Infrastructure complexity a cybersecurity concern for Australian utilities
A side effect of the increasing complexity within the core infrastructures of Australia’s electricity and water utilities may make them more susceptible to cyber attacks, experts have warned.
In the case of the electricity grid, complexity is being created by the growing number of small producers feeding power into the grid. The output from wind farms and solar arrays must be carefully monitored and controlled to ensure that they do not have a detrimental impact on stability; however, this control may well be the subject of cyber attacks.
In the area of water supply, the growing number of sensors and automated controls is leading to more interconnected grids. Operators must juggle the challenges of maintaining supply and efficiency with preventing cyber attacks against essential infrastructure.
“What we are talking about is a rapidly increasing attack surface for cybercriminals,” said Ivan Fernandez, Industry Director at analyst firm Frost & Sullivan. “Infrastructures which, until now, have operated in isolation are being connected in ways never before imagined.”
The impact of renewable sources
Speaking during a roundtable discussion on cybersecurity in the utilities sector, Fernandez pointed to the fact that in the electricity sector, the growth of renewable generation is changing the game for providers. Around 700 MW of renewable generation capacity was brought online in Australia during 2017 and even more is being rolled out this year.
“Energy Networks Australia and the CSIRO estimate that more than 40% of customers will have adopted on-site generation by 2027,” he said. “In addition, the mainstreaming of smart meters opens up more security issues that will need to be addressed.”
In the water sector, Fernandez says water providers are increasingly shifting to decentralised treatment plants, more complex recycling and resource recovery systems, and smart water meters, all of which require increasing levels of connectivity for monitoring and control.
“We are likely to see a rising number of cyber attacks directed at the SCADA systems that sit at the heart of these infrastructures,” he said. “They will be open to threats with which they were never designed to withstand. It’s a clash between traditional operational technology (OT) and new information technology (IT).”
The IoT introducing new challenges
Giovanni Polizzi, Energy Solutions Manager at technology company, Indra, says the challenge of implementing effective security is becoming even greater with the emergence of the Internet of Things (IoT).
“You have a growing number of devices across the utility infrastructure that have never before been connected to the internet,” he said. “This may create security issues as it opens new opportunities for cybercriminals to launch attacks.”
Polizzi says operators of OT systems need to look to the IT world to understand the types of preventative security measures they need to put in place. “A close collaboration between IT and OT teams is the best way to understand the challenges being faced and the steps required to overcome them, but also a great opportunity to strengthen the security of the entire infrastructure – both IT and OT.”
Urgent action required
Phil Kernick, Chief Technology Officer at CQR Consulting, says the cybersecurity challenges within utilities are not something that will emerge in the future, but need to be addressed immediately.
According to Kernick, an economic imperative needs to be found for utility operators to get their cybersecurity up to scratch because, at the moment, this doesn’t exist.
“Utility companies are profit-driven and so why should they be expected to volunteer to spend more on IT security?” he asked. “There could be an argument that this is a situation where government needs to step in and wield a big regulatory stick.”
Carsten Rudolph, Associate Professor at Monash University and Director Oceania Cyber Security Centre, says while high-profile cyber attacks tend to gain the most attention from those in the sector, this is not where the minds of management should be focused.
“Utility companies need to be focused on identifying and putting in place the necessary protective mechanisms that will counter the threats,” said Rudolph. “Operators also need to be able to identify attacks as soon as they occur and undertake remediation. It’s not realistic to expect to be able to build totally secure infrastructures, so being able to react quickly is vital.”
Scott Robertson, Vice President Asia Pacific and Japan at security company Zscaler, says while the challenge can appear somewhat daunting, tackling the issue of cybersecurity doesn’t have to be a difficult process for utility companies.
“We are certainly not saying that they have to triple their spending on security measures,” he said. “Tools already exist that allow preventative measures to be put in place quickly and effectively. It’s a matter of establishing where the threats exist and selecting the best tools for the job.”
Roundtable participants agreed action is required across the utility sector if cyber threats are to be countered and disruption to essential services disrupted. “It’s an issue that needs to be addressed immediately,” said Fernandez. “Failure to do this could have dire consequences for the nation.”
BlueScope is backing the NSW Government's renewable infrastructure plan through a $20 million...
CSIRO signs new agreement with US partners for a transformational power generation technology.
Konica Minolta has partnered with Edith Cowan University to boost the university's capability...