How Australian utilities can strengthen cybersecurity ahead of regulatory changes

Utilities can benefit by getting ahead of changes to regulations aimed at boosting the resilience of Australia’s critical infrastructure.

Proposed updates to Australia’s Security of Critical Infrastructure (SOCI) ACT 2018 are set to impose new Positive Security Obligations for a broadened scope of entities and Enhanced Cybersecurity Obligations for entities considered systems of national significance.

Utilities that are planning to take a “wait and see what gets ratified” approach will have a longer journey to compliance and will be exposed to more than just regulatory risk given the increase in number and sophistication of cybersecurity threats targeting them and the use of legacy systems. Getting ahead of proposed changes also allows utilities to spend the costs of addressing compliance gaps via a staged program, rather than one big expense at the end

We advise organisations to boost resilience against those threats and be ready to make the most of current digital innovation by embarking on, or doubling down on several “no regret” areas of focus. A holistic, and for many, long overdue cybersecurity program and secure-by-design initiatives should be sponsored by the boardroom and executive, and include three key elements:

1. Framework - Build a control assurance framework aligned to your business objectives to understand your critical assets, the risk scenarios your organization faces, and the current state of your controls mitigating the likelihood and impact of these risks.
2. Governance - Inform and educate the Board to enable them to be accountable for cybersecurity risk management.
3. Incident Response - Build muscle memory in responding to cybersecurity incident, including the ability to monitor, respond and promptly recovery from any incident. 

Industry drivers are broadening the attack surface as cybersecurity threats increase

Australia’s power and utilities sector is transforming at breakneck speed. Three drivers are altering every aspect of operations:

• Decarbonisation:  An increase in renewables is creating challenges around forecasting supply/demand, maintaining network stability and ensuring security of supply. Energy companies are reshaping to protect value chains in the long term.
• Decentralisation: The declining costs of solar photovoltaic (PV) technology and battery storage are accelerating the uptake of distributed generation. As more customers become prosumers, the grid will need to accommodate increasing amounts of two-way energy flows.
• Digitisation: Managing the implications of decarbonisation and decentralisation requires networks to invest more in digital technologies, including demand management tools and storage solutions, to ensure network stability.

To overcome these obstacles and in lieu of appointing cybersecurity specialists to the Board, Boards will require a degree of cybersecurity education and awareness, as well as, fit-for-purpose cybersecurity risk and metrics reporting from management. Once they better understand cybersecurity risk, Board members can more effectively manage it as they do for all the other risks within the organisation.

3. Build muscle memory in cybersecurity incident response

With the addition of the Governance assistance regime, some utilities may be thinking that if they do have a serious cybersecurity incident, “don’t worry, the Australian Signals Directorate has it covered.” Others may be questioning whether the increased role of government in responding to cybersecurity incidents, as mandated by SOCI, will deliver the best outcomes for the company, its workforce, and customers particularly as each organisation has different processes, technologies and staff health and safety requirements. Regardless, utilities should be planning how they will respond to a cybersecurity incident. This should include gauging their ability to comply with the new mandatory reporting obligations.

Beyond planning, companies should also be rehearsing incident response and performing tabletop simulations. If you have not conducted one since the pandemic forced the majority of the workforce to work remotely, it may be a good time to dust off your incident response plan and see if it lives up to the new normal. Additionally, ransomware should be one of the top scenarios utilities should exercise. 

Building the digital energy firm of the future

SOCI’s proposed requirements for lifting cybersecurity processes and standards may appear daunting but the changes respond to an existing and growing need for companies to uplift the function. Strengthening capabilities to defend against new threats to a digitised, decentralised infrastructure should not be seen as a compliance exercise but an opportunity to lay the groundwork for greater digital innovation. Five years from now, the utilities will require very different cybersecurity capabilities from those of today. They will operate within a large complex, interconnected digital ecosystem. Protecting this ecosystem requires an approach that is simplified and automated where possible, and able to operate at scale with visibility of the converged risks across IT, OT and IoT. Investing in a cybersecurity program that plays catchup will not be adequate.

Those companies that act now to evaluate and improve their cybersecurity approach will build a resilient, intelligent utility fit for the future.