Amendments to the Turkish Regulation on the Cybersecurity Competency Model in the Energy Sector

June 2024 - In 2023, Turkey’s energy regulator, the Energy Market Regulatory Authority (“EMRA”), introduced the Regulation on the Cybersecurity Competency Model in the Energy Sector (“Regulation”) in order to (i) improve the cybersecurity of industrial control systems used in the energy sector according to evolving needs and threats, (ii) define minimum acceptable security levels, and (iii) regulate the procedures and principles regarding the cyber resilience, competence and maturity of these control systems. The following legal entities (“Obliged Entities”) are subject to the Regulation:

  • electricity distribution licence holders;
  • natural gas distribution licence holders obliged to establish a dispatch control centre;
  • licensed electricity generation plant owners with an installed capacity of 100 MWe or above;
  • refinery licence holders;
  • natural gas storage licence holders (LNG, underground);
  • natural gas transmission licence holders transmitting by pipeline;
  • crude oil transmission licence holders; and
  • electricity transmission licence holders.

On 27 May 2024, EMRA announced that it had prepared a draft of certain amendments to the Regulation (“Draft Amendment”) and that the Draft Amendment had been opened for public consultation.

The Regulation currently specifies the minimum acceptable security levels for electricity distribution, natural gas distribution, electricity generation and refinery activities. The main purpose of the Draft Amendment is to specify minimum levels for (i) natural gas storage, (ii) natural gas and crude oil transmission, and (iii) electricity transmission sub-sectors that were not previously envisaged in the Regulation.

Background

The Regulation defines the competency model as consisting of the following control domains, the detailed content of which differs between energy sub-sectors:

  • industrial network security, including local network security, wide-area network security, communication security, protocol security, wireless network security, and the integration of security controls for industrial infrastructure;
  • industrial client and server security, including logical and physical security controls for all clients and servers in the industrial infrastructure;
  • industrial threat and vulnerability management, including threat and vulnerability management controls applied in industrial infrastructure;
  • industrial cybersecurity risk management, including industrial cybersecurity risk management controls appropriate to the dynamics of industrial infrastructure;
  • industrial asset, change and configuration management, including the management of assets in industrial infrastructure and the change and configuration management controls for their components;
  • industrial identity and access management, including identity and access management controls for components in industrial infrastructure;
  • industrial incident management and continuity, including industrial cybersecurity incident management, continuity, backup and redundancy controls;
  • smart device security, including security controls for smart meters and for industrial infrastructure using Internet of Things (IoT) technology;
  • industrial operational security, including controls for the secure operation of industrial infrastructure;
  • human resources security, including controls that are required to be implemented before, during and after employment for all personnel working in critical energy infrastructure;
  • physical security, including security controls of distributed or singular physical environments suitable for the sectors of industrial infrastructure;
  • supplier management, including cybersecurity controls for technology, human and infrastructure suppliers for industrial infrastructure; and
  • PLC security, including security controls for programmable logic controllers (PLCs).

The Regulation establishes three basic competency levels within the competency model and provides that the competency level applicable to each Obliged Entity is determined by the sectoral criticality levels specified by EMRA. The levels are defined as follows:

  • Level 1: Entry-level controls. Items for which relevant controls are already in place or are assessed to be easily applicable are included at this level. It is mandatory to implement the items at this level within the targeted completion time.
  • Level 2: Second-stage controls. Items that require changes in the systems or processes of the Obliged Entities in order to implement the relevant controls are included at this level. It is mandatory to implement the items at this level within the targeted completion time.
  • Level 3: Third-stage controls. Controls at this level require a new project or a long-term change. It is mandatory to implement the items at this level within the targeted completion time.
  • Additional controls: Controls that are considered to be of a high degree of difficulty or that may be useful to implement. Controls at this level are not mandatory.

Amendments

As per the Draft Amendment, the minimum acceptable security levels for each sub-sector, including the newly covered (i) natural gas storage, (ii) natural gas and crude oil transmission and (iii) electricity transmission sub-sectors, will be as follows:

Sector                                    Minimum Level
Electricity Distribution                  Level 2
Natural Gas Distribution                  Level 1
Electricity Generation                    Level 1
Refinery                                  Level 3
Natural Gas Storage                       Level 1
Natural Gas and Crude Oil Transmission    Level 3
Electricity Transmission                  Level 3

Technical control items under the cybersecurity competency model had previously been prepared only for the electricity distribution, natural gas distribution, electricity generation and refinery sub-sectors. The Draft Amendment foresees that technical control items will also be prepared for the (i) natural gas storage, (ii) natural gas and crude oil transmission and (iii) electricity transmission sub-sectors, so that technical control items are regulated for every sub-sector within the scope of the Regulation.

The Draft Amendment also revises the wording on audits to clarify that the responsibility for having an audit performed rests with the Obliged Entity. Where an Obliged Entity has received consultancy services for the controls at its competency level, its first sectoral audit may not be carried out by the firm that provided that consultancy. The Draft Amendment further states that self-audit and gap-analysis work is not considered consultancy services for this purpose.

Conclusion

The Draft Amendment aims to complete the regulation of minimum levels and technical control items for all energy sub-sectors within the scope of the Regulation and clarifies the provisions of the Regulation discussed above. Please note that the Draft Amendment may change following the public consultation. EMRA’s announcement regarding the Draft Amendment is available on EMRA’s website (in Turkish only).

Should you have any questions with regard to the above, please contact Şeyma Olğun or Tuğberk Osman Çakırca.