The Australian energy industry, like its peers around the world and those in other critical infrastructure subsectors, faces a rising threat of cyberattacks and the financial, operational, and reputational impacts these incidents can cause.
Indeed, in 2024, a major Australian energy provider noted that it stands to lose as much as $2 billion USD per day if a major cyberattack were to completely shut down its infrastructure.
With so much at stake, energy providers must ensure their capabilities cover all risk scenarios – and digital technologies can play a key role.
The energy sector faces hazards on all fronts
Cyberattacks are unfortunately not the only threats confronting the energy industry. The 2018 National Disaster Risk Reduction Framework warned of the sector’s exposure to more frequent and intense natural hazards – and that was before the bushfire disaster of 2019–2020.
Besides natural disasters, global supply-chain pressures have also entered the resilience picture, with the renewables sector hit particularly hard by Covid-related shortages of materials.
Adding in labour shortages, increased compliance obligations, and even cyber-espionage, it’s become increasingly clear that the industry faces hazards on all fronts – not just in the ubiquitous cyber theatre.
So how can energy providers adapt their resilience management strategies to ensure that the threat picture is being appropriately captured?
An all-hazards approach to risk
The approach recommended by the Cyber and Infrastructure Security Centre (CISC) focuses on enhancing risk-management, preparedness, and planning capabilities across a full spectrum of threats and hazards. In other words: taking an all-hazards approach to handling the deteriorating risk environment.
But what would such an approach entail for energy providers?
Per the CISC, energy providers will have to consider both human-induced threats and natural and environmental hazards that could impact the entity and its operations, assessing risk and vulnerabilities to their own assets and measuring those against identified threats and hazards to the sector.
Digital technology capabilities to consider
As energy providers turn to an all-hazards approach to risk management, preparedness and planning, there are a range of technology capabilities that could enhance capacities.
Critical infrastructure protection and compliance
Critical infrastructure compliance will only become more important for energy providers.
Energy providers should, therefore, seek out technology that consolidates information about the entity and its operations – including descriptions, locations and key functions.
And with vulnerability assessments forming part of the required elements of most regulatory regimes, energy providers will also need technology to help perform vulnerability assessments to pinpoint potential gaps that can expose the entity to all types of hazards.
Incident preparedness
To ensure preparedness, technology should help energy providers build incident response plans using automated plans and checklist functionality, then leverage these capabilities to conduct exercises on an ongoing basis to ensure that plans are effective, key personnel understand their roles and responsibilities, and shortcomings are addressed.
Risk management
Energy providers should also seek out digital technology that enables them to take a proactive approach to risk management in a standardised manner, making it simple to identify risks, assess their inherent risk level, implement controls, confirm their effectiveness, and monitor residual risk levels on an ongoing basis, all in a single workspace.
Threat intelligence
Staying ahead of potential threats to assets and operators requires technology that uses real-time threat intelligence alerts. Energy providers should therefore seek out solutions that offer situational awareness dashboards that consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.
Incident management
With an increasing number of incidents affecting the industry, energy providers will need to rely on technology to improve incident response times and team activation with automated emails, SMS, and voice notifications. This technology should also help energy providers to identify personnel required to update regulators, then assign tasks, record decisions, and share updates as the incident evolves before using investigations to identify controls in order to prevent reoccurrence.
Critical event management
To manage any critical event, energy providers will need technology to help keep their crisis or emergency teams following the same plans, collaborating effectively, and sharing the right information.
Physical security
Digital technology also has a place in making people and physical assets more secure for energy providers. How so? The technology proactively manages all aspects of providers’ security operations from anywhere. Energy providers will therefore be able to gain access to integrated management functionality for security incidents, shifts, logs, patrols, assets, visitors, and events.
Business continuity
Energy providers have assets and operations spanning the globe, complex supply chains, and plenty of footprint. To keep anticipating threats, responding to disruptions, and protecting people, assets, and equity, energy providers have to take business continuity and operational resilience as seriously as they take security, emergency, and crisis and incident management. To that end, energy providers must invest in technology that applies industry standards and best practices to determine disruption impacts, develop plans, and prepare recovery strategies to address risks.
Integrated resilience management software for energy providers
In sum, the risk environment for energy providers is deteriorating, with owners and operators facing a wave of cyberattacks while simultaneously fending off numerous other hazards.
How can the industry ensure proactive resilience? Integrated resilience management software like Noggin can help.
Integrated resilience workspaces give energy providers everything they need to anticipate and protect what matters, navigate all hazards with effective response and recovery, and strengthen resilience through continuous improvement.
