Sunil Sharma shares his thoughts about cyber security in the energy sector as presented at Australian Energy Week.
Digital transformation is on the rise within the energy sector. Smart grids and smart devices or Industrial Internet of Things (IoT), make the energy sector a highly attractive target for cyber-attacks aimed at disrupting operations. At the same time, the sector is still plagued with proprietary legacy technologies.
There is also a rapid move towards convergence of IT and Operational Technology (OT), while cyber and physical security has already converged. Unfortunately, this has resulted in a larger cyber threat footprint and increase in critical assets being vulnerable to cyberattacks.
Nine in 10 critical infrastructure providers have experienced cyberattacks that rendered their systems out of action in the last two years.
Tenable’s Ponemon Institute Survey 2019
The energy sector plays a critical role in the functioning of the modern economy. Theconsequences of a cyberattack on the energy sector could be catastrophic – disruption of electricity to businesses, industry and community; economic and financial disruption; loss of license; reputational damage; or even loss of life. Managing cyber risk in an interconnected electricity market is critical.
The risk is real
Whilst cyber criminals’ are looking for financial gains, rogue nation states are a significant threat to national security, targeting the energy sector and other critical infrastructures for political gain.
The cyberattack, allegedly by Russian actors, on Ukraine’s power grid in 2015 disrupted supply to more than 230,000 consumers. The petya and wannaCry malware attacks in 2017 cost AUD4-8 Billion in damages and loss of operations to large transport, manufacturing, energy and health organisations. Closer to home the recent breach on the Australian Parliament electoral system by “sophisticated state actors” triggered a special task force to strengthen against future attacks.
Governments are concerned
There is no doubt that governments around the globe are concerned about national security. The US federal government has already pledged more than US11 Billion dollars towards improvement around national cybersecurity and security around IoT.
The sheer scale and rising likelihood of major cyber-attacks made them the most pressing threat a country like Australia faces. Should a successful, major cyber-attack occur, it can cripple a society
Departing head of Australian Cyber Security Centre, Alistair MacGibbon
Buck stops with the board
Whilst government are starting to invest and facilitate improvements to cybersecurity, critical infrastructure providers and their CEO’s and boards need to do more and be ahead of the regulatory requirements. If not, they not only risk the inevitable of losing trust with their customers, business, industry and government, but have grave consequences on nation’s security and its citizens.
So, what next?
In an environment of both physical and digital connectivity, there will always be vulnerabilities. Mitigating evolving threats and being resilient to breaches are paramount for critical infrastructure protection.
Some of the key areas for consideration to manage the cyber risks include:
- CEO and board ownership: Leadership buy-in is critical. Cyber needs to be considered one of the top board risks. Governance and awareness needs to be driven across the organisation.
- Industry and government collaboration: Adopting a common risk framework and sharing of threat intelligence is key to preparing resilience plans.
- Understand your assets: If you don’t know what you have you will not know what and how to protect. Carry out a comprehensive asset discovery exercise.
- Establish a cyber risk strategy: Throwing in technologies to secure your environment does not result in better security. Assess baseline people, process, technology, 3rd part risk and physical security towards a pragmatic risk program – sponsored by the CEO.
- Security by Design: By embedding security upfront in all projects means that Select technology or IoT partners that have security built in.
- Seek help: With the shortage of security skills, leverage external security experts, ideally, with a combination of critical infrastructure operations, design and OT cyber risk experience.
GHD Digital can help
With over 90 years of technical expertise building infrastructure nationally and globally to solve client problems. GHD Digital have the cybersecurity and SCADA/OT expertise, and specialised technology partners to help you make the right strategic decisions to embed Security by Design. GHD Digital bring an ecosystem of partners with innovative cyber security solutions that help protect critical infrastructures. GHD Digital develops three-pronged (asses, protect and manage) cyber risk strategies.
For more information, connect with our professional:
Sunil Sharma
Digital Risk and Cyber Security Practice