Energy companies and utilities could face fines of up to £17 million if they are found to have insufficient cyber defences, the government has warned.
New measures and guidance published today by the National Cyber Security Centre (NCSC) seek to address what the government describes as an “increasing number of threats”. Companies that operate vital services in fields such as energy, transport and health will be held accountable if they do not have appropriate defences in place.
The new guidance follows on from a consultation launched last August and comes on the back of numerous warnings from defence officials over cyber attacks targeting vital industries.
The NCSC has published new guidance this morning on the back of the consultation, and new regulators will be appointed to assess infrastructure defence plans. Cyber defences will be assessed alongside measures against other threats to service continuity, such as power outages, hardware failures and environmental hazards.
But, crucially, cyber attacks are to fall under the Network and Information Systems Directive (NIS), a piece of EU legislation pertaining to IT security which entered into force in August 2016. Member states were given 21 months to transpose the directive into national law.
The NCSC guidance focuses on the 14 principles it has set out for meeting the directive’s security requirements. These fall within four objectives: managing security risk; defending systems against cyber attack; detecting cyber security events; and minimising the impact of cyber security incidents.
Further documentation on the NCSC’s Cyber Assessment Framework, which will underpin how regulators assess whether so-called operators of essential services are delivering against the 14 NIS principles, is to be published by the end of April 2018.
The government has said that fines would be a last resort, with £17 million the maximum potential fixed fine. The government has also stressed that the scope of the new legislation will be made clearer to companies, so that they know whether they have to comply with the directive.
Margot James, minister for digital and the creative industries, said the new guidance was part of “robust cyber security measures” designed to ensure the UK is the “safest place in the world to live and be online”.
“We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services,” she said.
In October 2017 Bird & Bird’s Simon Shooter wrote for Clean Energy News on the subject of the NIS Directive and what energy companies need to be aware of prior to its implementation.