by Glen Gooding, EY Australia Partner, Cyber Security
The fragility of the energy sector has been well known in cyber circles for many years. Technology across the sector has become more interconnected, and the once ‘isolated’ legacy systems of old have been merged with contemporary corporate networks. This convergence has created a new set of vulnerabilities in both physical and digital assets. Combine this with the well-documented lack of cyber skills, amplified in the energy sector, and an ever-growing reliance on third-party cloud providers, and you have an ideal environment for proactive criminal organisations and nation-state actors to target.
In a post-COVID world, we have seen an increased rate of technology adoption to suit the needs of remote virtual working, and this has not made the stretched responsibilities of overworked cyber support personnel any easier.
In fact, recent audit statistics from an appropriately regulated sector showed that organisations had not improved their cyber maturity levels at all, so much so that 2019 recommendations still have not been addressed.
It’s not all bleak, however: the Federal Government has taken well-defined steps to reduce the impact of cyber risk. These have come in the form of regulatory stopgaps: SOCI, the Cyber Security Strategy 2020 and ESB 2025.
These measures are by no means comprehensive, nor will they be that elusive silver bullet, but collectively they represent an attempt to provide a cohesive framework across a wide range of capabilities within the sector.
Along with these regulations, organisations need not only to address cyber risks as we have traditionally thought of them, but also to take a forward-looking, ten-year outlook and put a lens on the threats specific to how we will generate and consume energy in the future.
Considering the uptake of renewables
The proliferation of renewables and the distributed nature of the energy grid will expose an issue that will be hard to come back from.
Those who have been in the industry for the past three decades will begin to witness history repeating itself. At the turn of the century, with the growing acceptance and reliability of the internet, eCommerce systems were deployed with very little design thinking around security.
This brought about a need to bolt security onto existing applications, which shored up some gaps but still left many open. Fast-forward the clock to more recent times, as we rely on third-party cloud providers to initiate a hybrid on-premise/cloud strategy.
Again, we should have learned from our mistakes and looked to build in the correct security controls; in some instances this improved, but mostly we continue to treat security as an afterthought.
These examples reflect a broader pattern in technology adoption across all industry sectors. There is an opportunity in the energy sector to adopt a secure-by-design approach when growing the new paradigm of energy generation.
Consider a 2030 Australia, where a high percentage of PV panels supply electricity for a large part of our population, and a vulnerability is exposed in that ecosystem. Taking out solar farms and millions of household panels would put undue stress back onto the grid, which could bring a large city to its knees.
To break this down simply, the IoT devices being installed and configured in our homes need to have security-by-design thinking built in right upfront.
Cyber best practices need to be considered during installation, and the inverters and panels themselves need to have a published bill of materials that describes the makeup of such devices. Shame on us if we are unable to right the wrongs of the past and instil a best-practice cyber mentality correctly from the beginning.
Regulation is key
In light of the pending disaster described above, we are progressing, and to ensure that progression continues in a forward motion, the voice from the top needs to be understood.
Other regulated industries have placed direct accountability with board members, and for the energy sector, impending regulations, along with the tightening of the ACSC’s Essential 8 and awareness campaigns, are continuing to raise the importance of cyber at senior executive levels.
Government mandates have not been defined by the brains trust at specific departments alone. A great example of this was the public consultation process undertaken to ultimately release Australia’s Cyber Security Strategy 2020: 215 written submissions culminated in a plan that has been well received by industry.
Similarly, the Security of Critical Infrastructure (SOCI) Amendment Bill, with over 3,000 points of view, has allowed the Australian cyber community to voice their input into improving the resilient nature of our critical infrastructure.
Regardless of your opinion of SOCI, and without debating the details, this reform will elevate the importance of cyber within industry sectors, and within the entities in those sectors, to the senior executives where important evidence-based funding decisions need to be made.
A collaborative approach to protect critical infrastructure
If our baseline best practices have provided some foundational first steps, and there is a vision on sector-wide governance on standards relating to DER technology, then we also need to address our ability as a nation to provide a coordinated response to a complex, multijurisdictional cyber-attack.
Our emergency management arrangements are well understood in the case of a flood or bushfire; however, I would like to see this mimicked in the case of a comprehensive cyber-attack on our nation. The exercising of our cyber response capabilities gets a good workout in well-coordinated simulation activities, but more synergy could be achieved by forming a collaborative community initiative, led by an agency team, that is purpose-built to respond effectively.
The energy sector, in its current state, practices a reactive recovery mindset, with improvement opportunities driven from a compliance perspective.
We should consider a more collaborative energy sector that comes together with the aim of mitigating future attacks on our nation’s critical infrastructure, one that moves the needle from a disjointed, siloed approach towards an aspirational goal of enterprise resilience, allowing a holistic, risk-based response in the event of a complex, multi-jurisdictional threat to the sector.
This integrated approach will require executive support at a government and industry level; an innovative approach to validating the composition of future energy technologies; a well-drilled cyber operations capability ready to respond; and ultimately, an ever-present awareness from all citizens to be resilient in providing that first line of defense.
We have begun the journey, but we still have a lot of distance to cover.