Cyber Intel Report  |  March  2021

Australia & New Zealand Energy and Utility Industry Threat Report

Potential to View Cyber Security as Compliance ‘Tick and Flick’

As operators of critical infrastructure and/or contributors to downstream critical infrastructure (such as hospitals and military bases), Australian Energy and Utility organisations have long been aware of the importance of cyber security and were among the first industries to respond with requirements to implement cyber security regulations.


The expectation and requirement for cyber security maturity amongst these organisations is further reinforced by the potential for kinetic and social consequences if they are compromised. This has been the subject of significant public discussion following the release of Australia’s Cyber Security Strategy 2020, which announced an increase in specific legislative and regulatory cyber security requirements for critical infrastructure operators through amendments to the Security of Critical Infrastructure Act 2018.¹ The amendments predominantly broaden the set of organisations considered to be critical infrastructure, which now also encompasses the energy sector (amongst others) in addition to the electricity, gas, water and ports sectors.²

In light of this legislative and regulatory environment, organisations may mistakenly view cyber security as a simple compliance item and adopt unrealistic expectations of technical controls at the cost of neglecting the human element of cyber security. All too often, organisations haphazardly seek to solve their security issues by prematurely purchasing expensive security products that they are not ready to implement at their level of cyber maturity. This often coincides with organisations lacking a strong Cyber Security Strategy that includes security architecture engagement. It also typically coincides with cyber security policy suites, intended to govern user behaviour, becoming gradually outdated and only being updated in a piecemeal fashion. The issues associated with overlooking the human element are exacerbated in Energy and Utility organisations, as operational technology (OT) staff work in unique environments and therefore require additional, specialised cyber security awareness and training.

¹ https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf
² https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-legislation-amendment-critical-infrastructure-bill-2020