The law in question is the Network & Information Systems Regulations, which is designed to boost the cybersecurity resilience of the UK energy sector by obliging electricity and gas suppliers to report cybersecurity breaches.
The law sorts incidents into several threshold categories, such as whether an incident had the potential to disrupt the supply of energy to more than 250,000 consumers.
Since the introduction of the law, not a single report of a hacking incident has been successfully made, despite numerous successful cyberattacks on energy companies over the last three years by criminal gangs and hostile states.
The main cause is that the thresholds used to determine whether an incident is reportable are too high, which in practice prevents any reports from being made.
According to the Sky News report, just one energy supplier has tried to file a report with Ofgem, and it was dismissed because the incident did not meet the threshold required for it to be reported.
This is an issue because it means the true extent of the cybersecurity challenges faced by energy suppliers is not being recorded; instead, many incidents are being swept under the carpet by companies too afraid to publicly disclose a breach.
Attacks are common: Elexon suffered a major cyberattack last year, and only recently Npower was forced to abandon its customer service app after hackers breached it and used it as a way to steal sensitive customer data.
Cyber-attacks on energy companies and electricity systems are a substantial and growing threat, according to the International Energy Agency (IEA).
The Sky investigation goes on to say that the high thresholds required for a cyberattack to be recorded are leaving Ofgem blind to the true scale of the problem and to how well energy suppliers are coping.
Currently, the thresholds depend only on the impact of an attack on the continuity of a company's services, which says nothing about the energy sector's ability to detect and tackle cyber threats before supply is disrupted.
"Most of the concern around cybersecurity has been focused on operational technology (OT) networks that interact with physical processes and machinery, such as power plant equipment or water treatment facilities. Yet the traditional information technology (IT) networks that involve the flow of data - such as file storage or email - should not be neglected. This is because whilst the impact of malicious activity can be far more severe against OT systems, these attacks typically start out on IT networks. It is therefore vital to consider security across an entire service provider's infrastructure," said Dr Jamie Collier, a threat intelligence consultant at FireEye.
The government will be reviewing the Network & Information Systems Regulations within the next 12 months.