
Providers of ‘essential services’ – including the energy sector – to tackle cybercrime


On 8 August 2017 the UK government published a consultation on the implementation of the Network and Information Systems Directive (NIS Directive). The new legislation, which is due to enter force on 9 May 2018, will apply to a wide range of ‘essential services’, including operators in the energy sector as well as in the transport, healthcare, water and digital infrastructure sectors. It will impose obligations on those players to prevent cyber-attacks. Non-compliance could result in fines of up to £20mn or 4% of global turnover.

It is proposed that the Secretary of State for Business, Energy and Industrial Strategy (BEIS) – currently The Rt Hon Greg Clark MP – will be the competent authority for the energy sector, although Ofgem may also play a role.

Amanda Hale and Michael Burns, both Partners at the law firm Ashurst, note that in the energy sector a wide spectrum of industry participants is proposed to be caught in the regulatory net, including:

In the power sector:

  1. Suppliers which both use smart metering infrastructure and supply to more than 250,000 consumers.
  2. Generators with a combined capacity of 2 GW or more (other than for nuclear power).
  3. Distribution or transmission system operators with the potential to disrupt supply to over 250,000 consumers, and international interconnectors and the direct current converter stations with a capacity of 1 GW or more.


In the oil and gas sector:

  1. Operators of upstream petroleum pipelines (both oil and gas) with a throughput of over 20mn boe/y of oil or gas.
  2. Downstream oil transmission operators who provide or handle at least 500,000 t/y of fuel.
  3. Operators of production, treatment, refining and storage facilities, both upstream and downstream (including gas storage facilities/LNG), above certain specified thresholds.
  4. Gas suppliers which both use smart metering infrastructure and supply more than 250,000 consumers.
  5. Gas distribution and transmission system operators with the potential to disrupt supply to more than 250,000 consumers.
  6. Operators of gas processing operations with a throughput of more than 20mn boe/y of gas.


A number of additional thresholds are proposed for Northern Ireland. The government intends, in addition, to include a reserve power to designate specific operators who are not caught by the above thresholds if those operators are nevertheless considered by it to provide an essential service.

They also report that the government intends to institute two bands of penalties:

  1. Band 1: maximum €10mn or 2% of global turnover for ‘lesser offences’ such as failure to cooperate with the competent authority, failure to report a relevant incident or failure to comply with an instruction from a competent authority.
  2. Band 2: maximum €20mn or 4% of global turnover for failure to implement appropriate and proportionate security measures.

In January 2018, the National Cyber Security Centre (NCSC) intends to publish generic cross-sector security guidance. This will include a Cyber Assessment Framework (CAF), which will provide a means of determining the extent to which requirements are being met.

In Spring 2018, BEIS will indicate how an ‘operator of essential services’ (OES) should interpret the generic guidance and CAF for its own risk management procedures once the legislation comes into effect in May next year. In November 2018, BEIS will then need to produce further detailed sector-specific guidance intended to reflect the unique circumstances of the sector.

‘Cyber security has been on the energy industry’s radar for quite some time now. It is very much a priority area for many companies in terms of their risk management strategy, and many energy sector participants are already putting in place systems to tackle this risk, as well as engaging in cross-industry initiatives, such as the Cyber Security Information Sharing Partnership. However, implementation of the NIS Directive will mean that, from May next year, this is not just a question of risk management, but also one of regulatory compliance,’ conclude Hale and Burns.


Photo: Shutterstock 
