We support the development of documents and specifications to assist our members in complying with relevant statutory obligations, such as the EU Network and Information Security (NIS) directive.
We provide the following guidance:
- Energy Delivery Systems Cyber Security Procurement Guidance.
- Distributed Energy Resources (DER) Cyber Security Connection Guidance.
The Cyber Security Task Group (CSTG)
The Cyber Security Task Group (CSTG) is a sub-group of the UK government's Energy Emergencies Executive. The group liaises with our members and other bodies in the management of the administrative, engineering and technical aspects of cyber security issues impacting the operation of the UK energy networks.
The Cyber Security Task Group:
- works in close collaboration with our Strategic Telecommunications Group (STG) and other committees and task groups as appropriate
- liaises with the Department for Business, Energy & Industrial Strategy (BEIS), Ofgem, the National Cyber Security Centre (NCSC), the Energy Sector Cyber Security Group (E3CC), the Centre for the Protection of National Infrastructure (CPNI), policymakers and others as appropriate to inform the work of the task group
- shares cyber threat and incident information with our members
- researches, compiles and publishes cyber security standards and best practice
- represents members and government bodies and influences government policy on cyber security
- conducts periodic benchmarking of cyber security maturity anonymously across the energy transmission and distribution sector
Distributed energy resources (DER) cyber security connection guidance
While not currently meeting the ‘essential service’ criteria laid out in the NIS regulations, the growth of distributed energy resources (DER) means that they are becoming increasingly important to the UK’s energy supply.
We've worked with the Energy Emergencies Executive Cyber Security Task Group (E3CC) and BEIS to address cyber security controls across the increasing amount of DER connected to distribution networks.
This guidance is a result of collaboration between BEIS, ENA, DNOs and DER operators who have provided industry insight, shared challenges and made suggestions to improve DER connection security across the industry.
The guidelines have been closely aligned to the four objectives and fourteen principles from the NCSC Cyber Assessment Framework (CAF), which is itself intended for use by organisations responsible for services and activities that are of vital importance, such as those designated as critical national infrastructure.
Adoption of these cyber security connection guidelines, developed from the CAF, will support delivery of end-to-end security for our DER, at an industry accepted level that will help manage the risk of a cyber-attack. It will also enable DNOs and operators to effectively and consistently implement an industry baseline for cyber security when connecting new DER assets to the distribution networks.
The guidance should ideally be followed prior to connection; however, it can also be applied retroactively to legacy connections.
In summary, this guidance aims to:
- Promote cyber security throughout the design and implementation of new DER projects
- Provide a consistent approach to cyber security for DER connections across the UK
- Provide a baseline level of security that is required for new DER connections
- Enable BEIS, NCSC and us to address short-term and long-term threats and promote standardisation
- Provide cyber security guidelines that are flexible enough to apply to any DER, regardless of size, maturity or location
- Provide guidance that encourages technology providers to improve security for their devices out of the box
Energy delivery systems cyber security procurement guidance
The UK energy system is among our most critical national infrastructure (CNI), underpinning many of our essential services. Improving cyber security will help ensure that the UK has a secure and resilient energy system, avoiding disruption through cyber-attack that could have a severe impact on the country’s national security.
The Network and Information Systems Directive (NIS Directive) came into force on 10 May 2018, placing an additional legislative requirement on organisations deemed operators of essential services (OES) to protect against and respond to cyber-attacks and wider incidents affecting Energy Delivery Systems (EDS).
ENA, in conjunction with the BEIS Energy Cyber Security Team and the National Cyber Security Centre (NCSC), has focused efforts on collaboration with CNI operators to ensure that they have appropriate technical advice and guidance to manage the cyber risks that they are exposed to. Vendors and operators have provided industry insight, shared challenges and made suggestions to improve procurement processes and requirements across the industry.
Adoption of these guidelines will support delivery of end-to-end security for our systems, at an industry accepted level. It will also enable our users to effectively and consistently articulate an industry baseline for cyber security in the software, hardware and services they purchase across the supply chain.