Australia’s east coast boasts the largest interconnected electricity network in the world, and our entire network extends around 918,000 km.(1) As one of the world’s largest energy exporters, the nation’s critical infrastructure is already under threat.
According to research on securing the industry, cyber attacks on global critical infrastructure are trending upwards with a year-over-year increase of around 5%. Even this gradual increase is particularly concerning because utility companies remain a top target for nation-state actors seeking to disrupt Australian society.
Pressured by the ongoing Fourth Industrial Revolution and the constant need to meet the country’s high standards of supply, the utility sector is undergoing a massive transformation largely informed by Information Technology (IT).
While this will undoubtedly bring great improvements in performance and profit, what risks does this innovation pose?
The industry is rapidly modernising infrastructure and integrating digital solutions into operations in order to lower emissions, increase efficiency and continue to provide affordable power to Australian consumers. However, this digital transformation exposes critical infrastructure to a myriad of new cyber-threats, and the industry is particularly vulnerable due to its lack of security investment.
As with many organisations, attackers often succeed in compromising critical infrastructure via the company’s corporate office or administrative environment. Once inside, they traverse into the operational technology (OT) environment by circumventing multiple security controls. With progressively sophisticated attacks frequently bypassing the low-maturity security controls in place, the utility industry must strive to stay ahead of these cybercriminals. This has been a more difficult task than anticipated; securing unmaintained legacy systems and changing to digitally native technologies are proving to be particularly challenging. Furthermore, utility companies’ ability to detect and respond to attacks has traditionally been quite low, and with employees working remotely there has been more substantial opportunity for attack.
The true costs of cyber crime against utility organisations are extensive.
According to research conducted by the Ponemon Institute, 56% of utility companies report at least one major security incident that leads to a shutdown annually and 54% expect an attack in the next 12 months. As previously mentioned, this sector is highly targeted by state-sponsored cyber actors, and Advanced Persistent Threats (APTs) are therefore unfortunately quite common. By nature, these attacks typically go undetected for extended periods of time.
The damage that a shutdown or safety incident can inflict extends beyond the confines of the plant operations and business efficiency. According to the Ponemon Institute’s report:
- 60% of incidents involve damage to equipment and cause physical risks to employees and contractors;
- 68% of attacks steal high value confidential information; and
- 69% cause major environmental incidents.
As evidenced by these statistics, a shutdown threatens individual lives, the surrounding ecosystem, national security and sovereignty, and further, has reputational costs that can affect our global trade and economy.
Recommendations for the Industry
Reassess security spend and invest in Detection and Response.
With rapid modernisation further exposing organisations to an already relentless threat landscape, security investments cannot be an afterthought. It is essential that organisations have sufficient technology that actively looks for threats and eliminates them before they have the chance to cause outages. For more information on the benefits of detection and response, read our blog.
Obtain sufficient coverage for both IT and OT.
Less than a third of utility companies believe that their OT and IT security approaches align. This indicates that there may be considerable room for exposure here. The sector should have full visibility over both its IT and OT environments and further, have adequate security controls for each.
Implement employee training and scout out skilled staffing.
In any organisation it is crucial to have not only the right technology, but also the right people to detect and respond to an attack. As we have discussed in a previous blog post, security training is one of the most strategic security controls an organisation can implement. It can turn people from a security problem into a security solution and ensure critical operations are secured with heightened human defence.
Secure board involvement.
Following our post on the importance of management in any information security strategy, it is crucial that board members and executives recognise the critical nature of cybersecurity. When executives understand that cybersecurity is about managing risk and sustainability, this is more likely to lead to increased security resources and an amplified awareness throughout the business.
Utility professionals must work collaboratively with information security professionals.
As IT continues to drive innovation in critical infrastructure, information remains one of the most vital assets. Securing this data and the processes it upholds requires the right levels of both expertise and complexity. Utility and IS professionals should collaborate in order to craft solutions that meet the industry’s evolving issues.
Ibid: pg. 14.
Caught in the Crosshairs: pg. 18.