February 3, 2020

Ofgem’s Cybersecurity Chiefs Want To Trial An Automated Analysis Model

"Wishes to reduce the cyber risk of disruption to essential services"

By CBR Staff Writer

Citing the need for new tools and techniques, the UK’s regulator for gas and electricity markets is heading to market to trial the latest automated cybersecurity model that will help it reduce the vulnerability of Operators of Essential Services (OESs), and fulfill its NIS Directive obligations.

Ofgem is concerned about its understanding of the level of security within its cyber-physical systems (CPS), as securing these assets involves tackling a number of components across IT and OT, the security architecture of OESs and Ofgem itself, not to mention the physical design of its systems.

In its market tender, valued at a modest £20,000-£52,000 for a trial run, Ofgem states: “Typically, no individual has a full understanding of all aspects but the CPS security depends upon how they integrate together.”

“Good models also provide a way of capturing system information such that it is retained within a security team even as the team members change over time,” the tender adds, noting that “no individual has a full understanding of all aspects but the CPS security depends upon how they integrate together.”

“Models can also support constructive debate between OESs and regulators on the level of system security and how best to reduce cyber risk,” states Ofgem.

Ofgem Cybersecurity and Network and Information Systems (‘NIS’) Directive

On the tenth of May 2018 the Network and Information Systems (‘NIS’) Directive became UK law. These regulations laid out new requirements and duties for OESs that aim to bring the operators’ cybersecurity up to a common level of network security.

Part of that directive is that regulators are appointed for each subsector of critical industry. In its annual report, Ofgem notes that, working with the Department for Business, Energy and Industrial Strategy, it has: “Agreed to be the UK joint Competent Authority (CA) to regulate cyber resilience for downstream gas and electricity, while maintaining our Competent Authority role for the UK Smart Energy Code.”


While a ‘digital infrastructure subsector’ has not been correctly defined as of yet, Ofgem is tasked with ensuring that OESs are submitting the correct self-assessment reports to the authority. If an incident occurs, OESs have to report to the NCSC, but they are also required to file a report to Ofgem if the breach escalates into a NIS reportable incident.

A major part of that directive for Ofgem is the requirement to map out critical network and information systems such as distributed control systems, supervisory control and data acquisition systems, gas turbine control systems, water treatment plant systems and communication systems, to name but a few.

In its annual report Ofgem states that: “Our strategy is to establish a consultative and collaborative partnership with the Operators of Essential Services (OES)… in order to encourage engagement, innovation and improvement.

“Additionally, we are strengthening our internal capabilities for data governance and protection, cyber operations, assurance and architecture.”
