Dealing with Regulation in CNI
I-4 Forum 81: 10th-12th March 2014
Presenter: Raminder
Outline
- Background to National Grid
- Assuring security in CNI
- The two main regulatory frameworks
- The SECONOMICS project
- Assessing the effectiveness of regulatory structures
- Calibrating the research outcomes and 'selling' them
National Grid
UK and US Electricity and Gas Transmission & Distribution
Key facts

Employees, consumers and customers:
- ~28,000 employees, 63% of whom work in the US
- Distributes gas on behalf of shippers and suppliers to around 11M consumers in the UK
- 4.4M electricity and 3.4M gas customers in the US

Transmission:
- 9,000 circuit miles of high-voltage overhead line and 420 miles of underground cable in the UK; 10,000 miles of electricity transmission in the US
- 60 entry points and 200 supply points to distribution companies
- 337 UK and 680 US substations
- 4,300 miles of high-pressure pipeline, with 106 off-take points for eight distribution networks
- 7 coastal terminals and 26 compressor stations

Distribution:
- 82,000 miles of pipeline covering a quarter of Britain, and 32,000 miles of main and distribution pipes in the US
- 122,000 circuit miles of electricity distribution

Generation:
- 4,150 MW of generation capacity in the US
Confidential - shared with CPNI at AMBER
Critical National Infrastructure (CNI)
Critical National Infrastructure (CNI) is key to a nation's prosperity and wellbeing. It includes (but is not limited to):
- Water treatment and delivery
- Electricity transmission and distribution
- Gas transmission and distribution
- Public transportation systems
- Telecommunication services

In the UK, CPNI defines CNI as "those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends".
Securing CNI
It is essential to keep CNI systems secure. With many CNI industries privatised, how can government be assured that CNI operators are appropriately securing their systems against vulnerabilities, and against the threat actors who may be motivated to exploit them? Another way to frame the same question: how can government regulate CNI operators so as to best incentivise them to be information/cyber secure?
Regulation: Risk vs. Rules I
National Grid operates electricity (and gas) transmission networks in both the UK and the US. These jurisdictions have very different regulatory regimes in place around information and cyber security.

In the UK, National Grid is regulated by DECC and has to uphold the following high-level principle: "It shall be the duty of the holder of a licence authorising him to transmit electricity to develop and maintain an efficient, co-ordinated and economical system of electricity transmission...". There are no specific requirements or standards on cyber security, but it can be argued that without a commensurate level of security controls in place it would be difficult to maintain an "efficient, co-ordinated and economical system".
Regulation: Risk vs. Rules II
In the US, National Grid has to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards on cyber security. There are 171 mandatory requirements within the CIP standards.

Compliance with NERC CIP: to enforce the CIP standards, NERC uses regional entities (for National Grid, the NPCC) that conduct a full external audit every 3 years. The NPCC interprets and assesses compliance against these standards using Compliance Application Notices (CANs). Sometimes this interpretation is disproportionate to the original aim of the requirement (the security control it was meant to ensure).
Regulation: Risk vs. Rules III
We have summarised these different regulatory systems in the following diagram (reproduced here as a table).

National Grid regulatory summary:

UK
- Regulators: DECC & Ofgem; guidance from CPNI
- Character: high-level regulation and guidance
- Approach: risk/principles based

US
- Regulators: DoE, FERC & NERC
- Character: NERC CIP standards, with mandatory audits and fines
- Approach: rules based
SECONOMICS – Security Economics
As regulators look to update or change regulatory systems for CNI, National Grid is keen to help steer regulation in a direction that is best for all parties. To that end, it has become involved in a European Commission project.

SECONOMICS is a collaborative project funded through the European Commission Seventh Framework Programme (FP7). Its scope is to research the socio-economic aspects of security across a number of industries. The aim is to develop security policy papers that inform regulators and stakeholders across Europe, in the relevant industries, on how best to regulate those industries. The expected duration of the project is 3 years.
Work Packages
Industry case studies:
- WP1: Air Traffic Management. DeepBlue SRL & Uni. of Anadolu (Anadolu Airport)
- WP2: Critical National Infrastructure. National Grid (UK Electricity Transmission)
- WP3: Urban Public Transport. Atos Spain & Ferrocarril Metropolita de Barcelona (Barcelona Metro)

Technical work packages:
- WP4: Security and Society. Institute of Sociology of the Czech Republic (modelling across all case studies)
- WP5: Security Risk Models. Universidad Rey Juan Carlos (modelling WP1 & WP3)
- WP6: Economics and Systems Models. Uni. of Aberdeen (modelling WP2)
SECONOMICS – Aim & Benefits
In the CNI workstream, National Grid is providing the UK's Electricity Transmission Network as its example of CNI. The focused aim of this workstream is to assess which type of regulatory structure (risk-based or rules-based) best incentivises CNI operators to be secure, now and in the future. Success here will be to provide evidence-based recommendations on the different regulatory systems to UK, US and European regulators about what type of regulation works best for CNI operators.
Assessing the Effectiveness
There are pros and cons to both types of regulatory system (risk-based and rules-based). Through its involvement in SECONOMICS, National Grid hopes to assess their attributes analytically rather than anecdotally.

To answer the key question, we look at how effective each regulatory system is at ensuring that the CNI operator has a commensurate level of security. We do this by building models with the academic partners that internalise the regulatory system, the actions of the firm, shocks, vulnerabilities and so on. We then validate and calibrate the models against expert opinion.

The next slides look at the two modelling approaches being taken:
1. An economics-based model
2. A systems-based model
Modelling Work I
An economics-based model that takes a holistic view of the sustainability and resilience of the ecosystem, i.e. electricity transmission, from a security perspective.

[Figure: nominal operating capacity (between a max and a min) plotted against time from t0 to T. A trend line is shown with and without a steward; shocks at t1 and t2 push the system away from the trend, and without a steward the system diverges. A lower boundary of stewardship effectiveness is marked.]
Modelling Work II
A systems model that looks at how a CNI operator reacts to new vulnerabilities and attacks within different regulatory structures.

[Figure: systems model diagram. Transitions (Tr.) link vulnerabilities, firm controls and spend (spendF, spendP), harm, audit, rules and transmission, performance measurement and policy-maker loss transform; loss (LP, LF) is transferred against a budget and a reward. Caption: calculation of preferences (via losses), prior to anticipation.]
Stakeholder & Engagement
Building these models is only the first step. The models need to be calibrated and validated by our key stakeholders, principally internally but also externally, to gain acceptance. In this way the output of the models and the general outcomes will have value and credibility among the key stakeholders. A set of key stakeholders has been established for the CNI workstream, both those who provide input into the work and those who would get value from the research outcomes and recommendations. A stakeholder map is presented on the next slide.
Stakeholder Map
[Diagram: stakeholder map. Columns run from National Grid internal (NGRID US, NGRID UK) through National to Supra-national (European Commission); rows are CNI Networks, Regulators, Agencies, SIGs and Vendors.]

Stakeholders named in the map:
- National Grid internal (NGRID UK and NGRID US): DR&S; also listed: Future Reqs, European Co-ord Group
- National regulators and agencies: Ofgem, DECC, CPNI
- National SIGs and CNI networks: STEG, SCSIE, Energy CISOs, ENA
- Supra-national (European Commission): DG Energy, DG Justice, DG Connect
- Supra-national agencies and SIGs: ENISA, ENTSO-E WG CSP, TNCEIP, ENISA Smart Grid WG, Smart Grid Taskforce, Ext. Group 2
- Vendors

Footnotes on the map: "In support of DG Connect"; "Sponsored by ENISA".
Conclusion
Governments and regulators are keen to ensure that CNI is appropriately secured, but are not always sure how best to do this. The CNI workstream within the SECONOMICS project aims to provide government and regulators with some (unbiased) recommendations around regulation. There are no "right" answers; instead, different approaches may work better in different situations, industries and/or cultures.