“Always on” is the implicit promise for essential services like energy, water, transportation and health care. It is the standard by which utilities and other infrastructure operators judge themselves.
But in a world of increasing threat vectors, especially in the realm of cybersecurity, “always on” cannot be taken for granted. While businesses and utilities are driven by performance and customer satisfaction, the British government is looking into further incentivising efforts to take a proactive stance.
Proposing to Promote Proactive Measures
In a recent press release from Minister for Digital Matt Hancock, a proposal was spelled out to introduce fines for essential service operators who fail to address cyber threats as well as other risks to resiliency, keeping the United Kingdom in line with the European Union’s imminent Network and Information Systems (NIS) Directive.
“We want the U.K. to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyberattack and more resilient against other threats such as power failures and environmental hazards,” Hancock said.
The proposal calls for fines — as a last resort — of as much as £17 million or 4 percent of global turnover, whichever is greater. Companies and utilities that have already taken steps to address potential systemic weaknesses would be in a much better position.
Incentivising Appropriate Investments
There’s much to be learned from the U.S. experience with the North American Electric Reliability Corp. (NERC) and its Critical Infrastructure Protection (CIP) standards. American regulations were designed and refined to encourage the necessary investment in systems and procedures to stabilise and protect critical infrastructure.
The U.K. uses the RIIO (Revenue = Incentives + Innovation + Outputs) framework of price controls for gas and electricity networks, with the intent to promote efficiencies and a unified approach to capital and operational investment. Cybersecurity, as a proactive measure maintaining network reliability and resilience, should be appropriately incentivised by that framework.
Practical experience and increasing threats have led British regulators to consider adding a stick to the existing carrot approach.
Maintaining Control at the Edge
As the British power market increasingly extends to distributed generation and renewable energy, the need for two-way communication infrastructure on the grid is becoming more urgent. With dispatchable energy resource penetration increasing on the edge of the grid, communications and controls have become ever more critical tools for managing the network. But the further these networks extend, the more risk the owners theoretically bear.
Successful cybersecurity programme implementation comes back to four critical concepts: processes, people, documents and systems. Grounding these concepts in an understanding of utility systems and the way their networks operate lays a foundation for a pragmatic approach. Our experience from the earliest days of regulation, helping U.S. businesses and utilities address cybersecurity and NERC CIP compliance, has given us a lot of globally applicable insights into systemic risks and suitable control options.
Appropriate risk-based analysis considers both the magnitude and the likelihood of the impact from any given threat, leading to informed development of risk mitigation, business practices, training plans, tools, controls, and policies and procedures. As a vendor-agnostic consultant, we recognise that a one-size-fits-all approach is insufficient. Our focus is on applying our breadth of knowledge to help clients quickly find the most appropriate and cohesive integrated solutions to meet the needs of their network.
Interested in learning more about identifying and addressing your systemic cybersecurity risks?