Strengthening cybersecurity maturity and improving operational resilience

A large energy distributor in Australia, supplies electricity to over 200,000 residential and business customers and 146,000 gas customers. They also provide 24/7 emergency response during blackouts and disasters. 

As the power utility’s critical infrastructure becomes increasingly digitalised, the more exposed it becomes to security threats and malicious attacks that can compromise operations. Breaches in their electricity and gas assets could lead to prolonged downtime and financial losses. Failure to comply with industry regulations could result in fines and penalties. They wanted to perform a high-level architecture review to uplift security across their systems but were left wondering where and how to start.

GHD Digital’s Cyber and Risk CoE was engaged to understand their current cybersecurity posture and help address regulatory obligations, including those outlined in the Security of Critical Infrastructure (SOCI) Act. 

First, we assessed the power utility’s current state maturity against the Australian Energy Sector Cyber Security Framework (AESCSF). While the AESCSF is a voluntary assessment program, it is also a framework that organisations can select to comply with to meet their SOCI obligations. The AESCSF developed for the Australian Energy Sector closely aligned with other industry standards for operational technology (OT), that provides owners and operators of energy assets a framework and guidance to evaluate and strengthen their cyber practices.

Our cybersecurity consultants, who achieved the International Society of Automation Cybersecurity Expert Certificate, examined the client’s current technical controls (hardware and software components) and their effectiveness against the International Electrotechnical Commission (IEC) 62443 Security for Industrial Automation and Control Systems standard. The IEC 62443 is part of a series of standards endorsed by the United Nations that define the requirements to address the cybersecurity of OT and industrial automation control systems. 

The framework and capability assessments helped us develop a risk-based roadmap that detailed priority areas and investments to close gaps and achieve the client’s targeted level of maturity. This roadmap aimed to guide the power utility to future-proof their assets and strengthen their frontline of defence against threats that are becoming more sophisticated.

The assessments resulted in a more detailed picture of their system vulnerabilities and corresponding countermeasures. 

Through this partnership, the electricity and gas distributor now has an in-depth cybersecurity strategy with a clear list of priorities towards achieving their desired maturity level. They have better visibility of their regulatory obligations and ideal courses of action to mitigate risks. In addition, the roadmap informs their management practices, future planning and investment decisions.

As our client bolsters their cybersecurity posture, they become better equipped to protect assets from diverse threats and improve operational resilience, enabling a more reliable supply of electricity and energy to their stakeholders.  

Connect with us and take the next steps to improve your cybersecurity posture and build operational resilience.