Robust cybersecurity is an enabler of Net Zero
This article was first published in Utility Week
The drive towards Net Zero intensified in 2021, with representatives of countries from around the world descending on Glasgow for COP26, and closer to home we have seen a number of UK Government policies gaining momentum. The ban on new sales of petrol and diesel combustion engines by 2030 has seen a five-fold increase in the number of electric vehicles sold, and discussion around the use of heat pumps in the home to replace gas boilers is gaining momentum.
Whilst these are all positive steps to meet Net Zero targets, in the same breath there is also an underlying and growing reference to the virtual 2050 ticking clock and challenges of the infrastructure needed to support the UK energy transition roll out.
Delivering innovation in a fragile UK energy market
As we embark on 2022, there appears to be no immediate answer to the increasing rise in energy prices, and sadly what became the almost weekly announcement of failing energy suppliers is likely to continue – at what pace will only be understood in time. The Price Cap in April 2022 is likely to see a further upwards spike in energy costs for end consumers and a further squeeze on margins for service providers in the utilities market. A subsequent review by the Regulator is not planned to be undertaken until October 2022 (based on current timetables) resulting in an energy market where cost and associated risk of service delivery continue to increase.
Against this backdrop, energy service providers are expected to deliver new innovative services at pace to maintain the Net Zero momentum, and at the same time attract end user appetite through price-sensitive delivery. The move to digital platforms and Cloud services has been rapid, driven by perceived efficiencies and benefits; however, as more innovative services are rolled out it is paramount that the services developed include a proportionate level of ‘Security by Design’. A comprehensive risk assessment to identify the protections needed for both the service organisations and end consumers is essential against a backdrop of an ever-increasing number of sophisticated malicious attacks. The alternative, an ill-conceived route to market, is to identify the vulnerabilities of a service or solution as you go. Whilst this approach may seem attractive, the potential for subsequent significant cost and PR exposure is high where best practice security controls were not implemented in the drive for low-cost, rapid market entry to undercut competitors.
As the drive for innovation intensifies we are likely to see an on-going increase of new solution providers entering what is an extremely complex, competitive and increasingly price-sensitive energy market. There is a risk that return on investment is less focussed on security risk management and driven more by rapid, low-cost go-to-market strategies where operational risk and security by design are deprioritised due to the time, cost and complexity of embedding and maintaining best practice standards.
Counter to this temptation, malicious attacks on organisations and services are increasing as innovative services become more complex and the UK energy infrastructure becomes increasingly interconnected; for example, the combination of demand for EV charging points, the required Operational Technology (OT) systems and desirable smart end user apps on mobile devices. This trajectory also raises a wider question over whether the definition of the UK’s Critical National Infrastructure (CNI) and the currently defined scope of Operators of Essential Services (OES) need to be revisited and expanded as we accelerate the UK energy transition. If Security by Design and the active implementation of best practice security controls are not robustly maintained and managed end-to-end, the UK energy market and the infrastructure upon which the UK energy transition is being built will become more fragile. The cost to retrofit security best practices will far outweigh the costs associated with implementing and embedding proportionate security and risk management best practice controls from the outset.
Security by Design should be regarded as an enabler and not a barrier
This year, we are likely to see increasing cyber security regulatory activity by Competent Authorities due to the on-going demands on UK infrastructure, along with a growing expectation that the scope of cyber security regulation may increase and that the bar for security expectations may be raised. Security by Design must therefore be regarded as an integral component of the race to Net Zero, and as an enabler and not a barrier.