Committee publication · Correspondence · 3 June 2026
Correspondence from Chris Few relating to written evidence for energy resilience session on 3 June, dated 22 May 2026
From: Energy Security and Net Zero Committee
Inquiry: Energy resilience
Summary
Written evidence from Chris Few to the Energy Security and Net Zero Committee addresses cybersecurity risks in renewable energy systems. Few identifies specific vulnerabilities in grid management—reactive power manipulation and load-balancing disruption—and argues government must define cyber risk appetite, establish security objectives (e.g., limiting economic impact to £1 billion), and implement rigorous assessment methods for critical infrastructure.
Key findings
- Renewable energy systems create new cyber-attack vectors: remotely configurable inverters can manipulate reactive power to trip transmission protection relays; reduced grid inertia means attackers need less generation disruption to trigger cascading failures.
- Current generic cybersecurity frameworks (NCSC, NIST) are insufficient for electricity grids; grid-specific analysis of loss scenarios through control and protection system disruption is needed.
- Government and regulatory oversight lacks clarity: the NIS regulations devolve cyber risk management to Operators of Essential Services without defining what level of risk they are entitled to accept on behalf of UK citizens.
- The 2025 National Risk Register shows a hundred-fold uncertainty range (0.2% to 25%) in likelihood of NETS failure from malicious scenarios, understating risk because cyber-attacks are not independent events.
- DESNZ should state a high-level security objective (e.g., preventing any cyber-attack from causing economic impact exceeding £1 billion) and devolve detailed mitigation proposals to OESs through the RIIO framework.
Tone
Critical
Key actors
Chris Few, Energy Security and Net Zero Committee, Department for Energy Security and Net Zero (DESNZ), Ofgem, National Grid, National Gas, National Electricity Transmission System Operator (NESO), National Cyber Security Centre (NCSC)
Notable line
“… government needs a method for assessing the cyber security of the electricity grid that systematically seeks out possible loss scenarios through disruption of the control and protection systems and then assesses …”
Key Quotes
“Increased use of renewable energy tends to require more dynamic management of both reactive power and load balancing. Both aspects create new opportunities for cyber-attackers and hence increase cyber risks.”
“… using generic cyber security frameworks such as the NCSC Cyber Assessment Framework or the NIST Cyber Security Framework are not sufficient for managing the cyber security of electricity grids.”
“… to my knowledge, how much risk they are entitled to accept on behalf of UK citizens is not defined.”
“… it is not clear to me what types of cyber-attacker HMG now expects OESs to protect the energy networks from.”
“DESNZ should take an initial risk averse position and clearly state a security objective to prevent any cyber-attack on energy systems from causing economic impact to the UK of more than a given amount, e.g. £1billion.”
“To cause the level of impact shown in Figure 1 (tens of billions of £s), a cyber-attacker must defeat multiple layers of defence in both the cyber and physical systems.”
Source · parliament.uk record