1. Overview
When OT is mentioned, automation systems and EKSs, which constitute the continuation of the life cycle in electricity production, natural gas transportation and shipment, health sector, refineries and production sector, come to mind first. In fact, its role in our lives and in the modern economy is much more critical than we anticipated. It is a well-known fact today that a successful attack targeting automation technologies will have a heavy economic and social balance sheet.
The level of security in ICSs is alarming, and a large proportion of remotely-controlled ICSs have vulnerabilities against cyber attacks. On the other hand, there are very different fields in terms of IT and OT security architecture, and the trained human resources for EKS security are really limited.
In the light of all these developments, EMRA (Energy Markets Regulatory Board) completed a very important study on cyber security in the energy sector and published the Cyber Security Competency Model Regulation in the Energy Sector in the Official Gazette.
Accordingly, the procedures and principles have been determined to improve the cyber security of industrial control systems used in the energy sector according to the constantly evolving needs and threats, to define the minimum acceptable security level, and to the cyber resilience, adequacy and maturity of these control systems. In addition, the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector has been repealed.
With the said regulation, the organizations included in the scope of ensuring the safety and reliability of industrial control systems are determined as follows.
- Organizations holding electricity transmission licenses.
- Organizations holding electricity distribution licenses.
- Organizations that own each electricity generation facility with a license of 100 MegaWatt and above, whose temporary acceptance has been made.
- Organizations holding natural gas transmission licenses that transmit through pipelines.
- Organizations holding natural gas distribution licenses responsible for establishing a delivery control center.
- Organizations holding a natural gas storage license (LNG, underground).
- Organizations holding crude oil transmission licenses.
- Organizations holding refinery licenses.
OIZ distribution license holders and OSB generation license holders are excluded from the scope.
It was aimed to take the Information and Communication Security Guide prepared by the Presidency's Digital Transformation Office as a reference for the information systems infrastructure compatibility of the obliged institutions and to continue the TS ISO / IEC 27001 compliance within the scope of the competence model, and new inclusive and EKS-oriented controls were added to the model.
2. Competency Model and Key Control Heads
Although the competency model differs in energy sub-sectors, it consists of the following Main Control Titles. In addition, each main control heading is discussed by dividing it into sub-control headings.
Main Control Head | Explanation |
|---|---|
Industrial Network Security | It includes local network security, wide area network security, communication security, protocol security, wireless network security, integration security controls for industrial infrastructures. |
Industrial Client and Server Security | It includes logical and physical security controls for all clients and servers in the industrial infrastructure. |
Industrial Threat and Vulnerability Management | It includes threat and vulnerability management controls applied in industrial infrastructures. |
Industrial Cyber Security Risk Management | It includes industrial cyber security risk management controls appropriate to the dynamics of the industrial infrastructure. |
Industrial Asset, Change and Configuration Management | The management of assets in industrial infrastructures includes change and configuration management controls of components. |
Industrial Identity and Access Management | It includes identity and access management controls for components in industrial infrastructure. |
Industrial Incident Management and Continuity | Industrial cybersecurity incident management includes continuity, backup and redundancy controls. |
Smart Device Security | It includes security controls for industrial infrastructures using counter and IoT technology. |
Industrial Operations Security | It includes controls for industrial operation safety. |
Human Resources Security | It includes the controls that must be applied before, during and after employment for all personnel working in critical energy infrastructures. |
Physical Security | It includes security controls of distributed or singular physical environments suitable for industrial infrastructure sectors. |
Supplier Management | It includes cybersecurity controls for technology, people and infrastructure suppliers for industrial infrastructures. |
PLC security | It contains security controls related to PLC security. |
Table 1: Competency Model Main Control Headings
While three basic competency levels are determined within the scope of the competency model, the competency level required by the obliged institutions will be determined by the sectoral criticality levels determined by EMRA.
Explanation | Mandatory Completion Time (TUS) | ||
|---|---|---|---|
Electric | Natural Gas | ||
Level 1 | Entry level controls are located at this level. Items that have already been implemented or that are considered to be easily implemented are aggregated at this level. | 12 Months | 18 Months |
Level 2 | The second stage controls are located at this level. Items that require changes in the systems or processes of the liable institutions in order to apply the relevant controls are collected at this level. | 18 Months | 24 Months |
Level 3 | Third level controls are located at this level. The controls at this level require a new project or long-term change. | 24 Months | 30 Months |
Additional Control | Controls that are considered to be of high difficulty or useful to implement are collected at this level and are not required to be implemented.. | – | – |
DIP: Defined Implementation Period
Table 2: Basic Competence Levels
Targeted completion time for the implementation of controls at each level; differ according to the energy sub-sectors.(See Table-2))
With the updates to be made by EMRA, the competence levels determined for control substances and control substances will be changed in 3-year periods.
The classification in the tables below will be used when determining the control items that must be carried out by the liable institutions.
Sector | Minimum Level | Criticality Degree |
|---|---|---|
Electricity Distribution | Level 2 | Yükümlü kuruluşun kritiklik derecesine göre A, B veya C olabilir. |
Natural Gas Distribution | Level 1 | Yükümlü kuruluşun kritiklik derecesine göre A, B veya C olabilir. |
Tablo 3: Sektörel Asgari Seviyeler Tablosu
Criticality Degree | Minimum Level | Explanation |
|---|---|---|
A | Level 3 | It refers to the class of obliged institutions with the highest degree of criticality in the relevant sector. |
B | Level 2 | It refers to the class of liable institutions with medium criticality level in the relevant sector. |
C | Level 1 | It refers to the class of liable institutions with medium criticality level in the relevant sector. |
Table 4: Criticality Table
The minimum level parameter is determined by the sector and the obliged institutions act in accordance with this level. The criticality level is determined by EMRA using various parameters, and new controls can be added to the minimum control items applied according to the determined criticality levels.
With the updates to be made by EMRA, the parameters used in the criticality rating of the sectors and the criticality degrees of the obliged institutions will be changed in 3-year periods.
3. Competency Model Application Principles
The obligation to implement the competency model will begin when the criticality levels are determined by EMRA and notified to the obliged institutions.
Obliged institutions will fulfill their obligations within the scope of the competency model minimum level controls, which are prepared specifically for their criticality levels and sectors. An important point here is that after the criticality of the Competence Level is declared, the corresponding minimum level in Table 4 and the highest of the corresponding minimum level in Table 3 should be selected.
For example, the criticality level of an organization operating in the Electricity Distribution sector is declared as C. Although the minimum competency level corresponding to this criticality level is Level 1, since the minimum competency level is Level 2 specifically for the Electricity Distribution Sector, the controls that will be mandatory for the organization will be both Level 2 and Level 1 controls.
Obliged institutions will use the following compliance classification when evaluating the controls they are obliged to implement within the targeted completion time.
Explanation | |
|---|---|
Full Fit | It is the situation where the requirement for each control item in the main control headings within the scope of the competency model is met as written in the model. |
Partial Compliance | It is a situation where the requirement for each control item in the main control headings within the scope of the competency model cannot be fully met and temporary or remedial measures are applied. |
Incompatible | It is the situation where the requirement for each control item in the main control headings within the scope of the competency model cannot be met in any way. |
Out of Scope | In the event that there are alternative technologies or methods in the sub-control headings within the scope of the competency model, it is the implementation of controls in accordance with the technology and method available in the obligatory organization, and the exclusion of control items regarding other alternative technologies and methods. |
Obliged institutions must comply fully with the control items they are liable for at the end of the targeted completion period..
4. Compliance and Audit Activities
Obliged institutions will comply with the competency model in three stages;
4.1. Self Audit/Gif Analysis
Self-audits are the process of inspecting the relevant control items with their own internal resources. This stage is considered a difference analysis. This process must be completed within three months of the commencement of obligations.
4.2. Sectoral Audit
Sectoral audits are the works carried out by the company and its personnel that comply with the conditions determined by EMRA. These studies are considered as independent audits.
4.3. EMRA Inspections
by EMRA; These are the studies in which it audits the auditor companies and obliged institutions with its own resources. These studies are considered as cross-checking or control-checking. The institution can always make these audits during the process..
4.4. Obligatory Institutions;
- After completing the self-audit/difference analysis, it submits its reports to EMRA via the Energy Market Notification System within one month at the latest.
- For the controls at each competency level; At the end of the defined implementation periods, it submits the progress reports to EMRA through the Energy Market Notification System.
- After reaching the determined minimum competency level, they have to repeat their sectoral audits in the targeted completion time periods included in the competency model documents prepared specifically for the sectors..
Activity | Responsible | Duration | Explanation | |
0 | Declaration of Criticality Degree(T0)0) | EMRA | T0 | – |
1 | Competency Level Determination | II | – | Tables 3 and 4 will be used. |
2 | Self-Control and Difference Analysis | II | T2: T0 +3 Month | – |
3 | Self-Audit/Difference Analysis Report EPBS Entries | II | T3: T2 + 1 Month | Within a month at the latest. |
4 | Reaching the Specified Minimum Competency Level | II | T5 : T0 + DAT (bkz. Tablo 2) | They must be in full compliance with the control items they are responsible for at the end of the targeted completion time. |
5 | Progress Reports EPBS Entries | II | T4: T0 + DAT (bkz. Tablo 2) | Progress reports for the controls at each competency level will be sent via EPBS at the end of TUS. |
6 | Sectoral Audit (Independent Audit) | II + AUF | T6 : T5 + 12 Month | It is done within twelve months from the completion of the level processes in accordance with the competency model. |
7 | Sectoral Audit Results EPBS Entries | II + AUF | T7 : T6 + 1 Month | – |
II: Incumbent Institution
AUF: Authorized Audit Firm
DIP: Defined Implementation Period
Table 5: Implementation Plan
4.5. Authorized Audit Firms;
- It carries out sectoral audits within twelve months following the completion of the level processes in accordance with the competency model, and submits the audit reports to EMRA within one month at the latest via the Energy Market Notification System.
- In case the obliged institutions receive consultancy services during their self-audit/difference analysis studies, they cannot perform the sectoral audit with the firm from which they receive consultancy services.
Consultancy and sectoral audit services cannot be performed by using subcontractors. - Sectoral audit can be carried out with the same firm no more than three times in a row..
5. Audit Firm and its Staff
In addition to the criteria determined for the audit team formed with the service procurement in the Information and Communication Security Audit Guide, the company personnel who will conduct the competency model audits will be required to obtain a certificate of achievement after the EKS training given by the Critical Infrastructures National Test Bed Center.
Currently, studies are continuing between EMRA and Merekez on training content, certificate of achievement, training dates and related issues. It is expected that all necessary information will be shared after its completion.
5.1. Granting the Authority to Inspect
Firms applying for competency model inspection will be given a certificate of authorization to conduct an inspection, if they are determined to have the required competence as a result of the professional and technical qualifications evaluation by EMRA, and this firm will be added to the list of "competence model inspection organizations".
Firms have to ensure the continuity of the elements that ensure the authorization to conduct audits. EMRA will always be able to control the existence of these elements when it deems necessary. The titles of the companies authorized to conduct audits will be published on the EMRA website.
5.2. Removal of Authority to Control
The auditor firm will be obliged to officially submit the information and documents showing the required qualifications to EMRA at six-monthly intervals.
If the auditor company loses one or more of the qualifications it should possess, it is obliged to inform EMRA officially within one week at the latest. If it is determined that the aforementioned notification is not made in due time, the authority of the relevant firm to carry out the inspection will be terminated and the relevant firm will not be able to obtain the authorization of the inspection firm for three years from the date of the determination.
If the auditor company does not provide the information and documents required by EMRA, its authority to conduct audits will be terminated. The titles of companies whose audit authority has been terminated will be published on the Institution's website.
5.3. Evaluation
With the aforementioned regulation, it is aimed to improve the cyber security of EKSs, which constitute the continuation of the life cycle in electricity generation, natural gas transportation and shipment, refineries and production sector, according to the constantly evolving needs and threats, to define the minimum acceptable security level, and to the cyber resilience, adequacy and maturity of these control systems. The Information Security Regulation in Industrial Control Systems Used in the Energy Sector was abolished by determining the procedures and principles regarding the issue.
EMRA clearly reveals that it has taken the DDO Information and Communication Security Guide as the base model in the Regulation. From this point of view, DDO Information and Communication Security Guide Compliance Audits, which are mandatory for energy companies in the critical infrastructure category, have become even more important.
EMRA also notified all relevant companies of the obligation last year. It is of great benefit to plan and carry out the BIGR Compliance Audit study, which should be carried out once a year, for 2023 before the end of the year.
Within the scope of this audit work, the pre-audit preparatory studies (penetration tests, self-audits, difference analyzes, etc.) to be carried out by the obliged institutions, the compliance action plans that emerged during the audit and the actions taken after the audit, as well as meeting the requirements of the EMRA "Cyber Security Competency Model Regulation in the Energy Sector" will provide significant benefit.
You can find detailed information about the EMRA Regulation and its Annexes on the official website.
