Ofgem has published guidance for Operators of Essential Services ("OES") in the energy sector.
The guidance aims to support OES with meeting their cyber security obligations under The Network and Information Systems Directive ("NIS Directive") and the implementing UK law, The Network and Information Systems Regulations 2018 ("NIS Regulations").
The NIS Regulations came into force for the water, health, transportation, digital and energy sectors on 10 May 2018, with the aim of increasing the overall cyber-security and cyber resilience of OES, in relation to the network and information systems that support the delivery of essential services.
Compliance by OES with the NIS Regulations will help to ensure they manage risks effectively and prevent or minimise the impact of incidents on the essential service.
To assist OES with meeting their obligations, the NIS Regulations identify relevant Competent Authorities (“CAs”), and provide them with powers and responsibilities. Ofgem is designated as a joint CA with the Department for Business, Energy and Industrial Strategy ("BEIS") for the Downstream Gas and Electricity sectors in Great Britain.
Ofgem recognises that cyber security is a developing area and as such that the guidance represents the first in a developing strategy, outlining Ofgem's initial approach.
It is expected that the guidance will assist OES with understanding their duties and ensuring compliance with the NIS Regulations. This will be further achieved through partnership and collaboration between OES and Ofgem.
The guidance is broken down into three sections: Approach, Cyber Incidents and Enforcement.
Ofgem have set out a series of activities that OES are expected to complete, to assess and demonstrate compliance with the NIS Regulations. These include:
- Scoping of self-assessment;
- Self-assessment; and
- Identifying and implementing improvement plans.
OES are expected to submit self-assessments by 15 February 2019 for each of the essential services that they provide.
If appropriate, Ofgem may review the self-assessments and seek further information or clarification from OES. The scoping performed and previously submitted to Ofgem in October 2018 should be appended to the self-assessment report to provide context, and used by OES to define the parameters of their self-assessment.
Once a self-assessment has been reviewed, OES may need to develop improvement plans to mitigate risks that require treatment. To assist with this, OES may request workshops with Ofgem. Once completed, OES should submit their improvement plan to Ofgem by 30 April 2019.
If necessary, Ofgem can develop and carry out an audit and inspection regime of the OES.
OES are expected to engage directly with Ofgem, and to raise any queries they have on how to apply the self-assessment at the earliest opportunity.
The guidance outlines procedures for incident reporting, incident recovery and post-incident investigation.
OES can use the guidance to understand which incidents they should report, why reporting incidents is useful, and the time limits and procedures they should follow.
Ofgem is in the process of developing its approach for any future enforcement action it takes when an OES fails or is failing to meet the duties set out in the NIS Regulations.
It is expected that given the collaborative approach between Ofgem and OES, enforcement actions in respect of a breach of OES’ security duties will not be an initial priority, unless it is necessary in the circumstances of a particular case.
However, the guidance concludes that any enforcement action will be dealt with on a proportionate basis, which takes account of the seriousness of any contravention(s) of an OES’ duties under the NIS Regulations.
This guidance follows more general guidance for the energy sector in respect of the NIS Regulations published by BEIS on 2 July 2018.
The publication of Ofgem guidance provides clarity and direction for OES under the NIS Regulations. OES are also now required to adhere to a timeline to demonstrate their compliance and to work with Ofgem to make any necessary changes.
Co-authored by Laura Bilinski