Asset management gaps in the utility sector across Australia are opening it up to cybersecurity risks.
According to the Australian Energy Market Operator (AEMO), “Protecting the Australian energy sector against increasingly sophisticated cyber threats is a matter of national importance – not only to ensure the integrity and reliability of electricity supply via the grid, but also for economic stability and national security purposes.”
Adding to the complexity is the increasing convergence of IT and operational technology (OT) in utilities. While this convergence brings many benefits, it also increases the attack surface. Unsecured OT can also give savvy attackers a route back into an IT system that may otherwise be perfectly secure. And when it comes to critical infrastructure such as utilities, the risk to society is great.
A recent report from the Australian Strategic Policy Institute pointed to the fact that, among Australian critical national infrastructure providers, the level of maturity and understanding of the specific risks of OT systems lags behind that of IT systems. It reads, “There’s a shortage of people with OT security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience. Mandating or recommending standards could help boards understand what’s expected of them, but it isn’t clear which standards are appropriate for managing these risks.”
Forescout senior director systems engineering Asia Pacific and Japan Steve Hunter says, “While these risks have been growing for a while, there is now a driving force for addressing them, with the government and industry bodies taking steps to ensure action is taken.”
AEMO, in conjunction with industry and government partners, has developed the Australian Energy Sector Cyber Security Framework (AESCSF), which provides a foundation for the sector to be consistently assessed and the insight to uplift cybersecurity capabilities and strengthen cyber resilience.
Mr Hunter said, “This increasing pressure is putting new demands on CIOs and CISOs in the utilities sector now tasked with protecting this entire ecosystem. The reality is, however, that no organisation can be expected to understand that of which they don’t know, and a key part of addressing this knowledge gap is to have complete device visibility and control across IT and OT.
“Cybercriminals often get access to OT through contractors and third-party vendors. Devices are installed onto the network to make workers’ jobs more efficient but the IT team either isn’t alerted to their presence or can’t see them via existing asset discovery processes. Vendors come in and do their job, then leave devices behind or leave decommissioned assets connected, creating rogue devices that aren’t managed and secured. This creates potential to take the organisation down with a single attack.”
Utilities can protect themselves by gaining full visibility into all the devices connected to the network, understanding what’s connected at all times and managing those connected devices to prevent unauthorised access to the network.
Steve Hunter said, “When it comes to asset discovery, utilities should carefully start with the system critical services and work in priority order to identify: what assets support the process; what hardware and software run on the assets; what network topology supports them; and what endpoints, devices, and non-network connected devices really constitute the asset in its entirety.
“Utilities should put in place a framework of controls from asset discovery, hardware, and software asset management, configuration management, and vulnerability management, to building a blueprint for efficient and measurable risk reduction.”