Turkey’s Energy Market Regulatory Authority (“Authority”) has announced new rules for IT processes in industrial control systems in certain energy facilities which are deemed critical for public services. The rules address system continuity and cyber security matters.

Under the new rules, the following organizations are defined as “Responsible Companies” and are considered responsible for critical energy infrastructure:

  • Electricity transmission license holders.
  • Electricity distribution license holders.
  • Electricity generation facility owners that have temporary acceptance and installed power of 100 MW or more.
  • Natural gas transmission license holders which undertake transmission via pipeline.
  • Natural gas distribution license holders which are obliged to establish a shipping control center.
  • Natural gas storage license holders (LNG, underground storage).
  • Crude oil transmission license holders.
  • Refinery license holders.

Among other things, these Responsible Companies must:

  • Prepare a risk inventory to monitor the information process and ensure safety of industrial control systems (“Systems”) used in critical energy infrastructure.
  • Prepare a treatment plan clearly outlining risk mitigation actions.
  • Provide the Authority with a System recognition form, outlining related processes, as well as work which has been performed for information security and source information.

The Regulation on Information Security of Industrial Systems Used in the Energy Sector was published in Official Gazette number 30123 on 13 July 2017, entering into force on 13 September 2017. Please see the link for full text of the Regulation (only available in Turkish).