The NIS Directive is due to be transposed into national law on 9 May 2018. Although it has received less press coverage than the implementation of GDPR, it should be on companies' radar as it carries significant penalties. A failure to comply may lead to a maximum financial penalty of £17m. This note highlights the key provisions that may impact renewable generators and smart energy providers falling within the scope of the NIS Directive.
The NIS Directive will apply to electricity generators, suppliers and distribution and transmission network operators provided that they fall within the definition of an "Operator of Essential Service" (OES). The general thresholds to determine whether such companies will fall within the definition of an OES are as follows:
- for electricity generators, it is based on having a generating capacity greater or equal to 2GW, including standalone transmission connected generation and multiple generating units with a cumulative capacity greater or equal to 2GW;
- for energy distribution and transmission network operators, it is based on the potential to disrupt supply to greater than 250,000 consumers; and
- for energy supply businesses it is based on the use of smart metering and the potential to disrupt supply to greater than 250,000 consumers.
Distribution Network Operators, National Grid (as the system operator) and all large electricity supply companies will fall within the thresholds above and be classified as an OES. The position is less clear for owners / managers of a portfolio of renewable generation assets with an aggregate capacity of over 2 GW where the ownership of such assets may be held by various disparate project companies. The Directive and the guidance published by the National Cyber Security Centre (NCSC) is not clear on this point. However, given the supply chain principle of the NIS Directive (see below), such generators should nevertheless be aware of the implications of the NIS Directive.
An OES has to comply with the security principles set out in the NIS Directive which we have set out in Appendix 1. The principles are broad, and leave the OES to determine which security measures are appropriate, taking into account the circumstances of that organisation.
The principles place emphasis on the importance of ensuring that all levels of the organisation understand the risk of cybersecurity and the security measures the OES has in place. It is clear that superficial "fixes" will not be satisfactory under the NIS Directive; the obligation extends to ensuring that all staff and employees have the information, knowledge, and skills they need to support the security of networks and information systems.
The National Cyber Security Centre (NCSC) has published supplementary guidance here and we expect that the initial version of the NIS "Cyber Assessment Framework" (CAF), which is due to be published in Spring 2018, will provide further granularity.
BEIS and Ofgem will be responsible for publishing the incident reporting thresholds before May 2018, which will apply to OES in the electricity, oil and gas subsectors. We expect the thresholds to be based on:
- the number of users affected by the disruption of the essential service;
- the likely or actual duration of the incident; and
- the area affected by the incident.
All NIS incidents meeting the reporting threshold should be reported to BEIS and Ofgem where applicable within 72 hours.
NCSC will only be responsible for incident response support for cyber-related incidents, whereas response support for non-cyber or resilience incidents will be provided by BEIS and Ofgem.
Each OES is responsible for ensuring (through contractual arrangements such as KPIs and auditing rights) that their suppliers have in place appropriate measures. A blanket approach is unlikely to be acceptable. The NCSC guidance warns against forcing all suppliers to deliver the same set of security requirements when it is not proportionate or justified to do so.
An OES remains accountable for the protection of any essential service, even if it relies on a third party to provide technology services. Although BIES and Ofgem will not be enforcing NIS requirements on the supply chain of an OES, there is currently nothing preventing an OES from "flowing-down" liability under this regime.
As such, renewable generators, even where they themselves do not fall within the definition of an OES, may have certain contractual obligations imposed upon them following the implementation of the NIS Directive where they enter into contracts with DNOs (e.g. grid connection agreements), National Grid (e.g. providing DSR or balancing services to the National Grid) or licensed suppliers (e.g. power purchase agreements) in the context of a renewable generation project. This may require such generators to confirm certain levels of security, agree to contractual obligations relating to security and incident reporting and generally comply with other requirements of the NIS Directive. With this in mind, such generators may wish to invest in their cyber security in anticipation, regardless of whether they fall within the scope of the NIS Directive directly, to mitigate this risk.
Digital Service Providers
The transition to a smart energy system means the sector is increasingly at risk of cyber-attacks and issues caused by cyber vulnerabilities. The volume and nature of the data collected by smart meters makes them an attractive target, and the digitalisation of grids may draw hackers towards the sector due to the devastating effects of disruption.
The NIS Directive also applies (although with slightly different rules) to what are classed as Digital Service Providers (DSP), which include cloud computing service providers. The Government includes Software as a Service (SaaS) within the scope of this. As such, some smart energy providers such as aggregators of virtual power plants may be caught by the obligations of the NIS Directive. In addition to this, providers of virtualised computer resources – Infrastructure as a Service – and providers of cloud storage or email services may also fall within the scope of a DSP.
Many companies in the renewables sector may have contracts with a third party DSP as digital technologies play an increasingly vital role in the world. Given the supply chain principle set out above, these companies should also anticipate being required to agree to more prescriptive obligations regarding cyber security in their contracts and to invest in their own systems and processes. Improving resilience to cyber security attacks was highlighted by the EECSP Report as a key strategic priority for the sector, and should therefore be considered regardless of whether or not an entity will directly fall within the scope of the NIS Directive.
There is a maximum financial penalty of £17m to cover all contraventions of the NIS Directive.
The Government has proposed that the Secretary of State for Business, Energy and Industrial Strategy (BEIS) will be the Competent Authority for the energy sector, in addition to the Office of Gas and Electricity Markets (Ofgem) for the electricity and gas (downstream) subsectors, and assisted by the Health and Safety Executive for the oil and gas (upstream) subsectors.
BEIS (and Ofgem where applicable) will have a degree of flexibility in deciding what level of fine is proportionate and reasonable in the circumstances and will be encouraged to take into account the potential for "double jeopardy" under different regimes, such as the General Data Protection Regime (GDPR). That being said, the Government has acknowledged that penalisation for the same event under different regimes may be appropriate where penalties "relate to different aspects of the wrongdoing and different impacts". Further guidance is expected to be published on this point before May 2018.
Appendix 1 - High-level Security Principles
A) Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.
- A.1 Governance: The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
- A.2 Risk Management: The organisation takes appropriate steps to identify, assess and understand security risks to network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.
- A.3 Asset Management: Everything required to deliver, maintain or support networks and information systems for essential services is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
- A.4 Supply Chain: The organisation understands and manages security risks to the network and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
B) Proportionate security measures in place to protect essential services and systems from cyber-attack or system failures.
- B.1 Service Protection Policies and Processes: The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support delivery of essential services.
- B.2 Identity & Access Control: The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.
- B.3 Data Security: Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause disruption to essential services. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the delivery of essential services. It also covers information that would assist an attacker, such as design details of networks and information systems.
- B.4 System Security: Network and information systems and technology critical for the delivery of essential services are protected from cyber-attack. An organisational understanding of risk to essential services informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
- B.5 Resilient Networks & Systems: The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services.
- B.6 Staff Awareness & Training: Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the delivery of essential services
C) Appropriate capabilities to ensure network and information system security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
- C.1 Security Monitoring: The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the on-going effectiveness of protective security measures.
- C.2 Proactive Security Event Discovery: The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployed).
D) Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary.
- D.1 Response and Recovery Planning: (i) There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential services in the event of system or service failure; and (ii) Mitigation activities designed to contain or limit the impact of compromise are also in place.
- D.2 Lessons Learned: When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.