The NIS Directive takes effect on 10 May. Now is the time for power generators and smart energy organisations to check they meet cybersecurity requirements, argues law firm Bird & Bird. By Levent Gurdenli, senior associate and co-head of energy management team, and Simon Shooter, cybersecurity lead.
The EU Directive on the Security of Networks and Information Systems (NIS Directive) will become law on 9 May 2018. It should be on companies’ radar, because it carries significant penalties: a failure to comply can incur a financial penalty of up to £17 million. The NIS Directive will apply to electricity generators, suppliers, smart energy providers and network operators if they fall within the definition of an “operator of essential service” (OES). That definition covers:
- electricity generators with capacity of 2GW or more, including those whose cumulative capacity from multiple units reaches that threshold;
- energy network operators where supply to more than 250,000 consumers could be disrupted; and
- energy supply businesses using smart meters and where supply to more than 250,000 consumers could be disrupted.
The position is less clear for owners or managers of a portfolio of generation assets with an aggregate capacity of over 2GW, where ownership is held by disparate project companies. Neither the directive nor the guidance published by the National Cyber Security Centre (NCSC) is clear on this point. However, such companies should be aware of the directive given its supply chain principle.
An OES has to comply with the security principles set out in the NIS Directive, which are broad and leave the OES to determine which security measures are appropriate.
The principles emphasise that all levels of the organisation should understand cybersecurity risks and the security measures in place. Superficial “fixes” will not be satisfactory; companies must ensure that all staff and employees have the knowledge and skills necessary.
The NCSC has published guidance, and its NIS Cyber Assessment Framework (CAF) will provide further granularity.
BEIS and Ofgem will be responsible for publishing incident reporting thresholds for OESs in the electricity, oil and gas subsectors. We expect the thresholds to be based on the number of users affected by the disruption of the essential service, the likely or actual duration of the incident, and the area affected.
All NIS incidents meeting the threshold must be reported to BEIS and Ofgem within 72 hours. NCSC will only be responsible for incident response support for cyber-related incidents, whereas response support for non-cyber or resilience incidents will be provided by BEIS and Ofgem.
An OES is responsible for ensuring – through contractual arrangements – that its suppliers have appropriate measures in place. A blanket approach is unlikely to be acceptable, because the NCSC guidance warns against forcing all suppliers to deliver the same set of security requirements when it is not proportionate or justified to do so.
An OES remains accountable for the protection of any essential service, even if it relies on a third party to provide technology services. Although BEIS and Ofgem will not be enforcing NIS requirements on the supply chain of an OES, there is currently nothing preventing an OES from “flowing down” liability. As a result, even where they do not fall within the definition of an OES, generators may have contractual obligations when they enter into contracts with DNOs (grid connection agreements, for example), National Grid (providing demand-side response or balancing services) or licensed suppliers (power purchase agreements).
Generators may wish to invest in their cybersecurity in anticipation – regardless of whether they fall within the scope of the NIS Directive directly – to mitigate this risk.
Digital service providers
The transition to a smart energy system means the sector is increasingly at risk of cyberattack. The volume and nature of the data collected by smart meters makes them an attractive target, and digitalisation may draw hackers towards the sector.
The NIS Directive also applies (although with slightly different rules) to what are classed as digital service providers (DSPs) and those providing software as a service. This may catch some smart energy providers, such as aggregators of virtual power plants or providers of virtualised computer resources (“infrastructure as a service”).
Many companies in the renewables sector have contracts with a third-party DSP. Given the supply chain principle set out above, these companies should anticipate more prescriptive obligations regarding cybersecurity in their contracts and invest in their own systems and processes. Improving resilience to cybersecurity attacks is a key strategic priority for the sector, and should therefore be considered regardless of whether or not an entity will directly fall within the scope of the NIS Directive.
There is a maximum financial penalty of £17 million to cover all contraventions of the NIS Directive.
BEIS and Ofgem will be competent authorities for the energy sector, assisted by the Health and Safety Executive. They will have some flexibility in deciding how large a fine is proportionate and reasonable in the circumstances, and will be encouraged to take into account the potential for “double jeopardy” under different regimes, such as the General Data Protection Regulation (GDPR). But the government says multiple penalties for the same event under different regimes may be appropriate.
First published in the May 2018 issue of New Power Report.