The energy sector is increasingly a target for cyber attacks: the 'Energetic Bear', or 'Dragonfly', group's 2014 campaign against energy operators in the EU and the US, which gained access to industrial control systems by compromising the software of ICS equipment vendors; the attacks on the Ukrainian power grid in December 2015 that caused blackouts; and the malware infection at the Israeli Electricity Authority in January 2016, after which it took two days to return to business as usual.
The Network and Information Security (NIS) Directive is a piece of EU legislation that is designed to address this threat. The Directive was finalised in July 2016. It has significant implications for organisations in many sectors, not just the energy market, in respect of their cybersecurity obligations.
Although the Directive is already in force, its provisions will not bite on organisations until they are implemented into national laws across EU member states. EU countries have until 9 May 2018 to do this, and until 9 November 2018 to "identify the operators of essential services with an establishment on their territory" that would be subject to the new rules.
The UK government confirmed it will set out "the detailed scope and security requirements for NIS implementation … in 2017", despite the country's move towards Brexit, in a report released at the end of 2016.
An overview of the Directive and its application to the energy sector
The NIS Directive sets out measures designed to ensure that critical network and information systems in key sectors of the economy such as banking, energy, health and transport are secure. More detail on the specific rules that have to be adhered to is outlined below.
The Directive applies to operators of 'essential services' and to 'digital service providers'. Slightly different requirements apply depending on whether an organisation is considered an operator of essential services or a digital service provider.
In terms of the scope of the Directive's application to the energy sector, there is a list contained within an annex to the legislation of the types of energy sector organisations that could be considered as operators of essential services.
The Directive confirms that those organisations can be public bodies or private sector businesses.
It also sets out criteria which will determine whether organisations that fall within one or more of the definitions on the list should actually be considered as operators of essential services and, therefore, subject to the rules.
It will be up to each individual EU country to determine which organisations in their jurisdiction are operators of essential services, with reference to the list in the Directive's annex and the criteria set out in Article 5 of the legislation itself.
Which types of energy sector organisations are potentially in-scope?
Certain organisations within the electricity, oil and gas markets will potentially be subject to the NIS Directive's requirements. They include the following:
- electricity suppliers
- electricity distribution system operators
- electricity transmission system operators
- operators of oil transmission pipelines
- operators of oil production, refining and treatment facilities, storage and transmission
- gas suppliers
- gas distribution system operators
- gas transmission system operators
- gas storage system operators
- LNG system operators
The precise definitions of the types of organisations listed in the electricity and gas sub-sectors are taken from two EU directives from 2009: Directive 2009/72/EC, which sets out electricity market rules, and Directive 2009/73/EC, which sets out rules for the natural gas market.
The criteria for determining if an entity is an 'operator of essential services'
The Directive sets out criteria for determining whether organisations that fall within one of the definitions in its annex are actually operators of essential services.
To be classed as such, all three of the following conditions must be met in respect of an entity:
- it provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
An 'incident' is defined in the Directive as "any event having an actual adverse effect on the security of network and information systems".
Further factors are set out in Article 6 of the Directive to help national governments across the EU determine how significant the disruptive effect of an incident on an entity's service would be.
According to those factors, EU countries must take into account at least:
- the number of users relying on the service provided by the entity concerned
- the dependency of other sectors … on the service provided by that entity
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety
- the market share of that entity
- the geographic spread with regard to the area that could be affected by an incident
- the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service
EU countries should also, where appropriate, consider "sector-specific factors", the Directive states.
Each national government across the EU will be responsible for selecting which entities within their jurisdiction qualify as operators of essential services, with reference to the criteria and the underlying list of energy sector organisations that might be brought within scope.
What are the obligations for organisations that are within scope?
Operators of essential services will face new obligations in relation to the cybersecurity measures they will have to have in place. In addition, they will face a new duty to disclose certain cybersecurity incidents they experience.
The Directive is not prescriptive about the security measures that operators of essential services must implement.
According to the Directive, operators of essential services must "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations". Having regard to the state of the art, those measures must ensure a level of security appropriate to the risk posed.
Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services".
It is possible that more detailed security requirements could be laid out in the national implementing legislation.
On incident notification, operators of essential services will have to "notify … incidents having a significant impact on the continuity of the essential services they provide".
Those notifications must be made to the 'competent authority' identified by the relevant EU country whose rules the entity is subject to, or that country's 'computer security incident response team' (CSIRT).
Notification to those bodies must be made "without undue delay".
Operators of essential services must take account of certain criteria laid out in the Directive to determine whether an incident has a 'significant impact' on the continuity of their services, and therefore whether they are under an obligation to notify those incidents.
The operators must take into account:
- the number of users affected by the disruption of the essential service
- the duration of the incident
- the geographical spread with regard to the area affected by the incident
The Directive provides for the potential for further guidelines to be issued by competent authorities or CSIRTs "concerning the circumstances in which operators of essential services are required to notify incidents, including on the parameters to determine the significance of the impact of an incident".
Where notification is triggered, operators of essential services must "include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident".
The competent authority or CSIRT that receives a notification will be responsible, under the terms of the Directive, for informing other EU countries affected by the incident, while preserving the operator's security and commercial interests and the confidentiality of the information notified, and in some cases for informing the public. Notification to the public would only take place after consultation with the notifying operator and in circumstances where "public awareness is necessary in order to prevent an incident or to deal with an ongoing incident".
According to the Directive, competent authorities or CSIRTs may also provide a notifying operator with "relevant information regarding the follow-up of its notification, such as information that could support the effective incident handling".
Penalties for non-compliance
Under the Directive, each EU country will be responsible for determining its own "effective, proportionate and dissuasive" penalties for infringement of the NIS rules.
It is not yet clear what penalties will be considered. Possible penalties could include fines, public naming of those in breach, and/or a requirement to rectify deficiencies identified with cybersecurity measures deployed.
Actions for energy sector organisations
Energy companies should, between now and November 2018, monitor for national laws implementing the NIS Directive and for relevant guidance, whether EU-wide or in the member states in which they do business, to establish whether and which of their services will be subject to the new obligations, and in which member states. They will need to know the detailed requirements that will affect them, including any stricter rules set out by member states.
Energy companies should review their systems and processes to enable compliance with the national NIS Directive security obligations identified as relevant to them. This includes not just their technical security measures for preventing and detecting security incidents and business continuity planning, but also internal governance/accountability, organisational measures (staff contracts, training etc.) and vendor management systems/procedures. Any overlaps with or differences from current security requirements under licence conditions need to be identified and addressed.
Multinationals should also devise and implement a cross-EU compliance strategy that takes account of any overlap with, or differences from, security obligations under other legislation such as the GDPR, as well as relevant national penalties for infringement.
Companies may also wish to consider cyber-insurance cover for their essential services, extending not just to direct losses including physical loss or damage, but also the costs of incident handling, including investigation and notification. The insurance market is evolving and cyber cover becoming more sophisticated.
On notification obligations…
Energy companies should review their systems and processes to enable compliance with the national NIS Directive incident notification obligations identified as relevant to them, including monitoring for incidents and taking appropriate action. Note that the authorities which must be notified under the Directive may not be the same as those which must be notified under licence conditions or data protection law, so a single incident can trigger several notifications on different timescales.
To prepare properly for dealing with incidents, it is important not only to implement appropriate systems and processes for incident notification, but to test and rehearse hypothetical scenarios under controlled conditions with the involvement of all relevant internal functions, PR as well as IT, legal, security etc.
Pinsent Masons, the law firm behind Out-Law.com, offers clients a CyberReadiness product where stakeholders from relevant internal teams undertake a live scenario planning exercise in a simulated breach scenario tailored to the client concerned. Legal privilege, implemented correctly, will protect energy companies should such exercises highlight any systems/process shortfalls.
Energy companies' contracts with digital service providers (DSPs) relied on for essential services should be amended before the 2018 deadline to require DSPs to notify the energy company of incidents affecting the DSP, so that the energy company can evaluate the incident's impact on the essential service. This matters because the Directive places the duty to notify a significant impact on the essential service caused by an incident at a third-party DSP on the operator of essential services, not on the DSP. The contract review could be done as part of a general vendor management process review, again involving at least the security, IT, risk and legal functions.
As with the security obligations, multinationals' cross-EU compliance strategy should take account of any overlap with, or differences from, data/security breach notification obligations under other legislation such as the GDPR, as well as relevant national penalties for infringement.
Marc Dautlich is an expert in cyber risk and regulation at Pinsent Masons, the law firm behind Out-Law.com.