Brought to you by
SHEPHERD AND WEDDERBURN
Businesses supplying essential energy services must ensure they comply with IT security regulations to avoid financial penalties, writes Jamie McRorie, Partner in Shepherd and Wedderburn’s Regulation and Markets team
Cyber security threats can cripple those businesses we rely on for our everyday necessities. Recent figures show one in three firms have suffered a cyber breach in the past year.
In the energy sector alone, 90% of the world’s largest energy companies suffered breaches in 2023, and coordinated cyber-attacks were made against critical energy infrastructure throughout Europe.
In 2022, an IBM Security Report identified the energy sector as the UK’s top target for cyber-attacks, with 24% of all cyber-attacks in the UK made in the energy sector.
In the UK, the Network and Information System Regulations 2018 were introduced in response to the increased reliance on technology by businesses delivering essential services.
The Regulations apply to those operating in the energy, oil, transport, health care, drinking water and digital infrastructure sectors.
The Regulations contain duties on those delivering those services:
■ to take appropriate measures to manage risks and minimise the impact of incidents affecting their systems; and
■ to notify any incident which has a significant impact on essential services to the relevant competent authorities.
Failure to comply with the Regulations can lead to regulatory enforcement, including financial penalties ranging from £1 million to £17 million.
Importantly, the measures Operators of Essential Services (OES) are expected to take must have regard to “the state of the art” to ensure the level of security provided is appropriate to the risk posed.
As cyber threats evolve in a changing world, so must the protections deployed to manage those risks, including the increasing risks posed by Artificial Intelligence (AI).
In January 2024, the NCSC published the results of its assessment focusing on the potential impacts of AI on cyber operations.
The assessment concluded that AI will almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years. All types of cyber threat actors – state and non-state, skilled and less skilled – are already using AI to varying degrees.
Data handling will become more complex as the energy system will need to understand and react to increasingly complex information and energy flows.
The digitised exchange of data is needed to facilitate an energy system that can accelerate, automate, plan and anticipate processes better than at present.
For example, consumer data from smart meters provides a granularity of data which can support operators in planning and maintaining their networks.
Balancing the electricity system relies on the System Operator using increasingly complicated information flows and systems to balance electricity generation and demand, when that generation is increasingly decentralised and intermittent.
It is concerning that Elexon (which handles the data for that balancing) was the victim of a ransomware attack on its internal systems in 2020.
We can expect a step change in the sophistication of cyber security attacks at just the time when the UK’s energy system is increasingly reliant on and developing the utility of the systems subject to attack.
Those in the energy sub-sector will need to constantly assess and reassess their systems and compliance processes if they are to comply with the Regulations’ requirements to be “state of the art” in the age of AI.
■ Jamie McRorie is a confirmed speaker at All-Energy, the UK’s largest renewable and low-carbon energy exhibition and conference in Glasgow on 15-16 May. Visit Shepherd and Wedderburn’s All-Energy hub at: www.shepwedd-allenergy.com