In its annual report Ofgem notes that working with the Department for Business, Energy and Industrial Strategy it has: “Agreed to be the UK joint Competent Authority (CA) to regulate cyber resilience for downstream gas and electricity, while maintaining our Competent Authority role for the UK Smart Energy Code.”
While a ‘digital infrastructure subsector’ has not yet been properly defined, Ofgem is tasked with ensuring that OESs submit the correct self-assessment reports to the authority. If an incident occurs, OESs must report it to the NCSC, and they are also required to file a report with Ofgem if the breach escalates into a NIS reportable incident.
A major part of that directive for Ofgem is the requirement to map out critical network and information systems, such as distributed control systems, supervisory control and data acquisition (SCADA) systems, gas turbine control systems, water treatment plant systems and communication systems, to name but a few.
In its annual report Ofgem states that: “Our strategy is to establish a consultative and collaborative partnership with the Operators of Essential Services (OES)… in order to encourage engagement, innovation and improvement.
“Additionally, we are strengthening our internal capabilities for data governance and protection, cyber operations, assurance and architecture.”