chapter 11

I want you to protect the transmission system from cyber and external threats

Here you can find out about cyber and other external threats facing the gas transmission system, and how we’re responding.

I want you to protect the transmission system from cyber and external threats  

UK infrastructure is subject to many security threats and they are increasing in sophistication and persistence.

These threats include terrorism, criminality and vulnerability in information technology (IT) and operational technology (OT) systems.

Our network is part of Great Britain’s Critical National Infrastructure (CNI) and appropriate protection from threats is therefore essential to underpin the safety, security and reliability of the nation’s energy supply. The UK government sets the requirements for the appropriate levels of physical and cyber resilience that are to be achieved in the national interest.

Download Chapter
Golden Thread

Golden Threads demonstrate how the voice of our stakeholders is reflected in our business plan outputs. And how our business plan delivers value for consumers.

I want you to protect the transmission system from cyber and external threats

 

Engagement Log

End to end description of stakeholder engagement and how it has influenced our plan

Engagement Log External Threats 

Our proposal

What our stakeholders have told us:

Protect the system from increasing cyber threats in line with government and HSE requirements

Commitment

Output type

Comply with obligations as an operator of essential services (OES) pursuant to the NIS regulations 2018.Commitment

Implement a prioritised programme of replacement and security hardening of our operational technology (e.g. industrial control systems, telemetry, metering, gas analysers and boundary control) for our compressor, terminal and above ground installation sites, including;

  • Replace xx station control systems across xx sites, making interventions on xx remote operable valves.
Deploy RIIO-1 innovation learning to enhance our SCADA system, as a faster and lower cost cyber resilience mitigation in tandem with the prioritised asset replacements.

Confidential PCD

(£417.4m) 

 

We propose ex-ante funding plus totex incentive mechanism for well-defined scope (rather than use it or lose It) regulatory treatment.

Our business IT security plan will:

  • implement a suite of initiatives to improve cyber resilience across our enterprise IT environment and implement new capabilities in line with NIS guidelines.
deliver 5 cyber resilience projects specific to the CNI services operated by the SO, including enhanced vulnerability management to enable better prevention and detection of cyber-attacks.

Confidential PCD (£43.3m).

We propose ex-ante funding plus totex incentive mechanism for well-defined scope.

Consumer benefit:

We improve the safety and resilience of the network to ride through and recover from malicious events that threaten to disrupt continuity of GB energy supplies.

Our plan delivers security enhancements that the government has identified as being in the national interest. This reduces the risk of actual events that could have severe societal consequences for GB consumers.

Applying a security innovation is a consumer value proposition valued at £9.2m


Proportionate deployment of the enhanced SCADA solution leverages maximum future consumer benefit from a project already funded in RIIO-1 by a Network Innovation Allowance.


 What our stakeholders have told us:

Use a risk-based approach to enhance cyber resilience

Commitment Output type

We will use site specific risk-based criticality and security levels to determine a proportionate response.

We will optimise our programme having regard to wider considerations of network capability, compressor fleet strategy, and possible future decommissioning of units/sites e.g. in response to emissions legislation.

 

We will always consider least functionality options such as removal of remote control functionality.
Commitment

Consumer benefit:  

This approach ensures we do not ‘gold plate’ our solutions. For example, we avoid investing in measures that are excessively costly or complex compared to the level of risk reduction obtained, or where there is a high chance of regret (e.g. if the site in question might be decommissioned within the next ten years).


 What our stakeholders have told us:

Adjust priorities, scope and work delivery inside RIIO-2 period in light of changing threat landscape

Commitment Output type

We will actively monitor potential changes in (i) intelligence on threats, (ii) site criticality security levels.

We will discuss such changes with the relevant competent authorities and, where appropriate, seek changes to our programme and price control allowances through two uncertainty mechanisms.

Uncertainty mechanism

Cyber resilience.

Trigger: Proposing 2 reopener windows (start of RIIO-2 and mid period).

Physical security

Trigger: Proposing 2 reopener windows (at mid period and end of RIIO-2).

Consumer benefit:  

Including uncertainty mechanisms involving the security agencies to monitor and adjust our delivery during RIIO-2 will ensure our effort and expenditure continues to be directed at maximising consumer benefit even when circumstances change.

The use of reopeners avoids the possibility of windfall gains/losses associated with us being over/under-funded for the appropriate level of work.


 What our stakeholders have told us:

Facilitate policing at gas sites

Commitment Output type

Comply with our legislative requirements (the Counter-Terrorism Act 2008).

Uncertainty mechanism

Pass-through cost

Consumer benefit:  

Consumers benefit from the enhanced security deemed appropriate by government. Consumers pay no more or less than the actual cost incurred.


Consumers are assured that relevant sites are secured to the level deemed appropriate by government. Monitoring and audit processes ensure compliance.

Hands on table working on National Grid Gas RIIO-2 business plan

How you shaped our business plan

Here you can find information about how we consulted with our stakeholders on our business plan.

This includes webinars, reports and consultation documents and blogs supporting our business planning activities.

Find out more

Explore our other chapters