What our stakeholders have told us:
Protect the system from increasing cyber threats in line with government and HSE requirements
Commitment | Output type |
Comply with obligations as an operator of essential services (OES) pursuant to the NIS regulations 2018. | Commitment |
Implement a prioritised programme of replacement and security hardening of our operational technology (e.g. industrial control systems, telemetry, metering, gas analysers and boundary control) for our compressor, terminal and above ground installation sites, including; - Replace xx station control systems across xx sites, making interventions on xx remote operable valves.
Deploy RIIO-1 innovation learning to enhance our SCADA system, as a faster and lower cost cyber resilience mitigation in tandem with the prioritised asset replacements. | Confidential PCD (£417.4m) We propose ex-ante funding plus totex incentive mechanism for well-defined scope (rather than use it or lose It) regulatory treatment. |
Our business IT security plan will: - implement a suite of initiatives to improve cyber resilience across our enterprise IT environment and implement new capabilities in line with NIS guidelines.
deliver 5 cyber resilience projects specific to the CNI services operated by the SO, including enhanced vulnerability management to enable better prevention and detection of cyber-attacks. | Confidential PCD (£43.3m). We propose ex-ante funding plus totex incentive mechanism for well-defined scope. |
Consumer benefit:
We improve the safety and resilience of the network to ride through and recover from malicious events that threaten to disrupt continuity of GB energy supplies.
Our plan delivers security enhancements that the government has identified as being in the national interest. This reduces the risk of actual events that could have severe societal consequences for GB consumers.
Applying a security innovation is a consumer value proposition valued at £9.2m
Proportionate deployment of the enhanced SCADA solution leverages maximum future consumer benefit from a project already funded in RIIO-1 by a Network Innovation Allowance.
What our stakeholders have told us:
Use a risk-based approach to enhance cyber resilience
Commitment | Output type |
We will use site specific risk-based criticality and security levels to determine a proportionate response. We will optimise our programme having regard to wider considerations of network capability, compressor fleet strategy, and possible future decommissioning of units/sites e.g. in response to emissions legislation. We will always consider least functionality options such as removal of remote control functionality. | Commitment |
Consumer benefit:
This approach ensures we do not ‘gold plate’ our solutions. For example, we avoid investing in measures that are excessively costly or complex compared to the level of risk reduction obtained, or where there is a high chance of regret (e.g. if the site in question might be decommissioned within the next ten years).
What our stakeholders have told us:
Adjust priorities, scope and work delivery inside RIIO-2 period in light of changing threat landscape
Commitment | Output type |
We will actively monitor potential changes in (i) intelligence on threats, (ii) site criticality security levels. We will discuss such changes with the relevant competent authorities and, where appropriate, seek changes to our programme and price control allowances through two uncertainty mechanisms. | Uncertainty mechanism Cyber resilience. Trigger: Proposing 2 reopener windows (start of RIIO-2 and mid period). Physical security Trigger: Proposing 2 reopener windows (at mid period and end of RIIO-2). |
Consumer benefit:
Including uncertainty mechanisms involving the security agencies to monitor and adjust our delivery during RIIO-2 will ensure our effort and expenditure continues to be directed at maximising consumer benefit even when circumstances change.
The use of reopeners avoids the possibility of windfall gains/losses associated with us being over/under-funded for the appropriate level of work.
What our stakeholders have told us:
Facilitate policing at gas sites
Commitment | Output type |
Comply with our legislative requirements (the Counter-Terrorism Act 2008). | Uncertainty mechanism Pass-through cost |
Consumer benefit:
Consumers benefit from the enhanced security deemed appropriate by government. Consumers pay no more or less than the actual cost incurred.
Consumers are assured that relevant sites are secured to the level deemed appropriate by government. Monitoring and audit processes ensure compliance.