Delivering Defensible OT Cyber Resilience in the UK: Meeting Ofgem Expectations For Electricity and Gas Networks


Electricity and gas networks form a core component of the United Kingdom’s Critical National Infrastructure (CNI), providing the energy required to sustain economic activity, public services, and national security. These networks rely on Operational Technology (OT) systems to control power generation, transmission, distribution, and gas transport safely and reliably. As these systems become increasingly connected and digitised, cyber risk has emerged as a material operational threat.

Ofgem, the UK’s energy regulator, has responded by strengthening its expectations around cyber resilience. Regulatory scrutiny is no longer limited to verifying whether security controls exist. Instead, Ofgem expects operators to demonstrate a clear understanding of their operational risks, implement proportionate and defensible controls, and maintain confidence in resilience as systems evolve. The emphasis has shifted from compliance to demonstrable operational capability and preparedness.

For electricity and gas operators, this requires treating OT cyber security not as an isolated compliance function, but as an integrated operational discipline aligned with safety, engineering, and resilience objectives.

Context & Operational Need: Ofgem’s Outcome-Based Approach to OT Cyber Security

Ofgem’s regulatory framework recognises that cyber threats to OT systems pose a direct risk to the safety, stability, and continuity of electricity and gas supply. A cyber incident affecting control systems could lead to loss of operational visibility, unsafe operating conditions, or prolonged service disruption.

To address this risk, Ofgem evaluates operators against several key resilience criteria:

  • Understanding of OT systems, dependencies, and critical operational functions
  • Implementation of proportionate, risk-based security controls
  • Demonstrated preparedness to respond to cyber incidents
  • Ability to sustain resilience as systems and threats evolve

These expectations reflect a shift toward outcome-based regulation. Operators must demonstrate not only that controls are in place, but that those controls are appropriate, operationally effective, and aligned with system safety and resilience requirements.

This places operational understanding and defensible decision-making at the centre of cyber resilience.

Key Considerations: Building Cyber Security That Withstands Regulatory Scrutiny

Meeting Ofgem’s expectations requires operators to address several critical operational and governance challenges.

Understanding System Dependencies and Operational Risk

Resilience begins with understanding the OT environment and how its components interact. Electricity and gas networks consist of complex, distributed control systems, communication networks, and field devices. Failures in specific components or communication pathways can have cascading effects across the wider system.

Ofgem expects operators to demonstrate a clear understanding of:

  • Critical operational systems and assets
  • Communication paths and system interdependencies
  • Trust boundaries and remote connectivity risks
  • Operational consequences of system compromise

Without this understanding, operators cannot prioritise cyber risk effectively or justify security decisions under regulatory scrutiny.

Implementing Proportionate and Operationally Safe Security Controls

Ofgem does not mandate specific technologies. Instead, it expects operators to implement controls that are proportionate to operational risk and compatible with engineering and safety requirements.

This is particularly important in OT environments, where inappropriate controls can introduce operational instability. Security controls must therefore be designed specifically for OT systems, ensuring they strengthen resilience without disrupting operational continuity.

Examples of operationally aligned security capabilities include:

  • Secure remote access for maintenance and vendor support
  • Passive monitoring that does not interfere with live operations
  • Recovery capabilities aligned with operational recovery objectives
  • Governance frameworks that integrate cyber risk into engineering decision-making

Controls must support operational safety—not compromise it.

Demonstrating Preparedness for Incident Response and Recovery

Ofgem scrutiny increasingly focuses on how organisations respond during incidents. It is not sufficient to have documented procedures; operators must demonstrate that personnel can respond effectively under operational pressure.

Preparedness requires:

  • Role-specific cyber training aligned with operational responsibilities
  • Scenario-based exercises that simulate realistic incidents
  • Validation of incident response and recovery procedures

These activities provide confidence that operators can maintain safe and continuous operation during cyber disruption.

Preparedness must be demonstrated—not assumed.

Sustaining Resilience as Systems and Threats Evolve

Electricity and gas networks are continuously evolving. New assets are deployed, systems are upgraded, and operational requirements change. At the same time, cyber threats continue to evolve.

Resilience must therefore be maintained through continuous validation and assurance, including:

  • Security testing aligned with operational constraints
  • Validation of system changes before deployment
  • Ongoing assessment of cyber resilience capabilities

This ensures security controls remain effective throughout the system lifecycle.

Practical Guidance: From Regulatory Compliance to Operational Confidence

Electricity and gas operators seeking to meet Ofgem expectations should focus on building cyber resilience as an operational capability.

Establish a Clear Understanding of Operational Cyber Risk

  • Operators must maintain accurate, operationally relevant visibility into their systems, including dependencies, communication pathways, and critical functions.
  • This understanding enables risk-based prioritisation and defensible decision-making.

Integrate Cyber Security Into Operational Governance

  • Cyber risk must be considered alongside engineering and operational risk. Governance frameworks should ensure cyber security supports safety and operational continuity.
  • This alignment strengthens both resilience and regulatory assurance.

Validate Preparedness Through Realistic Operational Testing

  • Training and exercises ensure personnel can respond safely and effectively during incidents.
  • Operational validation builds confidence in response capability.

Maintain Continuous Assurance of Cyber Resilience

  • Ongoing testing and validation ensure security controls remain effective as systems evolve.
  • Resilience must be sustained—not assumed.

Case Study Insight: Validating Cyber Resilience Through Operational Simulation

The CNI cyber resilience labs located at Thales Ebbw Vale, which have been built with gas operators, are a key example of operationally grounded resilience. The labs replicate the operational environment of the UK gas transmission network, including physical infrastructure, operational monitoring systems, and cyber security capabilities.

This environment enables teams to simulate realistic cyber incidents and validate response procedures in a safe, controlled setting. By exercising operational response under realistic conditions, operators can ensure preparedness, strengthen resilience, and protect continuity of supply.

This approach demonstrates the importance of validating cyber resilience through operational practice.

Conclusion: Operational Cyber Resilience Is Now Central to Ofgem Compliance

Ofgem’s regulatory expectations reflect a fundamental shift in how OT cyber security is assessed. Compliance alone is no longer sufficient. Electricity and gas operators must demonstrate that cyber security controls are operationally effective, proportionate, and aligned with system safety and resilience.

Cyber resilience must be embedded into operational governance, engineering design, and lifecycle management. Operators that develop this operational capability will be better positioned to maintain safe and reliable energy supply, demonstrate regulatory assurance, and withstand evolving cyber threats.

In today’s regulatory environment, cyber security is not simply about meeting compliance requirements—it is about ensuring electricity and gas networks can continue to operate safely, reliably, and confidently in the face of cyber risk.

Download the white paper below for more information.

Thales: Ofgem Targets White Paper