Rob Anderson, PSC’s Cybersecurity lead, had a virtual sit-down with Brad Flanagan, Head of Cybersecurity at Essential Energy, to talk about securing power utilities’ SCADA environments, the impact of new security legislation for critical infrastructure and the Australian Energy Sector Cybersecurity Framework (AESCSF).
RA: Applying IT-based cybersecurity practices to critical infrastructure to protect OT (Operational Technology) systems is in many ways an avant-garde approach. What was your career path into your current role?
BF: My background is in technology. I joined PWC South Africa as a technical consultant in 2003. In that role I mostly worked on large-scale transformation programs – effectively working in both technical and non-technical roles. This included a large project to digitize South Africa’s social security identification system.
When I transferred to Australia, I joined PWC’s audit team, which is where I picked up a lot of experience in standards and compliance. From there I moved into the technology risk team, which fell under the cybersecurity team. My focus wasn’t super technical. While I was happy to roll my sleeves up to do things like firewall reviews, I mostly worked in governance and strategy.
Based in Brisbane, many of my clients were large mining operations and utilities, which gave me a lot of practical exposure to SCADA (OT) environments, essentially performing security testing in PLC environments. It was pretty interesting and challenging since every SCADA (OT) system is very different and unique. Working in these environments makes me feel like a perpetual student of OT.
That was my journey until now. Mostly very consulting based, so I was keen to join an organization where I could be part of the end-to-end journey. Effectively being able to help an organization get to their eventual endpoint by implementing a robust cybersecurity strategy that improves the organization’s overall cybersecurity posture.
RA: You are stepping into the role of Head of Cybersecurity at Essential Energy, at a time when the government is driving new legislation that is effectively angled at securing critical infrastructure, or as they put it, systems of national significance with a big focus on OT security. How are you planning on approaching the legislative requirements and more specifically how are you looking at approaching cybersecurity in OT?
BF: It’s no longer about security technologies and platforms. That is an undeveloped and dated way of looking at cybersecurity. Cybersecurity has moved on from that kind of thing. My approach is to mature Essential Energy’s cybersecurity posture by setting a solid cyber strategy and implementing the necessary governance. I only joined Essential in July, so it’s early in the process. But an essential part of the process that we are working on now is educating the business and working with stakeholders to bring them along for the journey. Effectively educating process and system owners on the risks to their systems and processes is fundamental early in the process. There is additionally a ‘re-badging’ of the cybersecurity team to make sure their efforts are focused on threat identification and mitigation, and not being distracted by technology implementation and platform support functions.
RA: So how does AEMO’s AESCSF fit in with this?
BF: We are using the AESCSF security standard as a baseline. We’re preempting that we will need to comply with that, that it will be legislated. However, we’re also adopting and aligning our OT SCADA systems with the IEC62443 standard. Engineers are better at working to IEC frameworks, they are a better fit in these environments.
RA: So you’re taking a dual approach? AESCSF for Corporate IT and IEC for SCADA?
BF: The plan is to have a single function that manages both. We will use common administrative and logical controls where possible.
The AESCSF is good for IT and telco, but the IEC62443 is better in OT. The plan is to apply the AESCSF holistically and use the IEC62443 standard to give us the granular detail we need in OT. The trick with IEC62443 though is not to implement all of it since you’d end up gold plating an environment that doesn’t necessarily need it. We will look to use the parts of the IEC62443 that get us to the desired maturity level and leave it at that.
RA: Have you evaluated your maturity against AEMO AESCSF?
BF: Yes. For the past three years in a row.
RA: What do you think about industry uptake of the framework considering governments’ push for cybersecurity in systems of national significance?
BF: I think the uptake has been good. If you’re a cyber person that’s been saying ‘there are problems in this sector’, the government’s push for regulation and the pending legislation speaks to this. Having a consistent framework is beneficial. It’s helpful to have a common understanding.
RA: Do you think the industry is sufficiently resourced to implement AESCSF if it becomes mandatory?
BF: No. Achieving ML3 (Maturity Level 3) requires a large amount of effort, money and resources. If you’re a smaller energy player, there’s a lot of effort involved. I’m not sure how smaller players will manage it.
RA: What do you see as the key issue in using IT cybersecurity controls in an OT environment?
BF: OT by its nature is specialized to its industry and application. Using standard IT cybersecurity tools or approaches can therefore present problems. For example, running a standard vulnerability scanner in a legacy OT environment will highlight hundreds of vulnerabilities, and fixing these vulnerabilities will not be trivial, since these systems cannot simply be patched or taken offline. This is an industry-wide problem and is not a simple fix.
RA: And then the complications of protecting assets that were previously air-gapped and built to last 60 plus years running 30-year-old digital technology?
BF: Yes. OT systems weren’t built with cybersecurity in mind, and some of these components were built to last many decades. There are also cultural and technological differences that complicate things further. For instance, you can’t just patch in an OT environment. Remediation for each asset becomes a project in itself. This needs to be done in a very careful and thoughtful way.
RA: What are your overall thoughts about cybersecurity in the electricity sector?
BF: Up until a few years ago cybersecurity functions within organizations were siloed. Cybersecurity practitioners in OT didn’t talk to their counterparts in IT and vice versa. This is now changing as organizations begin to see the benefits of OT/IT convergence. Convergence is a way we govern the environments consistently. Having good IT and OT cybersecurity communication and governance ensures that weaknesses in systems on either side of the fence can’t be exploited; a weakness on one network can be exploited to gain access to downstream networks on the other side of the fence. This requires IT and OT to be communicating and working together.
RA: And attacks are becoming very sophisticated, aren’t they?
BF: Yes. We are actually now seeing attacks that specifically target the electricity sector.
RA: What would be your key takeaway for anyone looking at cybersecurity in the electricity sector?
BF: Cybersecurity is about mitigating risk, much like any other risk an organization must address, whether it’s health, safety, reputation or corruption. The best approach has strategy and governance at its heart. Cybersecurity is not a technology or platform thing. It touches on every part of an organization and requires a clear set of goals that everyone can understand and work toward.