Muscat: Authority for Electricity Regulation, Oman has announced a licence modification in all licensees, owned and operated by the Supervisory Control and Data Acquisition (SCADA) and Data Capture Systems (DCS) systems related to cyber security.
The SCADA and DCS systems fulfil a critical role in the electricity sector, enabling the safe and efficient operation of power plants and transmission and distribution networks on a round-the-clock basis that ensures customers are provided with the electricity they need, irrespective of when they need it.
Qais Saud Al Zakwani, executive director of the Authority, said: “The SCADA and DCS systems are very diverse in terms of technologies, complexity and age, with the more modern systems being highly complex and interconnected computerised systems using modern IT and data networking technologies.”
“This complexity and interconnectivity brings risk, and the identification and mitigation of the risks and hazards due to accidents or malicious activity relating to modern SCADA and DCS systems (i.e., SCADA and DCS cyber security) is not a mature practice and is not commonly covered explicitly by regulations in Oman,” he added.
“The impact of a cyber security incident could range from a minor disruption to significant impacts, such as a system shutdown or mal-operation, so that the Authority must consider carefully the options open to them to ensure that the sector takes an appropriate approach to managing SCADA and DCS cyber-security risks,” he said.
Mahmood Al Habsi, regulatory engineer, stated, “The Authority has appointed PA Consulting to assist in the development of a new standard to address the risks associated with cyber security for critical infrastructure in the electricity and related water sectors in Oman. The main conclusion identified from the audit carried out by the Authority is that the sector does not yet have a mature approach to SCADA and DCS cyber security.”
“Although there are some safeguard approaches that have been conducted by operators, the areas of concern include very little evidence that management systems are in place for SCADA and DCS cyber security, a low level of security awareness and ultimately, the impact of security threats is not only dependent on the level of protection in place, but the capability to detect and the capability to respond,” he added.
Having identified the weaknesses and the current status of cyber security for SCADA and DCS, the Authority has decided to take a proactive regulatory approach, which covers regulation by setting baseline mandatory standards, with a phased transition from regular compliance audits to audits by exception.
The expected transition period from the regular compliance audits to audits by exceptions would vary between three and five years, depending on the progress of developing management systems and capabilities.
The licensees will be required to comply with the baseline mandatory standard, which is incorporated into license conditions that would is effective from January 1, 2016.