Building security: What ‘Security by Design’ means for the UK’s energy sector

Charlotte Clayson, Partner, Trowers and Hamlins

The UK’s energy sector is in the midst of substantial change as it transitions to deliver Clean Power 2030, with a significant uplift in wind, solar, storage technologies and supporting infrastructure driving those goals. Offshore wind capacity is expected to rise by 30GW by 2030, requiring the contracting of as much capacity in the next one to two years as in the last six combined. The country must deliver first-of-a-kind technologies such as carbon capture and storage, and hydrogen-to-power, and build twice as much transmission network in the next five years as was built in total over the last decade.

Alongside this transition, there is another key change needed to ensure that the UK energy sector remains resilient in the face of a challenging global landscape: can the nation’s energy ambitions be delivered at pace without compromising security?

What is the risk?

The security risk comes from two key areas. First, from the rapidly evolving cyber threat landscape, and the attractiveness of the energy sector and other Critical National Infrastructure (CNI) as a target for sophisticated and nation-state threat actors. Secondly, from the fact that a rapid transition to a more digitised, diverse and interconnected system brings with it its own inherent risks and vulnerabilities which can be exploited by threat actors.

The Department for Energy Security & Net Zero has partnered with Ofgem, the National Cyber Security Centre (NCSC) and the National Energy System Operator (the so-called Quad Partners) to publish the Energy Sector Cyber Security Strategy. The four-year Strategy looks ahead as the government seeks to assess and manage those risks, to ensure that cyber security and resilience increase at pace, that response and recovery plans are properly tested, and to implement and expand baseline cyber requirements in ways that are proportionate to the risks faced in the current threat landscape.

As we rapidly transition the energy sector, build new networks and deploy renewable technologies we must ensure cyber security is built in from the start. This is the essence of ‘security by design’: the principle that cyber resilience is not retrofitted onto new energy infrastructure but is embedded into its architecture from the very first stage of planning.

What approach is needed to face this risk?

The NCSC has noted a stark increase in the threat to CNI systems, as adversaries seek to compromise these systems for financial gain and economic advantage, for pre-positioning, espionage, and deploying disruptive and destructive attacks that can derail the fundamentals of business – and life – as usual. The energy sector, sitting at the heart of national life, is an especially attractive target and the impact on the UK from a successful attack could be catastrophic.

If security is not embedded throughout the transformation of the energy sector, with new assets designed with security and resilience in mind and the impacts and risks that come with complex supply chains considered and managed, then adversaries are likely to exploit emerging vulnerabilities.

Security by Design in Practice

So, what does this look like for new energy projects? Early cyber engagement in new energy infrastructure is essential to ensure that key assets are secure by design.

For developers, investors, and operators bringing new assets to market, cyber security considerations must be integrated into procurement decisions, contractual arrangements, and technical specifications at the outset. Whether the asset is an offshore wind farm, a battery storage facility, or a hydrogen production plant, the questions of how it will be protected against cyber-attacks in an evolving threat landscape, and how the sector can detect, respond to and recover from attacks, must be front and centre. Those questions must be answered and kept under review throughout the project lifecycle.

As new entrants join the market, there is a risk that organisations and sectors crucial to the transforming energy system lack proportionate cyber resilience requirements or are not developed to be secure by design. The Strategy directly addresses this gap. The Quad partners aim to increase resilience across the whole energy system through evidence-gathering and prioritisation, legislative reforms, and consideration of appropriate regulatory tools.

By the end of 2027, the Quad partners state that they will have engaged with industry to promote security by design in new infrastructure, consulted on reshaping cyber regulation, and shaped proposals for introducing baseline cyber resilience requirements for all Ofgem licensees — with an initial proposal for the Cyber Essentials programme to be used as the starting point.

By 2030, they aim to have designated critical suppliers under the Cyber Security and Resilience Bill, which will have an expanded reach and the flexibility to quickly respond to new cyber threats, including within complex supply chains.

The Shared Responsibility

One of the most significant tools the Strategy discusses is cultural. Cyber security should be a board-level priority, recognising that it is a critical enabler of public trust, resilience, and competitive advantage. Security by design cannot be delegated to a technical team and forgotten: boards, executives, and leaders across the energy sector are expected to treat cyber risk with the same seriousness as safety and reliability. Cyber threats and resilience should feature on board agendas, along with an increased focus on the Cyber Code of Practice. Alongside this cultural shift, there is also a structural challenge to overcome, not least the current skills gap in people who have the relevant cyber and engineering skills – and sufficient security clearance – to lead the way on delivering a secure, resilient and rapid energy transition.

The UK’s energy sector is transforming, but without a focus on security by design in bringing new technologies on stream and expanding supply chains, the resilience and security of our national energy sector could be at risk.
