SECURITY
ENERGY SECTOR CYBER READINESS IS A CRITICAL CONCERN
by Glen Gooding, EY Australia Partner, Cyber Security
The fragility of the energy sector has been well known in cyber circles for many years. Technology across the sector has become more interconnected, with the once ‘isolated’ legacy systems of old merged into contemporary corporate networks. This convergence has created a new set of vulnerabilities across both physical and digital assets. Combine this with the well-documented lack of skills in the cyber realm, amplified more so in the energy sector, and an ever-growing reliance on third-party cloud providers, and you have an idyllic environment for proactive criminal organisations and nation-state actors to target.
In a post-COVID world, we have seen an increased rate of technology adoption to suit the needs of remote virtual working, and this has not made the stretched responsibilities of overworked cyber support personnel any easier. In fact, recent audit statistics from an appropriately regulated sector showed that organisations had not improved their cyber maturity levels at all, so much so that 2019 recommendations still have not been addressed. It’s not all bleak, however: the Federal Government has taken well-defined steps to best reduce the impacts of cyber risk. This has come in the form of regulatory stopgaps: SOCI, Cyber Security Strategy 2020, ESB 2025. These measures are by no means comprehensive, nor will they be that elusive silver bullet, but collectively there has been an attempt to provide a cohesive framework across a gaping range of capabilities within the sector. Along with these regulations, organisations need not only to address cyber risks as we have traditionally thought of them, but also to take a forward-looking, ten-year outlook and put a lens on the threats specific to how we will generate and consume energy in the future.
Considering the uptake of renewables
The proliferation of renewables and the distributed nature of the energy grid will expose an issue that will be hard to come back from. Those of us who have been in the industry for the past three decades will begin to witness history repeating itself. At the turn of the century, with the growing acceptance and reliability of the internet, eCommerce systems were deployed with very little design thinking around security. This brought about a need to bolt security onto existing applications, which shored up some gaps, but still left many open.
March 2022 ISSUE 17
Fast-forward to more recent times, as we rely on third-party cloud providers to initiate a hybrid on-premise/cloud strategy. Again, we should have learned from our mistakes and looked to build in the correct security controls. In some instances this improved, but mostly we continue to consider security as an afterthought. These examples reflect a broader pattern in technology adoption across all industry sectors. Here is an opportunity in the energy sector to adopt a secure-by-design approach when growing the new paradigm of energy generation. Consider a 2030 Australia, where we have a high percentage of PV panels supplying electricity for a large part of our population and there is a vulnerability exposed in that ecosystem. Taking out solar farms and millions of household panels would put undue stress back onto the grid, which could bring a large city to its knees. To break this down simply, the IoT devices being installed and configured at our homes need to have security-by-design thinking right upfront. Cyber best practices need to be considered during installation, and the inverters and panels themselves need to have a published bill of materials describing the makeup of such devices. Shame on us if we are unable to right the wrongs of the past and instill a best practice cyber mentality correctly from the beginning.
Regulation is key
In light of the pending disaster above, we are progressing, and to ensure that progression is in a forward motion, the voice from the top needs to be understood. Other regulated industries have placed direct accountability with board members and for the energy sector, impending regulations along with the tightening of the ACSC’s Essential 8 and awareness
www.energymagazine.com.au