Across the globe, countries are transforming their critical infrastructure industries, as the physical and digital worlds continue to converge at an astonishing rate. At the same time, global cyber threats are becoming increasingly sophisticated, with threat actors developing an eye for bigger and bigger targets. In this context, several experts have pointed out that Australia’s electricity sector is concerningly unprepared for a cyber-attack. 
The electricity market is part of Australia’s critical infrastructure, designated as an asset that is vital for the functioning of our economy and society. Essentially, an unsafe and unsecure electricity market would have unprecedented and far-reaching consequences for the entire country’s social and economic wellbeing. Unfortunately, as the Australian Energy Market Operator (AEMO) puts it, “the maintenance of the security of the power system against malicious cyber-attacks is a vexing and growing reality of our times”.
There is no doubt that the cyber threat among the electricity industry, and many other industries for that matter, is severe and intensifying. Rachel Noble, head of the Australian Cyber Security Centre explains that “the scale and impact of malicious cyber activity, by those seeking to harm or disrupt Australians, is increasing”. Specifically, Australia is home to one of the longest single electricity grids – spanning over 5,000 kilometres from Port Douglas to Tasmania – that delivers power to the majority of the country. On top of this, Australia is one of the biggest energy exporters in the world, and holds the unfortunate record of being one of the first nations to experience a cyber-attack on critical infrastructure after the Maroochydore sewage system attack in 2000.
In this context, the “opportunity to conduct a high-impact attack is significant”, Accenture explains. In a 2018 report, consulting firm Accenture confirmed that studies indicated a “very high chance that a targeted attack against a major Australian critical infrastructure operator will inevitably have a significant impact and could occur at any time”. Unfortunately, the report yet again found that the industry was “unfamiliar with the threat environment, understaffed to meet the challenge and underprepared to respond”.
Dr Alan Finkel, Australia’s Chief Scientist, conducted a review in June 2017 into the Future Security of the National Electricity Market. In his review, Dr Finkel explains that, as Australia braces for the massive industrial and technological changes facing our electricity system, we must focus on being well-prepared to ensure security, reliability and affordability. He went on to suggest that “Australia has a once-in-a-generation opportunity to reshape our electricity system for the future”, making a series of recommendations aimed at improving the industry’s currently lacklustre cybersecurity policies and attitude.
In 2018, the Security of Critical Infrastructure Act 2018 was passed with the aim to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure”. By 2018 the first annual report from the AEMO was released, and there was hope that significant improvement must have been made. However, this was not the case. Indeed, the AEMO “completed a stocktake and concluded that the current provisions in the national energy regulatory framework are inadequate to address cyber security risk to the National Electricity Market”.
Then in late 2018, in response to AEMO’s insistence on improved security maturity, the organisation teamed up with the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) to develop a nationwide program of cybersecurity resilience and response activities for the electricity industry, actively working with both energy sector organisations and government agencies. Throughout 2019 the program engaged with 100 participants from 50 industry partners and government agencies, including through “cyber security incident response and exercise training, information exchange sessions on operational technology systems, and presentations on government cyber security arrangements, red teaming and industry uplift programs”.
The significant cooperation, coordination and response to this evolving threat from within the industry is notable, and only time will tell if the industry will continue to address these problems effectively. Either way, the concerted response is unfortunately uncommon. Many organisations fail to prepare, invariably choosing to be reactive rather than proactive when it comes to the cyber threat, and simply not understanding the value that comes from effective cybersecurity integration. On the other end of the spectrum are the organisations that have paid attention to cybersecurity and acted accordingly, only to forget their responsibility to continuously revise and evolve their strategies. The task of cybersecurity is daunting and endless. Fortunately, this is where experts such as Agilient come in – we work closely with our clients to understand, prioritise and manage their cybersecurity needs in order to address the issues of today, while also preparing them for the challenges of tomorrow. Contact us today to find out how we can help you improve your cybersecurity practices.
Author: Elsa Chapple