Policy paper

Government Response to the National Infrastructure Commission report ‘Anticipate, React, Recover: Resilient Infrastructure Systems’

Published 15 September 2021

Applies to England

Introduction

In 2018, HM Government asked the National Infrastructure Commission (NIC) to conduct a study on the resilience of the nation’s economic infrastructure. This review covered a subset of critical national infrastructure (CNI) sectors - namely the energy, water, digital, road and rail sectors. The results of this review were published in May 2020 in the NIC report Anticipate, React, Recover: Resilient Infrastructure Systems.

This report emphasised the need to consider resilience in the round within a framework that addresses six aspects of resilience - anticipate, resist, absorb, recover, adapt and transform - as identified by NIC. NIC summarises the findings and recommendations in the report as follows (full recommendations are included in the response below):

“To deliver resilient infrastructure, a framework for resilience is required that:

  • better anticipates future shocks and stresses by facing up to uncomfortable truths
  • improves actions to resist, absorb and recover from shocks and stresses by testing for vulnerabilities and addressing them
  • values resilience properly
  • drives adaptation before it is too late

Much of what is needed is already in place, but improvements can still be made:

  • government should publish a full set of resilience standards every five years, following advice from regulators, alongside an assessment of any changes needed to deliver them
  • infrastructure operators should carry out regular and proportionate stress tests, overseen by regulators, to ensure their systems and services can meet government’s resilience standards, and take actions to address any vulnerabilities
  • infrastructure operators should develop and maintain long term resilience strategies, and regulators should ensure their determinations in future price reviews are consistent with meeting resilience standards in the short and long term”

The publication of the NIC resilience report occurred at a pivotal time in the nation’s approach to resilience. The UK was in the early stages of the Covid-19 outbreak and the opportunities as well as challenges of this period were emphasised in the National Infrastructure Strategy and the Prime Minister’s commitment in Autumn 2020 to build back better, greener and faster from the pandemic. In the National Infrastructure Strategy, the government also agreed with the primary findings of another NIC study on economic regulation, that the UK’s system of economic regulation needed updating to rise to 21st century challenges such as floods, droughts and climate change.

In March 2021, HMG published the Integrated Review which sets the overarching vision and strategic framework for building the UK’s security and resilience on a global scale. The Integrated Review incorporates a strong emphasis on the need for resilience and includes an increased commitment to resilience by defending the UK’s CNI, including the economic infrastructure sectors, as well as the UK’s people and way of life which directly depend on these sectors.

The Integrated Review also includes a government commitment to develop a comprehensive National Resilience Strategy that will establish a ‘whole-of-society’ approach to resilience, consider threats and hazards in the round, develop greater capabilities that can be used across a range of scenarios, review the approach to risk assessment, and strengthen HMG tools to better assess cross-cutting, complex risks. Development of this resilience strategy is now underway, with a final strategy to be published in the first half of 2022.

HMG are considering the recommendations outlined in this NIC report within the wider resilience context. This includes using these recommendations to help guide the ongoing development of the National Resilience Strategy - the outcome of which will influence how and to what extent HMG implements the specific elements of the recommendations. Furthermore, while the report specifically considers economic infrastructure sectors - energy, water, digital, road and rail - the findings and recommendations are relevant across other CNI sectors. So throughout this response and the development of the National Resilience Strategy, HMG are considering the implications right across wider CNI policy.

As the development of the National Resilience Strategy is ongoing it would not be right to pre-empt the outcomes of this Strategy and how this would affect specific HMG infrastructure and CNI policy. In this response, we have outlined where HMG agrees or accepts the core elements of the recommendations (recommendations 1 and 2). The details of how HMG would implement these recommendations would not be finalised until after the development of the Strategy. The approach taken by HMG may differ from that recommended by NIC in terms of the specific details of implementation, such as for timings. For the final recommendation, HMG will not accept or reject it until after the outcome of the Strategy. This is due to the need to assess the requirements placed on infrastructure operators in the wider context of the Resilience Strategy. Throughout the response, we have provided high level comments on each of the elements of the NIC resilience recommendations with a commitment to continue considering the recommendations as part of the development of the Strategy.

HMG will offer a follow-up response after the National Resilience Strategy has been published and work to implement measures and priorities outlined in the Strategy is underway. This follow-up response will outline in greater detail the extent to which HMG will follow these recommendations. HMG will consult with industry stakeholders before introducing any new cross-cutting requirements for CNI and other infrastructure operators.

Response

To draw the three primary recommendations together, the NIC states that a “framework for resilience should deliver infrastructure that is resilient to a range of future challenges”.

HMG agrees with this statement.

As outlined in the Integrated Review, HMG has committed to “improv[ing] our ability… to anticipate, prevent, prepare for, respond to and recover from risks to our security and prosperity” (p.22). This will be delivered through the development of a comprehensive National Resilience Strategy which is underway.

This work will establish an enduring framework to improve the UK’s resilience to emergencies and adapt to new and/or evolving risks. These risks include both malicious and non-malicious risks such as climate change, emerging technology, state threats, cyber attacks and interdependencies between sectors on both a national and global scale.

The National Resilience Strategy will specifically consider the roles and responsibilities of CNI owners and operators to ensure high levels of resilience across our most essential sectors. The strategy will also consider how to integrate the roles of CNI owners and operators within a wider framework that also incorporates all levels of government, the wider private sectors, civil society and the public.

Recommendation 1:

“Government should introduce a statutory requirement by 2022 for Secretaries of State to publish:

  • clear, proportionate and realistic standards every five years for the resilience of energy, water, digital, road and rail services
  • an assessment of how existing structures, powers and incentives enable operators to deliver these standards or where changes are needed.

Regulators should introduce obligations on infrastructure operators to meet these resilience standards by 2023.”

HMG accepts the recommendation to establish and thereafter maintain clear, proportionate and realistic resilience standards for CNI sectors, subject to the outcome of the current National Resilience Strategy call for evidence. Establishing these standards will help ensure a stronger common understanding of the resilience expected including between sectors, identify gaps in resilience measures and drive forward improvements. The details of this will be finalised after the outcome of the National Resilience Strategy. This includes considerations of which stakeholders would be in scope, content, timeframes, the legal status of such standards, how they would align with existing standards and appropriate measures to ensure compliance.

This would build on work conducted in recent years to improve standards and confidence in the resilience of key industry and local response partners. In 2020, HMG published resilience standards for Local Resilience Forums following a commitment in the Strategic Defence and Security Review. HMG is also currently consulting on government proposals regarding reporting, audits and corporate governance of FTSE 350 companies following the impact of major insolvencies such as Carillion in 2018. HMG are proposing new statutory objectives and powers to ensure the regulator, the Financial Reporting Council, is able to effectively hold companies to account for implementing these standards. These proposals would affect several companies that play key roles within the UK’s economic infrastructure and other CNI sectors.

In the National Infrastructure Strategy, HMG supported the adoption of a coherent approach across economic regulators towards resilience, and committed to reviewing the most appropriate measures to ensure that regulators make the necessary contributions to achieve long-term resilience. This includes a consideration of the role played by regulator duties, and the potential merits of a cross-sector strategic policy statement and the role it could play in setting a consistent resilience standard across utilities. Further details on this will be set out in an overarching economic regulation policy paper later this year.

Building on what the NIC outlined in the report, some sectors already have outcome-based resilience standards. This is the case in the electricity sector which has the Quality of Service Guaranteed Standards. These Standards are set and monitored by the energy regulator Ofgem and outline the level of service that electricity distribution network operators are expected to deliver in all cases, which cover 12 key service areas, including supply restoration, connections and voltage quality.

Setting agreed standards is key to effective assurance regimes that ensure that the UK’s most critical systems and organisations are resilient across a broad range of risks, that operators, regulators and stakeholders have confidence in that assurance and have clarity on what further resilience improvements are necessary and desirable. In recognition of this, HMG has committed in the Integrated Review to “consider strengthening the role and responsibilities of CNI owners and operators to ensure a consistent resilience standard across CNI sectors” during the development of the National Resilience Strategy.

Further work to examine how to ensure a consistent resilience standard across economic infrastructure and other CNI sectors will be taken forward alongside the development of the National Resilience Strategy. These decisions will take into consideration consumer expectations, the range of risks faced by CNI and how these risks are likely to evolve, and the extent to which these should be set by individual Secretaries of State or central government. Any new cross-sector standards would be assessed to ensure that they would be effective across the relevant sectors and complement existing standards. Where appropriate, existing structures will also be assessed to ensure they operate effectively alongside and support the delivery of any new standards.

The relative responsibilities of HMG and regulators would also be considered to ensure industry operators understand and are confident in implementing any new requirements. Furthermore, proposals for new standards would be assessed to ensure the costs of implementing them are proportionate to the expected outcomes in terms of risk mitigation. HMG would work in collaboration with industry partners to develop any new resilience standards and they would be reviewed regularly once implemented.

Recommendation 2:

“Regulators should require a system of regular stress testing by 2024 for energy, water, digital, road and rail infrastructure operators, to ensure that infrastructure operators’ systems and decision-making can credibly meet resilience standards for infrastructure services.

Regulators should introduce obligations by 2023 on infrastructure operators to require them to participate in stress tests and to require remedial action in case of failure of stress tests.”

HMG agrees with the need to establish expectations for stress testing against resilience standards and the validation of resilience capabilities and arrangements, including regular testing and exercising, to ensure strong resilience across infrastructure sectors. HMG agrees that more should be done to test the resilience of infrastructure to a wide range of threats and hazards as well as testing capabilities throughout the risk management lifecycle (anticipate, prevent, prepare, respond and recover). In the Integrated Review, HMG has committed to improve the ability to test and develop capabilities through contingency planning and regular exercises that bring together government, industry, the emergency services, the armed forces and other local responders.

Through the introduction of any new requirements for validation, testing and exercising, HMG would seek to complement and build on existing requirements. Some regulations already require stress testing in order to identify and address vulnerabilities of CNI operators’ resilience measures relating to specific risks.

This is currently assessed for cyber risks for operators who undergo the Cyber Assessment Framework (CAF) which includes operators of essential functions in the drinking water, energy, transport and digital infrastructure sectors. Testing for cyber risks and vulnerabilities is required for an operator to achieve several of the CAF criteria such as B4.d - use of third-party testing to assess vulnerabilities of network and information systems, B5.a - appropriate use of different test methods to assess the effectiveness of disaster recovery plans, and D1.c - test all parts of the response cycle relating to their essential functions.

Furthermore, industry operators within some sectors undertake regular disaster recovery exercises, such as in the telecoms (digital) and gas sectors. The Electronic Communications Resilience & Response Group currently runs an annual telecoms industry-wide scenario-based desk exercise, usually over two days, that also tests the activation of the National Emergency Alert for Telecommunications (NEAT). The gas sector holds an annual industry exercise as part of its regulatory obligations. This aims to demonstrate that the gas industry is prepared and able to meet its obligations should there be a Gas Supply Emergency.

The nature and shape of any new requirements for exercises and testing will be influenced by the development of the National Resilience Strategy to ensure they align with the wider strategic framework. When establishing new resilience standards (see response to recommendation 1), HMG will implement appropriate assurance mechanisms to support these. These assurance mechanisms will take into consideration the roles, responsibilities and obligations of different stakeholders, including regulators, and ensure that the standards-based requirements placed on stakeholders are proportionate to the risks and benefits they would expect to bring. Appropriate mechanisms will be put in place to ensure that the outcomes of any exercises and testing are used to better understand vulnerabilities, learn and implement improvements in resilience.

Recommendation 3:

“Energy, water, digital, road and rail infrastructure operators should develop and maintain strategies to ensure infrastructure services can continue to meet resilience standards in the long term. To ensure this, regulators should:

  • introduce obligations by 2023 on infrastructure operators to require them to develop and maintain long term resilience strategies (where there is no current requirement)
  • set out, in future price reviews, how their determinations are consistent with meeting standards of resilience in both the short and long term.”

HMG is committed to improving long-term resilience across the UK including within the economic infrastructure and other CNI sectors, as demonstrated by development of the National Resilience Strategy which will explicitly consider the roles and responsibilities of CNI operators.

In recent years, there has been a strong focus from HMG, regulators and industry to improve levels of resilience in these sectors. Standards are not static and where established they need to develop in step with changes in the risk environment, evolving technology, lessons identified and stakeholder expectations. Any further cross-cutting requirements of CNI and other infrastructure operators will be determined following the National Resilience Strategy.

To improve the resilience of water supply, water companies are required to develop statutory Water Resource Management Plans to outline how they will manage their water supplies to ensure resilience to water shortages over a minimum of 25 years. This requirement was further enhanced in 2020 as the Environment Agency published a National Framework for Water Resources which introduced regional groups comprising water companies and other major water abstractors, supported by government and regulators. Each regional group must produce a single plan that builds resilience in water supply to a range of uncertainties and future scenarios. Measures in the Environment Bill will make long term Drainage and Wastewater Management Plans a statutory duty. This is in addition to Ofwat having considered ‘resilience in the round’ as a key factor when assessing water company business plans and budgets through the 2019 Price Review.

Within the Transport sector, the independent regulator the Office of Rail and Road (ORR) has requested Network Rail produce Weather Resilience and Climate Change Adaptation (WRCCA) plans as part of the previous two Periodic Reviews. Each Periodic Review determines the settlement for Network Rail for each corresponding contiguous 5-year Control Period and allows the Secretary of State for Transport to set the strategic direction of rail infrastructure. The implementation of the WRCCA plans is monitored by the ORR. Discussions are currently ongoing regarding the strategic intentions for the upcoming Periodic Review 2023.

Furthermore, the ongoing Rail Resilience Improvement Programme is designed to look at how the rail industry plans for and responds to major disruptive events. The Programme Board and Working Group comprise members of Network Rail, the Rail Delivery Group, train and freight operating companies, and HMG. This work is ongoing but will lead to a number of recommendations for industry to improve the resilience of the railway.

To improve resilience within the Energy sector, BEIS and Ofgem are currently leading a project to ensure that the institutional arrangements governing the energy system are fit for purpose over the long term considering evolving risks, hazards and the changing operational context as the UK aims for Net Zero by 2050. This project will consult in 2021 about system operation and energy code governance to ensure that roles and responsibilities, including those of the operators, are appropriate for building resilience in the long-term.

Within the Telecommunications sector, the Telecommunications (Security) Bill was introduced to Parliament in November 2020. This Bill seeks to protect public telecoms networks from cyber-attacks by establishing a new telecoms security framework. This would help increase the resilience of telecoms infrastructure against threats that may compromise the availability of networks or services or that may cause signals or data to be lost. As part of this framework, Ofcom would be given a range of new powers including a power to require public telecoms providers to test their network security for potential weaknesses that could result in future security compromises.