The UK Government has published its Energy Sector Cyber Security Strategy. In the words of Michael Shanks MP, Minister for Energy at Department of Energy Security and Net Zero, the document ‘sets out what the government will do to protect the energy system and its consumers, and how we will partner with industry to mitigate cyber risks’.
The background is cyber attacks seeking to disrupt western Critical National Infrastructure (CNI). One of the authors is the UK official National Cyber Security Centre (NCSC) which has noted a ‘stark increase’ in the threat to CNI, as ‘adversaries seek to compromise these systems to achieve a range of outcomes, from financial gain and economic advantage, to pre-positioning, espionage and disruptive and destructive attacks’. The document calls for a coordinated approach by the sector; ‘private organisations and government need to work even more effectively together to secure the energy sector and will need to make the most of all the resources at our disposal to protect our national security and way of life’. Cyber security should be a board level priority, it adds.
Timings
Initial scoping work will consider baseline cyber hygiene measures such as the Cyber Essentials (CE) scheme. Proposed by the end of 2026 are ‘preliminary supply chain security principles’; by the end of 2027, the sector will have built ‘capability to engage with and assess the energy supply chain’, and supported Operators of Essential Services (OES) with managing their supply chains. Also due by the end of 2027: an assessment of the NIS Regulatory thresholds. By 2030, ‘designated critical suppliers’ will have ‘scoped appropriate maturity targets’. Also hoped for by 2030 is that ‘cyber resilience is raised across the whole DGE [Downstream Gas and Electricity] system by introducing a baseline level of cyber resilience to all’.
Comment
Jamie Akhtar, CEO and Co-Founder of CyberSmart, said: “The direction of travel from government is becoming clearer – Cyber Essentials is increasingly emerging as the baseline for supply chain cyber resilience across critical sectors. The energy strategy builds on themes weโve already seen through CYBERUK [a flagship spring conference], the Cyber Resilience Pledge, public sector procurement and wider resilience initiatives: namely that organisations need a clear, measurable minimum standard for cyber hygiene. While the strategy does not mandate Cyber Essentials universally, it reinforces the growing expectation that baseline controls and independently verified assurance will play a central role in strengthening UK supply chains and critical infrastructure resilience.”
Photo by Mark Rowe
