The Regulation on Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213. The Regulation entered into force on the date of publication, and the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017 was repealed by the Regulation; all references to the Repealed Regulation are deemed to have been made to the Regulation.

The Regulation sets out the provisions to be applied to ensure the security and reliability of the industrial control systems (“ICS”) of the institutions consisting of legal entities holding a license in accordance with the energy market legislation[1] (“Obligated Institutions”).

In the Regulation, ICS is defined as “the system that enables the monitoring and sometimes management of processes such as the production of energy, the processing of crude oil, hard coal and similar raw materials that provide energy, and the transfer of energy through transmission or distribution layers, from one or more centers, and/or management and control systems with a special operating system whose components work on known operating systems or have known vulnerabilities”. The competency model provisions set out below have been aligned, in relation to ICS, with the following:

  • Information and Communication Security Guide
  • Safety Analysis and Test Procedures and Principles for Industrial Control Systems Used in the Energy Sector
  • TS ISO/IEC 27001
  • TS EN ISO/IEC 27019
  • ICS security controls in the energy sector

Although the competency model differs according to the energy sub-sector, the Regulation provides that it will consist of the following headings:

  • Industrial network security including local network security, wide area network security, communication security, protocol security, wireless network security, integration security controls for industrial infrastructures
  • Industrial client and server security, including logical and physical security controls for all clients and servers in the industrial infrastructure
  • Industrial threat and vulnerability management including threat and vulnerability management controls applied in industrial infrastructures
  • Industrial cyber security risk management including industrial cyber security risk management controls appropriate to the dynamics of the industrial infrastructure
  • Industrial asset, change and configuration management including management of assets, change and configuration management controls of components in industrial infrastructures
  • Industrial identity and access management including identity and access management controls for components in industrial infrastructure
  • Industrial incident management and continuity, including industrial cyber security incident management, continuity, backup and redundancy controls
  • Smart device security, including security controls for industrial infrastructures using smart meter and IoT technology
  • Industrial operation security
  • Human resources security, including controls to be applied before, during and after employment for all personnel working in critical energy infrastructures
  • Physical security, including security controls of distributed or singular physical environments, suitable for sectors of industrial infrastructures
  • Supplier management, including cyber security controls for technology, people and infrastructure suppliers for industrial infrastructures
  • Programmable Logic Controller (PLC) security

The Regulation provides that the competency model consists of three basic competency levels, and that the competency level applicable to each Obligated Institution will be determined according to the sectoral criticality degrees set by the Authority. The three competency levels set out by the Regulation are as follows:

Level 1: Entry level controls are located at this level. Provisions that have already been implemented or that are considered to be easily implemented are aggregated at this level.

Level 2: Second stage controls are located at this level. Provisions that require changes in the systems or processes of the Obligated Institution in order to implement the relevant controls are collected at this level.

Level 3: Third level controls are located at this level. The controls at this level require a new project or long-term change.

Accordingly, the Obligated Institutions are obliged to fulfil the control items assigned to the basic competency levels (“level 1, level 2 and level 3”) within the targeted completion time. In addition, the following classification is used when determining the control items that the Obligated Institutions must perform; these parameters are determined separately for each sector and are updated by the Authority periodically.

Sector                   | Minimum Level | Criticality Degree
Electricity Distribution | Level 2       | Specific to the Obligated Institution
Gas Distribution         | Level 1       | Specific to the Obligated Institution

Criticality Degree | Explanation                                                                                                              | Minimum Level
Class A            | The class of Obligated Institutions with the highest degree of criticality in the relevant sector.                       | Level 3
Class B            | The class of Obligated Institutions with medium criticality in the relevant sector.                                       | Level 2
Class C            | The class of Obligated Institutions whose criticality level is at the expected level in the relevant sector.              | Level 1

In this respect, the obligation to implement the competency model begins when the criticality levels are determined by the Authority and notified to the Obligated Institutions. Obligated Institutions must perform the controls assigned to them in accordance with the criticality levels determined by the Authority within the targeted completion time, and the following compliance classification is used when evaluating these controls:

  • Full compliance: the Obligated Institution has met the requirements of each control item under the main control headings as written in the model.
  • Partial compliance: the Obligated Institution has met the requirements of each control item under the main control headings within the scope of the competency model by applying temporary or remedial measures.
  • Non-compliance: the requirements of a control item under the main control headings within the scope of the competency model cannot be met in any way.
  • Out of scope: controls appropriate to the technology and method in use at the Obligated Institution are applied, and where alternative technologies or methods exist under the sub-control headings within the scope of the competency model, the control items relating to those other alternative technologies and methods are excluded.

The compliance of the Obligated Institutions with the control items of the competency model will be verified through auditing in three stages:

  1. Self-audit/gap analysis
  2. Sectoral audits
  3. Authority audits

Self-audits are the process by which Obligated Institutions audit the relevant control items using their own internal resources. This stage is treated as a gap analysis. It must be completed within three months of the commencement of the obligations.

Sectoral audits are audits carried out by auditor firms and their personnel that meet the conditions determined by the Authority within the scope of the Regulation. These are treated as independent audits.

Authority audits are audits in which the Authority reviews the self-audits carried out by the Obligated Institutions and the audits carried out by auditor firms. These are treated as cross-checks or control checks. The Authority may carry out these audits at any time during the process.

Through provisions such as multi-stage audits, competency models that differ according to the sector, and the criticality rating of sectors by the Authority, the Regulation aims to provide adequate and effective cyber security protection for organizations operating in the energy market. The detailed cyber security principles that were not included in the Repealed Regulation are reflected in the cyber security schemes and the measures to be taken by the Obligated Institutions set out in the Regulation and its annexes, and the Regulation aims to have those measures implemented fully and completely through multi-stage audits.

You can access the full text of the Regulation here.

[1] Electricity transmission license holders, electricity distribution license holders, each electricity generation facility whose provisional acceptance has been made and which has an installed capacity of 100 MWe or more, holders of a natural gas transmission license transmitting via pipeline, holders of a natural gas distribution license responsible for establishing a dispatch control center, holders of a natural gas storage license (LNG, underground), holders of a crude oil transmission license and refiner license holders. Organized industrial site distribution license holders and organized industrial site generation license holders are out of scope.

Authors: Burak Özdağıstanli, Ebru Gümüş