To overcome these obstacles and in lieu of appointing cybersecurity specialists to the Board, Boards will require a degree of cybersecurity education and awareness, as well as fit-for-purpose cybersecurity risk and metrics reporting from management. Once they better understand cybersecurity risk, Board members can manage it as effectively as they do all the other risks within the organisation.
3. Build muscle memory in cybersecurity incident response
With the addition of the Government assistance regime, some utilities may be thinking that if they do have a serious cybersecurity incident, “don’t worry, the Australian Signals Directorate has it covered.” Others may be questioning whether the increased role of government in responding to cybersecurity incidents, as mandated by SOCI, will deliver the best outcomes for the company, its workforce, and customers, particularly as each organisation has different processes, technologies and staff health and safety requirements. Regardless, utilities should be planning how they will respond to a cybersecurity incident. This should include gauging their ability to comply with the new mandatory reporting obligations.
Beyond planning, companies should also be rehearsing incident response and performing tabletop simulations. If you have not conducted one since the pandemic forced the majority of the workforce to work remotely, it may be a good time to dust off your incident response plan and see if it lives up to the new normal. Additionally, ransomware should be one of the top scenarios utilities exercise.
Building the digital energy firm of the future
SOCI’s proposed requirements for lifting cybersecurity processes and standards may appear daunting, but the changes respond to an existing and growing need for companies to uplift the function. Strengthening capabilities to defend against new threats to a digitised, decentralised infrastructure should not be seen as a compliance exercise but as an opportunity to lay the groundwork for greater digital innovation. Five years from now, utilities will require very different cybersecurity capabilities from those of today. They will operate within a large, complex, interconnected digital ecosystem. Protecting this ecosystem requires an approach that is simplified and automated where possible, and able to operate at scale with visibility of the converged risks across IT, OT and IoT. Investing in a cybersecurity program that plays catch-up will not be adequate.
Those companies that act now to evaluate and improve their cybersecurity approach will build a resilient, intelligent utility fit for the future.