SP Energy Networks, RIIO-T3 Business Plan Blog. This is how we build resilience to cyber threats. Euan Birch, Head of Cyber Security Operations.
Blog by Euan Birch, Head of Cyber Security Operations
During National Cyber Security Month, I’m pleased to share the next in the series of blogs linked to the delivery of our RIIO-T3 Business Plan in December this year. In this blog, I set out our ambition to maintain a cyber resilient network and cyber secure services through our people, processes and technology. If you’re looking for a short summary of this blog, scroll to the end or jump to the top 3 key points.
Background
As a transmission and distribution network owner, we keep electricity flowing to homes and businesses throughout Central and Southern Scotland, North Wales, Merseyside, Cheshire and North Shropshire. We play a critical role in enabling the transition to a more sustainable future and enabling Government missions of turbocharging the UK to clean power by 2030, reaching Net Zero by 2045 (Scotland) and 2050 (UK).
ScottishPower’s recent ‘Green light for Growth’ recently highlighted the need to “double down on grid investment” to “unlock investment, drive economic growth, and deliver clean energy security.”
Our next Transmission Business Plan (RIIO-T3 Business Plan), to be published in December this year, will set out our proposed investment in the transmission network in Central and Southern Scotland for the 5 years between 2026 to 2031. We will upgrade and expand our network to maximise capacity to meet increasing demands for electricity. This is critical in enhancing energy security for Scotland and beyond, alongside helping protect society from the dangers of climate change whilst delivering economic growth through good, green jobs and community benefits.
While we deliver the growth required to meet increasing energy demands we will be required to ensure that our network remains resilient to all potential risks and threats including cyber security.
What is cyber security and cyber resilience?
October is recognised as National Cybersecurity Awareness Month (NCSAM) and aims to raise awareness about the importance of cyber security.
‘Cyber security’ is the term given to describe how we secure our people, processes and technology and remain resilient to malicious attacks over the internet and within our network.
The UK Government defines ‘Cyber resilience’ as the ability for organisations to prepare for, respond to and recover from cyber attacks and security breaches. Cyber resilience is key to operational resilience and business continuity, as well as the growth and flourishing of the UK economy.
As an Operator of Essential Services, the UK Government through Competent Authorities, such as Ofgem, ensures that SPEN meets their duties with regards to the cyber security of the network. We take our duties seriously and have a plan to invest in our cyber services to meet the needs of our customers for a resilient network.
What does this mean for SP Energy Networks?
Our electricity network infrastructure is critical to ensuring power gets to where it’s needed, from homes, businesses, hospitals and busy transport hubs.
Cyber security and resilience is playing an increasingly important role in how we operate as more of the operations of our infrastructure move online, through digital services and centralised control rooms.
Investment in cyber security is an ongoing priority as we recognise that the security of our people, processes and technology is vital to the continued success of our business. In RIIO-T3, we will continue to invest in Cyber Security as part of our risk-based approach and contribution to the resilience of our transmission network. We will also be developing a Cyber Security Plan, this will not be published publicly due to the sensitivity of the content but will address 
the key challenges of the UK National Cyber Security Centre Strategy to significantly harden against cyber attacks and be resilient to threat actors by following guidance and the Cyber Assessment Framework. Whilst this plan is confidential, you can read more about our wider Digitalisation Strategy on our website.
This builds on our RIIO-2 Business Plan when we created IT and OT (Information Technology and Operational Technology) Cyber Resilience Plans to ensure the safety of the transmission and distribution networks. We built a Cyber Resilience plan which transformed cyber security in line with expectations set by the UK Government, the UK National Cyber Security Centre and Ofgem.
Common Challenges
The cyber security landscape from 2026 to 2031 is anticipated to face numerous challenges. Common initial attacks will remain widespread, continuing to pose significant threats alongside more advanced attack types from various threat actors across the globe. Resilience in the face of increasingly sophisticated cyber threats remains critical, particularly those targeting public sector organisations.
These issues are shared and require national and international collaboration to tackle the transnational nature of cyber challenges. Ensuring robust cyber defences to protect critical infrastructure and sensitive data will be essential. With the rapid pace of technological advancement, staying ahead of cybercriminals, who are constantly devising new attack methods, will be another key challenge.
Cyber Strategy
We will soon be refreshing our SP Energy Networks Cyber Security Strategy which supports our risk-based and threat-based approach. Considerations within this Strategy will include: Supporting the wider business with their journey towards Net Zero, Impact of AI and Automation on Cyber Security, Human Risk and ensuring the delivery of all our RIIO-3 commitments.
Stakeholder Engagement
As well as internal engagement across our business and with ScottishPower / Iberdrola, our Cyber team actively engages with a variety of external groups, partners, and peers to influence the direction of cyber within our industry, including the UK Cyber Security Task Group (E3CC), UK Energy Networks Association, Academia, Ofgem and the UK National Cyber Security Centre (NCSC).
Register as a Stakeholder
You can Register as a Stakeholder to be kept up to date with engagement opportunities relating to our RIIO-T3 Business Plan. Members of our Independent Net Zero Advisory Council (INZAC) will also be supporting the development of our Business Plan, scrutinising both the technical plans as well as ensuring any emerging customer issues are fully considered.
The top 3 takeaways from this blog are:
- We are developing our next Transmission Business Plan (RIIO-T3 Business Plan) which will be published in December 2024.
- Cyber security is a key part of ensuring a secure energy transition. In RIIO-T3, we will continue to invest in Cyber Security as part of our risk-based approach and contribution to the resilience of our transmission network.
- Register as a Stakeholder to be kept up to date with engagement opportunities relating to our RIIO-T3 Business Plan.
Stay up to date via our dedicated RIIO-T3 page which will be updated regularly with new blogs, our progress and opportunities for engagement. If you have any enquiries about our RIIO-T3 Business Plan, please email us on riio-t3pmo@spenergynetworks.co.uk.