03 August 2015
MUSCAT:  The Authority for Electricity Regulation Oman, the Sultanate's regulator for the power and related water sector, plans to introduce guidelines making it mandatory for companies operating within this strategically vital sector to secure their critical infrastructure from potential cyber attacks. The new regulations, due to be issued during the course of 2015, will be part of the licensing obligations of water desalination firms, as well as power generation, transmission and distribution companies operating under the Sector Law.

Ensuring security of electricity and water supply, says the regulator, is a key part of its statutory functions under the Sector Law. This is articulated in Article 22 of the law, which enjoins the Authority to secure and develop the safe, effective and economic operation of the electricity and related water sector.  Also a key part of its remit is to secure the preparation of technical specifications and criteria and performance security standards for the sector.

According to the Authority, current cyber security legislation in the Sultanate, as enshrined by the Oman e-Transaction and Cyber Crime laws, pertains to general IT crimes per se, and does not address potential cyber threats to industrial automation control systems.

"The Authority has confirmed that there are presently no regulations in Oman dealing with Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control System (DCS) cyber security," the regulator said in its newly released 2014 Annual Report.

An audit also found "very little evidence that management systems are in place for SCADA and DCS cyber security, a low level of security awareness and ultimately, the impact of security threats is not only dependent on the level of protection in place, but the capability to detect and the capability to respond," the regulator noted.

As a first step in the development of regulations to help combat potential cyber attacks, the Authority signed up well-known UK-based international consulting and technology firm PA Consulting to assist in the effort.

It also organised a seminar at which licensees and exemption holders were given an overview of the Authority's plans for cyber security regulation, the benefits accruing to the sector and the national economy upon their successful implementation, and the importance of compliance.

While licensees will be required to comply with the baseline mandatory standard as part of the Authority's licensing requirements, it will not be made immediately obligatory to Exemption Holders -- organisations like Sohar Aluminium, Petroleum Development Oman, and so on, which generate electricity primarily for internal use. However, Exemption Holders connected to licensed systems or networks will be required to put in place adequate measures to secure their systems from cyber security threats, the regulator added.

Significantly, the Information Technology Authority (ITA) has welcomed the regulator's efforts to secure the critical infrastructure of the electricity sector, which continues to attract hundreds of millions of dollars in new investment each year in trend with rising power and water demand growth in the Sultanate.

© Oman Daily Observer 2015