There is arguably no more significant element of a nation’s critical infrastructure than its energy supply. The importance of the energy sector makes it a high profile target for threat actors. The disruption caused by the Colonial Pipeline ransomware incident in 2021 exhibited the impact of a successful cyber attack on energy infrastructure.
Therefore, it is unsurprising that increasing the resilience of the UK’s critical national infrastructure, including energy, is a pillar of the UK’s National Cyber Strategy (“NCS”). From an energy perspective, any increased focus on cyber security resilience must be studied through the lens of the Government’s efforts to achieve Net-Zero and moves towards energy independence. These proposals necessitate moves to renewable energy sources, and the introduction of new services and products to aid smart energy systems.
From a cyber security perspective, transitioning to smart energy systems will create interactions between established sectors and largely unregulated areas. These interactions, unless governed correctly, will pose additional cyber risk. The NCS acknowledges this, highlighting there must be the development of a “proportionate regulatory framework to ensure that the future smart and flexible energy system the UK requires to deliver Net Zero will be secure and resilient to cyber threats.”
Looking to this future, how is the UK Government seeking to ensure future smart energy systems are protected from cyber attack?
NIS Regulations and load controllers
The Network and Information System (“NIS”) Regulations contain a series of legal requirements directed at certain organisations, identified as Operators of Essential Services (“OES”) to ensure their cyber and physical resilience are at the appropriate level. The definition of OES includes the ‘electricity subsector’ covering those providing the services of electricity supply, transmission or distribution above certain thresholds.
As noted in our February 2023 article, following a consultation commenced in January 2022, the Government confirmed in November 2022 that updates to the NIS Regulations will be made as soon as Parliamentary time allows. These proposed changes include proposals to future-proof cyber security legislation including the NIS Regulations.
The proposals include the creation of new delegated powers allowing the Government to change the scope of the NIS Regulations to include new sectors subject to consultation and assessment. Those sectors given as possible candidates for inclusion included “organisations providing aggregation services in the energy sector, energy management and demand response services (e.g. electric chargepoint operators) [and] heat pumps…”
These proposals must be considered alongside the progression of the Energy Bill, introduced in July 2022; the Bill is currently at report stage in the House of Lords. The Bill will make enabling provisions to allow the Government to establish a new regulatory framework for smart energy. The Government commenced a consultation, ‘Delivering a smart and secure electricity system’, shortly after on how those enabling powers would be implemented.
In a smart energy system, consumers may be rewarded for using electricity at ‘off-peak’ times by saving money on their energy bills. This is termed Demand Side Response (“DSR”) and is integrated into the system via signals to Energy Smart Appliances (“ESAs”) through a process known as ‘load control’. Those carrying out this action referred to as ‘load controllers’. Load controllers will provide an essential service in smart energy systems yet increase the need for digitisation and remote energy management. This poses a cyber security risk because, as highlighted by the consultation, “there are currently little or no legislative cyber security requirements on load controllers as a whole,” with self-regulation the norm.
Within the consultation, the Government proposed to regulate load controllers depending on the size of the organisation. Organisations remotely control large amounts of load (greater than 300MW) would be brought into scope of the NIS Regulations, with the Cyber Assessment Frame used to monitor compliance. Those load controlling domestic and small non-domestic consumers will be regulated through a proportionate and flexible licensing framework.
Energy smart appliances
ESAs are communications-enabled devices able to respond to the grid by shifting their usage to times when it is less costly the energy system. This can include heat pumps, EV charge points, refrigeration, air conditioning, and ventilation devices. This include a wide range of products and the July consultation acknowledged that “different types of ESAs present different risks and opportunities to consumers and the energy system.”
From a cyber security perspective, the Government proposed the introduction of minimum cyber security and grid stability requirements, for larger domestic-scale ESAs. This would include heat pumps, heat batteries, storage heaters and batteries.
In addition, work would be carried out with the National Cyber Security Centre (NCSC) to consider what further interventions may be required to manage cyber security risks posed by increased deployment of
ESAs. It is acknowledged that delivering standards in respect of ESAs could take some time, and some cyber security mitigations could be required sooner.
The recent passage of the Product Security and Telecommunications Infrastructure Act (“PSTI Act”) has brought the issue of internet connected products firmly at the forefront of discussions around cyber security. The consultation notes that the PSTI Act could include smaller domestic-scale ESAs within scope to deliver urgent mitigations, but that larger domestic-scale ESAs highlighted above “could need to meet minimum-security [cyber] requirements prior to adoption of enduring ESA standards beyond those proposed in the Product Security and Telecommunications Infrastructure Bill.”
Some smart meters and smart EV charge points are likely to be excepted from any further regulation under the PSTI Act to avoid dual regulation, as confirmed in the explanatory notes to the PSTI Act. Those smart meters covered by the Commercial Product Assurance or relevant technical specifications through utility legislation will be excepted. EV smart charge points currently require security requirements consistent with the existing cyber security standard via the 2021 Smart Change Points Regulations.
The Government has yet to publish its response to the July 2022 consultation, with the Energy Bill still progressing through the House of Lords. It may be some time before the response is published with further detail on the proposals. Similarly, no further detail on the proposed changes to the NIS Regulations has been provided since the previous announcement.
What is apparent from the above is that a lot of work is to be done to prepare the UK for a cyber secure smart energy system. There is a wide range of existing and planned legislation and regulation to be untangled. It is, of course, welcome that the Government is mindful of the cyber security risks associated with the transition, and we will await further developments with great interest.