A fresh approach to cyber security in the energy sector

By Michael Warnock, Australia Country Manager, Aura Information Security

As we approach the middle of 2019, organisations the world over are continuing to brace themselves for another busy year of cyber-attacks. For many, their natural defence mechanism is to deploy new technology and create better processes. Unfortunately, what most fail to recognise is that it’s actually their people that are often the weakest link in the cyber security chain.

Most people only really care about cyber security when they are a victim of an attack. And by then it can be too little, too late. The good news is there are fresh options to improve cyber awareness and improve the culture of the organisation.

In the energy and utilities sector, cyber security is becoming increasingly important – particularly as more operational systems move to digital.

Modern plants are a mix of operational technology (OT) and information technology (IT) systems, and while technological advancements have brought many benefits to the energy sector, they’ve also opened up a Pandora’s box for cyber security. With the crossover of IT and OT systems, cybercriminals now have the ability to knock out a power grid, something that would previously have been isolated from IP-based networks, and they can do so from anywhere in the world.

Cybercriminals have two key objectives – getting their hands on personal and financial data and creating as much disruption (whether that be to a service, a business or an individual) as possible. It goes without saying that if cyber security is not managed properly, it will only be a matter of time before we see a large-scale interruption of a utility service.

The cultural change opportunity

There is a good opportunity for utility industry leaders to rethink their approach to cyber education and build that into the culture of the organisation. Cyber education is not something people should do every 12 months with a few questions; it needs to be continuously reinforced.

There are three pieces to cyber security resilience: people, process and technology. For the past 12 to 24 months there has been a big focus on processes and technology, but unfortunately people still click on things they shouldn’t.

Australian utilities are at risk so the conversation needs to be non-technical and presented to the business across all stakeholders. It also needs to be a key topic of discussion at the Board level, particularly as it’s the Board who can fall foul of the law when it comes to Europe’s General Data Protection Regulation (GDPR) and our Notifiable Data Breaches (NDB) scheme regulations.

There is also a risk of personal information exposure, and the punishment resides at the business owner level; however, as we have seen, contractors can slip up, causing brand damage. In the SME market, businesses are often targeted by cyber criminals looking to use ransomware to extort money.

With many people still not believing cyber security to be a concern, there needs to be an all-in approach which can only be achieved by changing the organisation’s culture.

Raising the profile of cyber awareness

If security isn’t top of mind for most people, let’s look at a few ways to improve awareness and hence bolster resilience.

  • Start by giving people an education tool, which covers good practices for passwords and phishing, and allows them to consume it at any time. And make sure they do refresher sessions on a regular basis, not just once a year.
  • Complement that with visual signs such as posters around the offices to get people talking about the importance of cyber security.
  • An underutilised resource for cyber education is gamification. An online gamification approach to security makes cyber more social and adds to the visual reinforcement around the office to constantly remind staff that this thing is real.
  • The tried and tested workshop can also be good for communicating to senior management. But make sure you put war stories in front of them. General staff need some gamification and an app-driven approach to make the experience fun, as opposed to going into a room, listening to presentations and then working out where to go from there.
  • This may be simple, but put cyber security on the agenda. Every senior management or board meeting should at the very least address the topic of security and what is being done to ensure the organisation, and its people, are aware of the risk.

Keeping up with the dos and don’ts

With the right tools and awareness the culture of an organisation will change, but to maintain a good standing – and keep up with evolving threats – it’s important to develop a process for monitoring and managing your cyber health.

As the old saying goes, if you can’t measure it, you can’t manage it. So do some testing, such as simulating a cyber-attack, then review how it was handled and make appropriate changes if need be.

For example, by simulating a phishing attack on users before and after the deployment of a cyber education platform, you can measure a drop in the success of the fake scam. In my experience larger organisations understand this, but SMEs are still struggling due to a lack of budgets or general security discussions.

Getting stakeholders from the business to review what’s happening in cyber and come up with ideas to improve education and culture takes time, but making the environment “fun” has a direct effect on people’s willingness to learn.

In one good example, a large enterprise used an email newsletter to highlight to staff who had done well in cyber. Proactive rewards and recognition are good, and your fresh approach should be rewarding and more “carrot than stick”.

You can measure staff participation for a learning management system and this should be done as part of an ongoing program. Also, make sure this information gets pushed out to the wider business.

It is possible to get good culture into other areas of the business; however, the owners must share success stories. Making sure the benefits are seen all across the business is imperative – there is no point having two organisational units with lax security as the bad guys can get in there too.

With new tools and a fresh approach, cyber security awareness should be easy to use and customised, and should deliver the ability to move education to front-and-centre of people’s working lives.

Utilities keep Australia ticking so it is vital for these organisations to have systemic cyber awareness programs. Let’s keep the country running without the threat of disruption.