The voice of the networks

Managing cyber security

Working with our members, cyber security experts and the UK Government, we're helping to develop standards and guidance which maintain safe and reliable energy supplies as our networks adapt for the future.


We support the development of documents and specifications to assist our members in complying with relevant statutory obligations, such as the EU Network and Information Security (NIS) directive.

We provide guidance on the procurement and specification of cyber security systems:

  • The Energy Delivery Systems
  • Distributed Energy Resources (DER) Cyber Security Connection Guidance

Guidance and standards produced by us are developed using input from a combination of experts within our membership, appointed specialist external consultants, relevant UK and GB trade associations and industry bodies, manufacturers, suppliers and users of the documents.

  • The Cyber Security Task Group (CSTG)

    The Cyber Security Task Group (CSTG) is a sub-group of the UK government's Energy Emergencies Executive. The group liaises with our members and other bodies in the management of the administrative, engineering and technical aspects of cyber security issues impacting the operation of the UK energy networks.

    The Cyber Security Task Group:

    • works in close collaboration with our Strategic Telecommunications Group (STG) and other committees and task groups as appropriate
    • liaises with the Department for Business, Energy & Industrial Strategy (BEIS), Ofgem, the National Cyber Security Centre (NCSC), the Energy Sector Cyber Security Group (E3CC), the Centre for the Protection of National Infrastructure (CPNI), policymakers and others as appropriate to inform the work of the task group
    • shares cyber threat and incident information with our members
    • researches, compiles and publishes cyber security standards and best practice
    • represents members and government bodies and influences government policy on cyber security
    • conducts periodic benchmarking of cyber security maturity anonymously across the energy transmission and distribution sector
  • Distributed energy resources - cyber security guidance

    While not currently meeting the ‘essential service’ criteria laid out in the NIS regulations, the growth of distributed energy resources (DER) means that they are becoming increasingly important to the UK’s energy supply.

    We've worked with the Energy Emergencies Executive Cyber Security Task Group (E3CC) and BEIS to address cyber security controls across the increasing amount of DER connected to distribution networks.

    This guidance is a result of collaboration between BEIS, ENA, DNOs and DER operators who have provided industry insight, shared challenges and made suggestions to improve DER connection security across the industry.

    The guidelines have been closely aligned to the four objectives and fourteen principles from the NCSC Cyber Assessment Framework (CAF), which is itself intended for use by organisations responsible for services and activities that are of vital importance, such as those designated as critical national infrastructure.

    Adoption of these cyber security connection guidelines, developed from the CAF, will support delivery of end-to-end security for our DER, at an industry-accepted level that will help manage the risk of a cyber-attack. It will also enable DNOs and operators to effectively and consistently implement an industry baseline for cyber security when connecting new DER assets to the distribution networks.

    The guidance should ideally be followed prior to connection; however, it can also be applied retroactively to legacy connections.

    In summary, this guidance aims to:

    • Promote cyber security throughout the design and implementation of new DER projects
    • Provide a consistent approach to cyber security for DER connections across the UK
    • Provide a baseline level of security that is required for new DER connections
    • Enable BEIS, NCSC and us to address short-term and long-term threats and promote standardisation
    • Provide cyber security guidelines that are flexible enough to apply to any DER, regardless of size, maturity or location
    • Provide guidance that encourages technology providers to improve security for their devices out of the box