by Christopher Allan, Journalist, Energy Magazine
A recent industry panel at the 2022 Digital Utilities summit has taken a fresh look at opportunities and challenges for cyber security in the utilities sector. The panellists represented a diverse range of cyber security experiences in the utilities sector, including perspectives from water and energy corporations, government departments as well as technology companies. Here we revisit some of the key discussions that emerged from the panel – from embodying cyber security organisation-wide, to getting to know the next generation of cyber security workers.
The panel was held as part of the Digital Utilities summit and was chaired by Jessica Dickers, Editor of Infrastructure and Utility magazines. The four participating panellists were Marianne Vosloo, Executive General Manager, Digital, Energy Queensland; Anafrid Bennet, Water Sector Interim Chief Information Security Officer (CISO), Department of Premier and Cabinet Cyber Security Branch, and Head of IT & Security Operations, Greater Western Water; David Worthington, General Manager – Digital Security and Risk, Jemena; and Craig Scott, National Manager, Sales & Marketing, Madison Technologies.
Against the background of converging IT and OT, greater uptake of new technologies and vast digitalisation of industries, the panel ignited a fresh dialogue on what cyber security looks like at the level of the utility.
A challenge for the energy sector in particular will be embedding cyber security teams and practices within this new digital landscape, ensuring both physical and digital infrastructure are resilient to new threats and disasters.
The current state of cyber – are we doing enough?
When asked about the current state of cyber security in Australia’s utilities and whether there was more to be done, the panellists built a clear picture of current issues and opportunities for doing more when it comes to cyber. Anafrid Bennet offered a globally minded understanding of the cyber security landscape.
“When it comes to the current state of cyber, I think change is the only constant, and that also applies to our evolving threat landscape,” Ms Bennet said.
“The different ways of working that we have, the current climate and geopolitical tensions, the pandemic, vast digital transformation, convergence between IT and OT, next generation technologies – all these contribute to the evolving threat landscape.”
Ms Bennet identified ransomware and risks relating to multi-cloud and hybrid cloud security as specific threats needing response.
“As an industry, we kind of play catch-up – it’s our security mindset that has to change, and we also have to start looking at investing in our next generation to bridge the skill gap.”
Marianne Vosloo shared that the responsiveness to cyber security at the board level speaks to a willingness in industry to take cyber seriously, before emphasising opportunities to improve cyber security responses moving forward.
“It’s not possible to protect an organisation 100 per cent. While we are spending a lot of effort and time on the protection and detection side, it’s just as important to focus on the response – what we do with it, and how comfortable we are with it,” Ms Vosloo said.
“If I look at Energy Queensland Limited, we are excellent in responses to a particular emergency event like a flood or a cyclone – we need to get as fluent in our responses from a cyber perspective.”
David Worthington emphasised the co-evolution of security and threat actors.
“None of us are doing less technology at the moment,” Mr Worthington said.
“The other side of the coin is there’s another group of people who are involved in this issue – we have a lot of threat actors out there that are pretty active.
“They’re getting smarter and they’re getting better – so there’s a continual need to improve, operate and maintain what we’re doing.”
Craig Scott supported previous remarks on the current state of cyber before touching on workforce factors.
“We know that we are dealing with aged infrastructure, but we also have a very mature workforce, and part of that workforce is an aging workforce,” Mr Scott said.
“The transfer of knowledge to a younger generation coming through will certainly help in the cyber security and resilience space.”
From building a cyber team to organisation-wide safety
When it comes to building a cyber security team in the utility sector, Mr Worthington shared from his experiences at Jemena that finding organisation-wide success goes beyond the mere size of the team.
“We have a reasonable sized team – about 15 or so internal staff alongside contractors and partners that we regularly work with and help with 24/7 coverage and instant response,” Mr Worthington said.
“But you can’t just grow a nice, big cyber security team and think that will solve all your problems. That’s not really how this works – it really is a whole-of-business problem.
“If you’re a rotating plant engineer at a gas network and you’re buying a turbine – well, now you have requirements around cyber security, and you need to have some skills in that space.”
Ms Bennet drew on her experiences at both Greater Western Water and the Department of Premier and Cabinet to share the value of “building security champions across the business” that act as “the eyes for the security team”.
“We all speak about DevSecOps, but we cannot have a DevSecOps capability sitting only within the security team – you have to also build that capability within the development team.”
Ms Vosloo shared that at Energy Queensland, organisation-wide cyber security involves a “virtual team” built from different departments including IT, OT and physical security.
“The important part here at Energy Queensland is that we look at these different teams and we work together,” Ms Vosloo said.
“We need to be linked to the hip and form a virtual team to ensure that we protect in the right way, and that when an incident happens, we can respond similarly and everybody knows exactly how they play in different spaces.”
Mr Scott shared from his role at Madison Technologies that awareness is a continuous conversation when fostering cyber safety across teams and organisations.
“The teams within Madison Technologies do conduct annual awareness training, and we are also constantly tested by our IT department to see whether we’re actually keeping up to speed on things,” Mr Scott explained.
“They’ll throw us small curve balls just to test our knowledge, through email phishing attacks and this type of thing. Sometimes we get it right, and sometimes we might get it wrong – what it does is keep cyber security front of mind.”
Your people are your first line of defence
When responding to the phrase ‘your people are your first line of defence’, Ms Bennet reiterated that people are the cornerstone and “cultural foundation” of building cyber resilience within the business.
“People are definitely our assets – they are the first line, the last line, and the best line of defence.”
“We encourage our people to talk more on cyber security matters to bring that awareness closer to their homes, families, and life.
“Our goal is to make sure that cyber safe practices are not only done within a corporate environment, but it is kind of a second nature to our people, where we create cyber champions.”
Ms Bennet gave the example of how developing engaging cyber awareness programs can help foster cyber champions. “We created a bespoke cyber game where one can achieve what they want while also learning safe cyber practices and tips useful in both their corporate and personal lives.”
For Mr Scott, the phrase ‘your people are your first line of defence’ reminds us that digital technologies are still at the mercy of objectives and strategies devised by people. “When you think about it, that piece of hardware and software is ultimately a dumb device without people implementing with clear objective and strategy – without people providing their own level of skill, brain power and competence.”
For Mr Worthington, ‘your people are your first line of defence’ is less about cyber awareness and more about building upon the existing skills that many of us have.
“Awareness is a term I’m not super fond of – I’d prefer to use the term skills,” Mr Worthington explained.
“I think we’re doing a disservice to what people are learning in this area if we call it awareness. If you’ve got children in school, they’re already learning about these kinds of skills from prep onwards – it’s now seen as a life skill for people.
“We can do the best we can in cyber security, but if someone goes and buys a product that’s completely insecure and puts it on the network – that’s a problem. Cyber will always be about people.”
From Ms Vosloo’s perspective, ‘your people are your first line of defence’ means recognising existing skills while also catering to the different interest levels and engagement patterns that people have in cyber.
“Recently we’ve partnered with Mimecast to do a set of awareness campaign videos – small, no longer than two minutes, very funny – videos that get people just thinking about simple things in cyber awareness,” Ms Vosloo explained.
“Our awareness campaigns were going down well, but we found that we had less than 50 per cent of the organisation looking at these videos on a timely basis – so now every month we release one.
“It was definitely clear that we had to find different channels to get people to respond and think about cyber in a different way.”
Ms Vosloo also shared how establishing a cyber share at the start of meetings is another strategy to engage a broader set of the organisation on cyber issues and knowledge.
Soft skills and the next generation of cyber professionals
To conclude the panel, each panellist gave comments on the soft skills required of the next generation of cyber professionals.
Mr Worthington said, “From a technical skills point of view, I think for most cyber professionals, that’s pretty well covered coming from a technical background but maybe they don’t have the soft skills needed to really push forward.”
“You can always learn technical skills, but those soft skills are going to be the real thing that’s needed in the future.”
Ms Vosloo said, “I think the persistence to be able to influence is definitely one of the most important soft skills that’s needed, and maybe curiosity as well – to be able to ask the right questions around behaviour and how people are looking at the cyber world.”
Mr Scott said, “I just take my very own kids, for example: You do some things at home and they’re quick to say, ‘Hey, that’s not cyber safe,’ – they’re quick to call you out.”
“I believe that the professionals of the future will have cyber security as an innate part of their nature, and from that perspective, I actually think cyber going forward is actually looking good.”
Ms Bennet said, “Good communication skills, empathy, an ability to work in a team and independently where needed, critical thinking, and analytical skills – these are the skills that are really required.”
You can watch this panel session in full, and all of the other presentations from Digital Utilities 2022, by heading to www.digitalutilities.com.au