As cybersecurity threats surge, Australia can look to international approaches shaping a more resilient energy future in other parts of the world.
One of the most dynamic sectors in the country, Australia’s energy industry is integral to the national economy.
The oil and gas industry alone supports around 80,000 jobs across its entire value chain, and renewable energy opens up a range of global market opportunities.
What’s more, the products that the industry delivers are essential for the functioning of society – powering our homes, hospitals, transport networks and beyond.
That criticality goes a long way in explaining why energy is so vulnerable to cyberattacks, even when compared to other critical infrastructure sectors. In fact, the Australian Signals Directorate’s Australian Cyber Security Centre ranked electricity, gas, water and waste services as the most reported critical infrastructure sector – representing a staggering 30 per cent of the cybersecurity incidents the Directorate responded to in FY2023–24.
High-profile cyberattacks on leading energy providers only serve to back up this data.
Of course, Australia boasts a robust framework for managing critical infrastructure security, thanks to the Security of Critical Infrastructure Act 2018 (SOCI).
But Australia isn’t the only country dealing with constant attack attempts on its critical infrastructure assets – peers in the US, UK and the EU face similar – and often even greater – levels of threat.
So what can energy providers in Australia learn from the frameworks other countries have developed to mitigate these security risks?
US: Cyber Incident Reporting for Critical Infrastructure Act of 2022
The pointy spear of regulation tends to be incident reporting.
Like the SOCI Act, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure organisations in the US to report cyber incidents to the Cybersecurity and Infrastructure Security Agency.
CIRCIA also mandates the reporting of ransomware payments – a requirement that was only added to the SOCI Act with the passage of last year’s Cyber Security Act 2024.
One of the more forward-thinking provisions of CIRCIA, in my opinion, is the establishment of the Cyber Incident Reporting Council (CIRC). The Council’s mandate is to coordinate, deconflict, and harmonise federal incident reporting requirements, of which it found 52. This led to a proposed model definition for reportable cyber incidents, including timelines and reporting triggers, as well as recommendations on how to align the content of cyber incident reports and update and supplement those reports after the first incident notification is made.
EU: The Critical Entities Resilience and Network and Information Security Directives
Incident notification is important at the response stage of a cyber incident. Mitigation efforts are essential well ahead of time, though.
One of the most significant efforts that energy providers can undertake is developing a resilience plan that details the measures taken to prevent, respond to and recover from an incident. In the EU, that step is mandated by law, thanks to the Critical Entities Resilience (CER) Directive, the EU’s equivalent of the SOCI Act. The Directive, which came into force in January 2023, aims to strengthen the resilience of critical entities against threats such as natural hazards, terrorist attacks, insider threats, sabotage and public health emergencies.
More specifically, the Directive requires critical entities such as energy providers to carry out regular risk assessments – no fewer than every four years. Identified risks must then be addressed through appropriate technical, security, and organisational measures.
Meanwhile, the resilience plan itself must focus on the precise measures taken to prevent incidents from occurring, based on the risks identified.
The plan must also include provisions for: (1) ensuring adequate protection of critical infrastructure; (2) addressing the impact of and recovery from incidents; and (3) guaranteeing adequate employee security management.
In addition to the CER Directive, the EU has also promulgated the Network and Information Security (NIS2) Directive to deal specifically with threats to the network and information security of its critical infrastructure organisations. This Directive requires entities to take an all-hazards approach to the security risk management of their network and information systems.
Some measures critical infrastructure organisations must take include:
- policies on risk analysis and information system security
- incident handling
- business continuity and crisis management
- supply-chain security
- security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- basic cyber hygiene practices and cybersecurity training
- human resources security, access control policies and asset management
- the use of multi-factor authentication or continuous authentication solutions.
UK: Cyber Security and Resilience Bill
The final jurisdiction I’ll cover is the UK, where the government is expected to introduce its landmark Cyber Security and Resilience Bill later this year.
Interestingly enough, this Bill seeks to align the country’s existing Network and Information Systems (NIS) Regulations with the EU’s NIS2 Directive, while making it essential for regulated entities to follow best practices to ensure cyber resilience.
Acknowledging the importance of third parties in critical infrastructure protection, the Bill will also bring managed service providers who offer core IT services into scope, with the hopes of enhancing the security of IT infrastructure and reducing the risks of cyberattacks.
In a similar vein, the Bill will enable the government to set stronger supply-chain duties for operators of essential services and relevant digital service providers, while also giving regulators the power to identify and designate specific critical suppliers.
Key takeaways
Indeed, for Australian energy providers, there’s much to learn from global compliance best practice, particularly as attacks on energy assets increase.
At Noggin, we recommend introducing flexibility to critical infrastructure security risk management programs and procedures, to account for changing practices and new global compliance drivers.
For that reason, I’d also recommend investing in integrated resilience software to give your critical infrastructure risk management program the flexibility it needs.
Solutions such as Noggin’s empower energy providers to meet evolving compliance obligations by enabling their teams to work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.
For more information, visit noggin.io