Project Summary

In response to Aim 4 of Challenge 3, this innovation project focuses on development of a repeatable measure of the effectiveness of active cybersecurity controls. We will use these measures to derive a robustness score.

Additionally, innovation and technological advancement is delivered through developing software applications that will provide this trusted assessment automatically and at scale. These applications will be delivered, across hundreds of geographically distributed assets, as part of the Phoenix ecosystem at the site edge and in the cloud. Phoenix, built and maintained by deltaflare, is a software-defined security platform currently in use within the Critical National Infrastructure.

Enabling a deep understanding of the network robustness will underpin the cybersecurity required for secure digitalisation towards reaching Net Zero.

SGN, the project Energy Network Licensee, is one of the largest utility companies, distributing natural and green gas safely and reliably through our 74,000km of pipes to 5.9 million homes and businesses across Scotland and southern England. SGN's plans to transition to digitalised future networks requires robust and resilient networks.

Deltaflare, the industrial partner, are recognized within the UK utility and cybersecurity domains for their innovative approach and expertise. They support Ofgem on NIS inspections and deliver cybersecurity guidance to the industry through the NCSC. Our founders are elected by the UK gas industry to act as the Competent Design Authority for OT cybersecurity.

SGN has been working with deltaflare and has trialled the use of Phoenix to deliver enhancements to its network resilience and robustness. SGN will provide access to their facilities and resources as required across the life of the project.

The Ministry of Defence (MOD) is a government department led by the Secretary of State for Defence. Nested within Strategic Command and Defence Digital, the Cyber Resilience Programme (CRP) aims to substantially reduce risk, protect critical assets and systems and develop a cyber-aware workforce that will allow MOD to make cybersecurity part of the DNA of its business and operations.

The MOD CRP are a non-funded partner in this project who will provide cross-domain expertise during the Discovery phase of the project and will disseminate the learning during later phases.

This project challenge is shared between all operators of essential services. When successfully exploited, the outcome of this innovation project could be used by all gas and electricity operators to gain live view of their network robustness in their journey to Net Zero.

Innovation Justification

Following the enactment of the Network & Information System (NIS) regulations in 2018, the cybersecurity regulators have been working with Operators of Essential Services (OESs) to increase the resilience and robustness of their networks. The operators have adopted security controls based on their risk exposure.

Selecting of appropriate and proportional cybersecurity controls, and the assessment of their effectiveness is challenging. The skill-sets, time, and technologies required to carry out these assessments place a large burden on the operators. Lack of resources leads to such assessments not being carried out adequately or at all.

This project will create formal methodologies to derive a quantitative score of active security controls' effectiveness. Our Phoenix platform will ingest operational and security data to use in its analytics and machine learning engine to measure the effectiveness of each active security control.

This will be translated into resilience and robustness and would provide SGN with real time knowledge to make decisions on how to best maintain and increase the security of their facilities.

This project is novel as it provides a change of mindset around the way OT cybersecurity is viewed and procured. It challenges the current approach that assumes security until failures occur. Instead, it provides the tools to adopts an assurance and pre-emptive mindset. It delivers new technologies to practically measure the effectiveness of cybersecurity controls through hardware and software monitoring, human behaviour, and big data analytics.

Our project will provide the techniques and technological advancement to assess, maintain and procure cybersecurity controls in a way that has not been carried out before. This will reduce costs to the operators and create economic value for the UK.

Due to the innovative approach, this style project would normally have a risk profile that is too high for BAU or other funding methods. In addition, if the project were funded under BAU or other methods, it would take significantly longer, and the solutions would arrive too late to enable effective transition to net zero. This project addresses a current challenge by the gas and electricity operators and the outcome would benefit the networks and Ofgem.

The staged approach from feasibility to trial and to full roll-out makes it suitable for the SIF funding mechanism. It allows SMBs to deliver innovation to large operators such as SGN.

Project Benefits

The net value to the Consumers would be measured against a number of Key Performance Indicators (KPIs) associated with the selected benefits. During the Discovery Phase these KPIs would be evolved and tuned to provide a more accurate assessment.

The industry is widely believed to be on the verge of a life-threatening cyber-attack (reference Gartner prediction by 2025 study). The measure of avoided cybersecurity-related losses would be established by taking into account:

• quantified cost of losses as considered within SGN OT cyber risk assessments
• quantified cost of losses as captured in SGN hazard and consequence analysis
• global moving average of industrial cyber events
• risk avoidance cost associated with currently unmonitored cybersecurity controls

During the Discovery phase, the above would provide a justified quantitative measure of the costs saved by the networks and consumers. We would also carry out a market study on the value that would be generated by offering this new technology to the national and international market as a measure of economic value.

During the Alpha phase, we will use the existing Phoenix install bases to measure the demand put on each security control and calculate the cost to the network associate with the failure of those controls. This would provide an empirical justification and tuning of the potential for cost savings.

The full extent of the cost savings related to the avoided losses would be realised during the Beta phase when the entire network is protected.

The overall spend on smart technologies and OT cybersecurity enhancements in the RIIO-2 regulatory period is estimated to be more than £1b across all the regulated gas and electricity operators. This forecast is based on current cybersecurity monolithic procurement model.

We anticipate being able to rollout this solution across the entire SGN network by the end of RIIO-GD2 period. During the Beta phase, we will measure the effectiveness of controls selected in the RIIO-GD2 to provide an analysis of potential cost saving that would have been achieved by selecting the right controls. We would use this learning to enable SGN to select addition controls during RIIO-GD3.

At this stage we would be able to show that a considerable cost saving (estimated at 15%) would be achieved in funding request in the new funding period.