Oman’s Authority for Electricity Regulation (AER) regulates the country’s generation, transmission, distribution, export, import and supply of electricity, as well as associated water production. As part of wider work to address the cyber security risks to the nation’s energy infrastructure, the AER needed to develop regulations to protect the country’s electricity industry from cyber attack.
They asked PA to undertake a rapid and comprehensive overview of the current state of security in the sector and to engage the regulated companies with the review. The aim of the work was to help the AER develop a pragmatic and flexible regulatory approach, create a baseline standard to increase cyber security preparedness and reduce risk across the sector.
We initially undertook a detailed security assessment of cyber protection and risks across the electricity companies. At the same time, we reviewed international best practice guidelines and the options for mandatory and elective standards and regulation.
We then developed a regulatory framework and baseline standard based on the UK government’s Centre for the Protection of National Infrastructure’s SCADA security good practice guides. This meant that we were able to provide the AER with a detailed analysis of the options available, along with a recommended course of action for the implementation of new regulatory requirements.
As a result of our work the regulator now has a practical standard for the industry, which it is making a requirement of the regulated electricity companies’ licence conditions. This will ensure that this critical sector has the protection it needs against cyber threats.