Implementing a cybersecurity regulation: the OFGEM approach
Alberto Stefanini; Elena Ragazzi
2020
Abstract
This document is an appendix to "Evaluating the prudency of cybersecurity investments: Guidelines for Energy Regulators". It presents a case study of the real approach adopted by a European Regulator to tackle the problem of the cybersecurity stance of the power system. EU countries (and the individual states in the U.S.) have adopted different regulatory strategies; some of them are still in an early phase of initial exploration of the problem. In that context, the Ofgem (UK) experience is a very interesting example, because its process to establish a comprehensive regulatory approach for cybersecurity is at a very advanced stage. The Office of Gas and Electricity Markets (Ofgem), supporting the Gas and Electricity Markets Authority (GEMA), is the government regulator for the electricity and downstream natural gas markets in Great Britain. We review here some recent updates concerning cybersecurity. As Ofgem is still working on the legislation for the next regulatory period (called RIIO-22, starting in 2021 for all the sectors except Electricity Distribution, which will start in 2023), our analysis covers the main principles used and the process of consultation with the stakeholders. As stated in the conclusion of the guidelines, several tools and approaches may be adopted while designing a cybersecurity regulation, but it must be clear that no turnkey solutions are available. The guidelines suggest that the contents and features of the regulation should be defined not through a one-step decision, but through a process, including for each step the collection of information, the consultation of relevant stakeholders, and time for internal reflection. For this reason, it is interesting to show an example of this process, even though it is not yet concluded.

| File | Size | Format |
|---|---|---|
| prod_422628-doc_150305.pdf (open access). Description: Implementing a cybersecurity regulation: the OFGEM approach. Type: Publisher's version (PDF) | 408.9 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


