Critical infrastructures are the physical and functional structures that provide the essential services underpinning the everyday activities we take for granted. They are the foundations of a nation's economy, security, welfare and health. We rely on them across a whole range of activities, from the transport we use and the water we drink to the electricity that lights a lamp in the kitchen. They are of such vital importance that the processes behind these activities must not be interrupted under any circumstances. In the energy sector, industrial control systems (ICS) are the basis on which the operational processes of critical infrastructures run. These systems are in turn supervised and monitored through digital systems and networks, which report back on the state of the processes in the field. If the control systems are disrupted, no feedback data can reach the supervising personnel of the responsible organisations; this lengthens the response time and increases the impact of the disruption on the process. For the comprehensive supervision and protection of these control systems, law enforcement activities and intelligence capabilities should be carried out hand in hand. With this in mind, the Information Security By-Law on Industrial Control Systems in the Energy Sector, issued by the Energy Market Regulatory Authority, came into effect on 13.07.2017.
The by-law aims to establish and enforce rules on how industrial control systems are to be protected and secured against the threats and risks that attacks can bring, thereby removing weaknesses that could be identified and exploited by an attacker. In this way the resilience of the control systems can be sustained in a reliable and more predictable manner. The control systems can then adapt to the conditions encountered in the aftermath of an attack, so that recovery time is reduced to a minimum. This matters because a disruption leads not only to the failure of the plant that suffered the attack: in the energy sector in particular, plants operate as interconnected and mutually dependent processes, so a single failure can also bring down the wider network and halt the normal flow of daily life.
Among the parties obliged to act in accordance with the provisions of the by-law are electricity, gas and petroleum suppliers that hold a valid licence. Obligated parties must first determine their inventory of industrial control systems and report it to the Energy Market Regulatory Authority. They must also conduct penetration tests on a regular basis to identify and understand the risks associated with their processes; the scope of these tests and the grounds on which they are conducted are likewise designated by the Authority. By reviewing the reported test results, the regulator follows up on whether the obligated parties are meeting their obligations. The Authority also provides a guide to the methodology and risk assessment to be used for the security controls of the industrial control systems in the inventory, and obligated parties must follow this guide for the sake of the security of the critical infrastructures.
Once the risks associated with the system at hand have been determined, the suppliers draw up a plan setting out the measures to be taken against the identified threats and how those measures are to be carried out. The time limits set in the guide provided by the Energy Market Regulatory Authority range from six months for preparing the risk plans to one year for implementing them. Obligated parties are accordingly required to allocate the necessary personnel and financial resources.
The Turkish Energy Market Regulatory Authority, in turn, has the authority to audit the obligated infrastructure operators to verify that the duties specified in the by-law are being performed properly. An audit may be carried out upon notice, on the basis of a complaint, or following a marked malfunction in the processes.