We support the development of documents and specifications to assist our members in complying with relevant statutory obligations, such as the EU Network and Information Security (NIS) directive.
We provide the following guidance:
- Energy Delivery Systems Cyber Security Procurement Guidance.
- Distributed Energy Resources (DER) Cyber Security Connection Guidance.
The Cyber Security Working Group (CSWG)
The Cyber Security Working Group (CSWG) is an industry-led group working in conjunction with the UK government's Energy Emergencies Executive. The group liaises with our members and other bodies in the management of the administrative, engineering and technical aspects of cyber security issues impacting the operation of the UK energy networks.
The Cyber Security Working Group:
- works in close collaboration with our Strategic Telecommunications Group (STG) and other committees and task groups as appropriate
- liaises with the Department for Energy Security and Net Zero (DESNZ), Ofgem, the National Cyber Security Centre (NCSC), the Energy Sector Cyber Security Group (E3CC), the E3C Security Task Group, policymakers and others as appropriate to inform the work of the working group
- shares cyber threat and incident information with our members, identifying common challenges and developing and sharing industry good practice and guidance through an agreed workplan
- researches, compiles, updates and publishes cyber security standards and best practice, considering how codes of connections, standards and guidance can be updated to include clear and robust cyber security guidance that supports a secure smart grid network
- engages with the supply chain and understands and manages risk from individual components and equipment
- represents members and government bodies and influences government policy on cyber security
Distributed energy resources (DER) cyber security connection guidance
While not currently meeting the ‘essential service’ criteria laid out in the NIS regulations, the growth of distributed energy resources (DER) means that they are becoming increasingly important to the UK’s energy supply.
We've worked with the Energy Emergencies Executive Cyber Security Task Group (E3CC) and BEIS to address cyber security controls across the increasing amount of DER connected to distribution networks.
This guidance is a result of collaboration between BEIS, ENA, DNOs and DER operators who have provided industry insight, shared challenges and made suggestions to improve DER connection security across the industry.
The guidelines have been closely aligned to the four objectives and fourteen principles from the NCSC Cyber Assessment Framework (CAF), which is itself intended for use by organisations responsible for services and activities that are of vital importance such as those designated as critical national infrastructure.
Adoption of these cyber security connection guidelines, developed from the CAF, will support delivery of end-to-end security for our DER, at an industry accepted level that will help manage the risk of a cyber-attack. It will also enable DNOs and operators to effectively and consistently implement an industry baseline for cyber security when connecting new DER assets to the distribution networks.
The guidance should ideally be followed prior to connection; however, it can also be applied retroactively to legacy connections.
In summary this guidance aims to:
- Promote cyber security throughout the design and implementation of new DER projects
- Provide a consistent approach to cyber security for DER connections across the UK
- Provide a baseline level of security that is required for new DER connections
- Enable BEIS, NCSC and us to address short-term and long-term threats and promote standardisation
- Provide cyber security guidelines that are flexible enough to apply to any DER, regardless of size, maturity or location
- Provide guidance that encourages technology providers to improve security for their devices out of the box
Read the DER cyber security connection guidance for more about improving cyber security and where to send your feedback or comments.
Energy delivery systems cyber security procurement guidance
The UK energy system is among our most critical national infrastructure (CNI), underpinning many of our essential services. Improving cyber security will help ensure that the UK has a secure and resilient energy system, avoiding disruption through cyber-attack that could have a severe impact on the country’s national security.
The Network and Information Systems Directive (NIS Directive) came into force on 10th May 2018, placing an additional legislative requirement on organisations deemed operators of essential services (OES) to protect against and respond to cyber-attacks and wider incidents affecting Energy Delivery Systems (EDS).
ENA, in conjunction with the BEIS Energy Cyber Security Team and the National Cyber Security Centre (NCSC), has focused efforts on collaboration with CNI operators to ensure that they have appropriate technical advice and guidance to manage the cyber risks that they are exposed to. Vendors and operators have provided industry insight, shared challenges and made suggestions to improve procurement processes and requirements across the industry.
Adoption of these guidelines will support delivery of end-to-end security for our systems, at an industry accepted level. It will also enable our users to effectively and consistently articulate an industry baseline for cyber security in the software, hardware and services they purchase across the supply chain.
Read the Energy delivery systems cyber security procurement guidance