In order to ensure the security and reliability of the informatics systems used in the industrial control systems (ICS) of the organizations determined as critical infrastructure by EMRA, the risks should be assessed and reduced or eliminated. EMRA has made a regulation to ensure informatics security and has issued an Informatics Security Regulation in Industrial Control Systems Used in the Energy Sector.
Critical infrastructures are energy networks that will disrupt the social order and / or negatively affect the provision of public services when they do not fulfill their functions partially or completely.
These organizations; electricity transmission license holder, electricity distribution license holder excluding organized industrial zone (OIZ) distribution license holders, except for the owner of the OIZ generation license, each owner of an electricity generation facility whose temporary acceptance has been made and has a license of 100 MWe or more, natural gas transmission license holder transmitting via pipeline, natural gas distribution license holder obliged to establish a shipment control center, natural gas storage license holder (LNG, underground storage), crude oil transmission license holder and refinery license holder legal entities.
These organizations have the obligation to submit to EMRA when requested by EMRA to fill in the ICS recognition form by the Authority, and the organizations are required to report the results of the security analysis and tests they have made to determine the risks for ICS
In the risks determined by EMRA and determined by these organizations themselves, the institution decides which ones should be reduced and which ones are accepted. For the risks that are decided to be reduced, a treatment plan with risk-reducing actions that will be the responsibility of the organization is created. The organization is obliged to ensure that the risks determined by EMRA and the risks determined by itself are evaluated once a year. The institution prepares a risk treatment plan and carries out a study that includes updating the risk treatment plan every six months. At the same time, it ensures that risks are prioritized according to their likelihood of occurrence and that high-grade risks are treated first.
EMRA audits whether these organizations fulfill their obligations, either ex officio or upon complaint. EMRA imposes administrative sanctions and penalties on unfulfilled obligations.