8 minute read 12 Apr. 2021

How Australian utilities can strengthen cybersecurity ahead of regulatory changes

Authors
Richard Bergman

EY Global Cyber Transformation Leader

Cybersecurity leader. Forensics guru. Helping organizations face the future with confidence.

Cody Kieltyka

Senior Manager, Cyber Security, Privacy and Trusted Technology Practice

Trusted advisor on cyber risk and industrial control systems security. Enjoys travel, music and the Australian sunshine.

Utilities can benefit by getting ahead of changes to regulations aimed at boosting the resilience of Australia’s critical infrastructure.

Proposed updates to Australia’s Security of Critical Infrastructure (SOCI) Act 2018 are set to impose new Positive Security Obligations for a broadened scope of entities and Enhanced Cybersecurity Obligations for entities considered systems of national significance.

Utilities that are planning to take a “wait and see what gets ratified” approach will have a longer journey to compliance. They will also be exposed to more than just regulatory risk, given their use of legacy systems and the increase in the number and sophistication of cybersecurity threats targeting them. Getting ahead of proposed changes also allows utilities to spread the costs of addressing compliance gaps via a staged program, rather than one big expense at the end.

We advise organisations to boost resilience against those threats and be ready to make the most of current digital innovation by embarking on, or doubling down on, several “no regret” areas of focus. A holistic and, for many, long overdue cybersecurity program and secure-by-design initiatives should be sponsored by the boardroom and executive, and include three key elements:

  1. Framework - Build a control assurance framework aligned to your business objectives to understand your critical assets, the risk scenarios your organization faces, and the current state of your controls mitigating the likelihood and impact of these risks.
  2. Governance - Inform and educate the Board to enable them to be accountable for cybersecurity risk management.
  3. Incident Response - Build muscle memory in responding to cybersecurity incidents, including the ability to monitor, respond to and promptly recover from any incident.

Industry drivers are broadening the attack surface as cybersecurity threats increase

Australia’s power and utilities sector is transforming at breakneck speed. Three drivers are altering every aspect of operations:

  • Decarbonisation:  An increase in renewables is creating challenges around forecasting supply/demand, maintaining network stability and ensuring security of supply. Energy companies are reshaping to protect value chains in the long term.
  • Decentralisation: The declining costs of solar photovoltaic (PV) technology and battery storage are accelerating the uptake of distributed generation. As more customers become prosumers, the grid will need to accommodate increasing amounts of two-way energy flows.
  • Digitisation: Managing the implications of decarbonisation and decentralisation requires networks to invest more in digital technologies, including demand management tools and storage solutions, to ensure network stability.

The “3D’s” (decarbonization, decentralization and digitization) will continue to disrupt traditional ways of doing business

Source: IEA, Navigant, EY analysis

Together these forces are accelerating the cybersecurity challenge for utilities. Increasingly connected systems, including smart meters and sensors, are broadening the attack surface, along with the traditional and legacy OT infrastructure that is now converging with IT systems. At the same time, cybersecurity threats are growing in number, sophistication and boldness in compromising critical infrastructure.

Publicly reported incidents over the past six years show how these trends are being borne out in the sector: 

These cybersecurity challenges, created by ongoing business changes and an increased threat landscape, have prompted the Australian Government to weigh in on how critical infrastructure assets need to shift their cybersecurity focus. Part of its response includes the proposed updates to SOCI.

“No regret” cybersecurity focus areas

Despite some uncertainties around its scope and implementation, the Bill gives utilities a useful framework to evaluate their approach to cybersecurity and identify areas for improvement. Preparing to comply with the Act before its current expected introduction by mid-2021 now requires focusing on several key areas:

1. Build a control assurance framework

Though SOCI will require minimum baseline standards for specific industries, the first new obligation of SOCI is principally risk-based. Utilities should begin or continue to understand the cybersecurity threats to their most mission-critical assets and the most effective cybersecurity or physical mitigations to those threats. Beyond compliance, this will enable them to be cost effective with their limited resources.

Several industry resources can help enable this. The US Department of Energy Idaho National Lab (INL) has produced a methodology called Consequence-driven Cybersecurity-informed Engineering (CCE) and recently published a book on the subject.

Often the most critical assets for utilities are Industrial Control Systems (ICS) / Operational Technology (OT). We’ve observed Australian utilities underinvesting in this area, with budgets roughly one-third of what is spent on securing corporate IT systems. However, security does not always call for complex or expensive solutions.

Preventing vulnerable control systems from being exposed directly to the internet and requiring Multi-Factor Authentication for all remote access into OT environments could have prevented some of the attacks outlined above.

It may also be prudent for utilities to conduct an independent gap assessment and roadmap of their cybersecurity capability based upon the AEMO AESCSF and other cybersecurity standards (e.g. ISA62443 ICS security standards for OT assets and ISO27011 for energy organisations that also provide telecommunication services). These exercises can ensure utilities are considering industry best practices in addition to reassuring the regulator and government that key cybersecurity risks are being appropriately managed. 

2. Inform and educate the Board to enable their accountability for cybersecurity risk management

A key proposed update to SOCI is its intent to ensure “that the Boards of critical infrastructure entities have visibility of and are responsible for planning and actively managing security and resilience.”  EY’s 2020 Global Information Security Survey, however, found that:

  • 48% of respondents said their Board does not yet have a full understanding of cybersecurity risk.
  • 54% of organizations regularly schedule cybersecurity as a Board agenda item.
  • 6 in 10 organizations do not have a head of cybersecurity at executive management level.
  • 7% of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk averse.”

To overcome these obstacles, and in lieu of appointing cybersecurity specialists to the Board, Boards will require a degree of cybersecurity education and awareness, as well as fit-for-purpose cybersecurity risk and metrics reporting from management. Once they better understand cybersecurity risk, Board members can manage it more effectively, as they do all the other risks within the organisation.

3. Build muscle memory in cybersecurity incident response

With the addition of the Governance assistance regime, some utilities may be thinking that if they do have a serious cybersecurity incident, “don’t worry, the Australian Signals Directorate has it covered.” Others may be questioning whether the increased role of government in responding to cybersecurity incidents, as mandated by SOCI, will deliver the best outcomes for the company, its workforce and customers, particularly as each organisation has different processes, technologies and staff health and safety requirements. Regardless, utilities should be planning how they will respond to a cybersecurity incident. This should include gauging their ability to comply with the new mandatory reporting obligations.

Beyond planning, companies should also be rehearsing incident response and performing tabletop simulations. If you have not conducted one since the pandemic forced the majority of the workforce to work remotely, it may be a good time to dust off your incident response plan and see if it lives up to the new normal. Additionally, ransomware should be one of the top scenarios utilities should exercise. 

Building the digital energy firm of the future

SOCI’s proposed requirements for lifting cybersecurity processes and standards may appear daunting, but the changes respond to an existing and growing need for companies to uplift the function. Strengthening capabilities to defend against new threats to a digitised, decentralised infrastructure should not be seen as a compliance exercise but as an opportunity to lay the groundwork for greater digital innovation. Five years from now, utilities will require very different cybersecurity capabilities from those of today. They will operate within a large, complex, interconnected digital ecosystem. Protecting this ecosystem requires an approach that is simplified and automated where possible, and able to operate at scale with visibility of the converged risks across IT, OT and IoT. Investing in a cybersecurity program that plays catch-up will not be adequate.

Those companies that act now to evaluate and improve their cybersecurity approach will build a resilient, intelligent utility fit for the future.  

Summary

Utilities can benefit by getting ahead of changes to regulations aimed at boosting the resilience of Australia’s critical infrastructure.
