SSES Security Governance Group

The detailed Terms of Reference for the SGG, covering its functions, duties, objectives, membership and decision-making arrangements, is set out in the SSES Governance Framework Document.  

The group will oversee and maintain the security frameworks and guidance that apply to Load Controllers and other SSES Participants, and will provide recommendations to the Government and regulators where changes are needed.  

The Security Governance Group will consider matters such as:  

• cyber security requirements and good practice for load control  

• security risk and threat assessments  

• assurance approaches that provide confidence in compliance  

• how security requirements evolve as technology and markets develop  

• how security incidents or emerging risks should be escalated .

Some discussions may involve sensitive or confidential information. Where this is the case, the group will operate appropriate confidentiality arrangements while maintaining transparency wherever possible.  

The group will help make sure that the security arrangements underpinning smart energy systems are robust, by:  

• developing and maintaining SSES Security documents and guidance documents, which may include CLF security architecture, security requirements and organisational and device-level requirements  
• assessing whether the SSES Security Framework remains proportionate, risk-based and aligned with policy set by the Government and regulatory requirements. As well as periodically review the SSES Security Framework against the SSES Objectives  
• monitoring the CLF ecosystem and landscape and updating security requirements, or proposing updates to DESNZ/Ofgem-owned documentation where appropriate
• supporting Ofgem with assessing the cyber security evidence provided as part of load control licence applications, as well as ad hoc cyber security advice and support to the sector, DESNZ and Ofgem
• supporting Ofgem with the monitoring, compliance and assurance regime for organisations in scope of the load control licence
• monitoring grid stability developments and producing any supplementary guidance to support licencees
• preparing a confidential annual State of the sub-Sector report for CLF, to feed into Ofgem’s wider STate of the Sector report
• establishing and overseeing sub–groups to explore specific issues in more detail or to support wider engagement with expert stakeholders. 

The group will bring together technical expertise from across the sector, including representatives from:   

The group will be led by an independent Chair, to ensure discussions are well-run, balanced and evidence based. Initially, the group will be chaired by a Government-appointed chair to support continuity from the existing working group to the SGG.  

Elexon does not make security policy decisions but enables the group to operate effectively within the agreed Governance Framework, supporting the Government and Ofgem on security considerations regarding ESAs and LCs.   

Candidates must be experienced cyber security professionals with the capacity, expertise and skills needed to fulfil the duties and functions of the SGG.  Members will assist with:  

• Monitoring the CLF ecosystem and landscape and updating security requirements, or proposing updates to DESNZ or Ofgem owned documentation where appropriate
• Maintaining Threat and Risk Assessments and Systems-Theoretic Process Analysis Systems-Theoretic Process Analysis documents
• Maintaining Trust Modelling and CLF Security Architecture documents
• Supporting development of Cyber Assessment Framework and proposing changes to DESNZ or Ofgem where appropriate
• Developing accompanying guidance alongside organisational and device requirements
• Supporting Ofgem with assessing the cyber security evidence provided as part of load control licence applications
• Supporting Ofgem with the monitoring and compliance regime for organisations in scope of the load control licence
• Producing an annual State of the sub-Sector report for CLF, to feed into Ofgem’s wider State of the Sector report
• Monitoring grid stability developments and producing any supplementary guidance to support licensees
• Providing ad hoc cyber security advice and support to the sector, DESNZ and regulators where appropriate.

Desirable skills and experience include:

• technical expertise – strong understanding of ESAs, security standards, cyber security measures, interoperability and governance frameworks; understanding of how flexibility markets and distributed energy resources impact network security and operational resilience; experience in risk, threat and architecture assessments; and deep experience of the sector for which the nomination relates (Load Control, Flexibility Service Provider (within the load control category), ESA Provider, Distribution Company).
• stakeholder engagement skills – good communicator with proven ability to collaborate in multi stakeholder environments and work towards consensus
• governance and analytical skills – ability to exercise sound judgement and evidence-led reasoning when assessing potential changes to security frameworks.