Five key factors influencing a utility’s cybersecurity journey
Enzen Global Limited - UK
Enzen is a global knowledge enterprise focused on making energy and water more accessible, affordable and sustainable.
Due to increasingly complex threat profiles, cybersecurity risks in utilities are evolving at an unparalleled pace. As power and gas distribution networks become progressively more interconnected, the need to stay ahead of these risks is critical. Our Head of Cyber Services Esther Phillips summarises five key factors utilities must consider.
1. The dynamic landscape of cybersecurity threats. Attackers relentlessly seek ways to exploit vulnerabilities and continually reinvent their methods, in particular targeting Operational Technology (OT) systems. This, coupled with the growing interconnection of IT and OT systems in the utilities sector, demands an up-to-date grasp of both direct and indirect cyber threats.
2. Proportionate and effective cybersecurity oversight. Distribution networks are expected to strike a balance in managing cybersecurity risks, ensuring that none of safety, security or resilience is compromised. A foundational step is the clear identification and documentation of critical network and information systems. This enables security measures to be applied precisely and in proportion to the criticality of the assets they protect.
3. Determine the scope of critical systems. What do you decide to safeguard, and how? Ofgem's guidelines steer organisations towards a well-informed, competent decision-making process for defining the scope of critical systems. To ensure adequate protection of key systems and information, this process should be rooted in logic, with stakeholder consultation, board-level discussion and business impact assessment as integral parts.
4. Legal measures. The Network and Information Systems (NIS) Regulations were introduced to bolster the cyber and physical security of the network and information systems that support the delivery of 'essential services', i.e. those vital to sustaining critical societal or economic activities. NIS Regulation 10 defines the responsibilities of Operators of Essential Services (OES):
5. Document and follow a defined process. Utilities are urged to adopt a uniform approach when defining and maintaining their NIS scope. Following established best practice, such as the security risk assessment for system design set out in ISA/IEC 62443-3-2, is highly recommended. All scoping decisions, whether to include or exclude a system, need to be meticulously documented and follow a defined process, supported by the underlying rationale and assumptions, so that each decision can be justified later and revisited when a system or its connectivity changes.
Conclusion
In an era where cybersecurity dynamics are continuously evolving, it is essential for utilities to define a new criticality scope that is aligned with the UK's National Cyber Security Strategy. It is a journey of proactive adaptation, where understanding legal NIS obligations and determining the scope of critical systems effectively will be instrumental in ensuring a secure and resilient future.
If you'd like to discuss the issues raised in this article, contact Esther at [email protected]. For further insights from Esther on safeguarding OT in utilities, visit:
About the author
Esther Bellingham has more than 30 years of industry experience across energy, utilities and manufacturing.
Her specialist areas include cybersecurity, OT security, risk management, cloud security and IT/OT convergence, focused on preparing organisations for Industry 4.0 and beyond.
As Head of Cyber Services at Enzen, she is responsible for developing best-practice cyber solutions for our utility customers so they become the digital utilities of the future.