"For the energy sectors and critical infrastructure sectors, particularly around electricity, we are concerned about nation-state actors," says Tim Daly, chief security officer (CSO) for the Australian Energy Market Operator (AEMO).
"Nation-states are looking to have capability and implants that are persistent within critical organisations," he told the Gartner Security and Risk Management Summit in Sydney on Tuesday.
"We are concerned about Australia being targeted by that kind of activity," he said, because ransomware and other attacks are increasingly being targeted at specific industry verticals.
In the US, municipal governments have been targeted, and the energy sector could be next.
AEMO is working to make sure individual organisations are improving their cyber resilience, as well as considering how they would respond to a coordinated attack against the energy sector.
Supply chain security is definitely a concern, Daly said. Potential problems range from attacks on suppliers such as in the PageUp data breach, to the CloudHopper campaign against managed service providers.
Another challenge is the changing nature of the electricity grid, with the introduction of distributed energy resources such as rooftop solar.
"That's millions of devices, potentially Internet of Things, internet connected, all different kinds of vendors, so that's a fairly wicked supply chain issue that we need to lean into," Daly said.
"It's going to be a challenge over the coming years."
It's about people and culture change, as always
In Western Australia, Horizon Power is already working on improving cyber resilience in its distributed energy resources.
They've been tackling some of the cultural issues while developing their Distributed Energy Management System (DERMS), which is now part of their core strategy.
Horizon serves more than 49,000 customers spread across 2.3 million square kilometres. It handles all three of the elements -- electricity generation, distribution, and retail -- for 38 separate systems across the state.
Advanced smart meters have also been deployed to its customer base.
"We've moved away from that centralised generation and transmission [model], to very discrete units or microgrids which provided electricity to those areas," said Horizon's chief information security officer (CISO), Jeff Campbell.
"We saw customers embracing this concept of being in charge of their own electricity, potentially feeding into connected grids, that they could manage and trade electricity," he said.
The introduction of smart meters has meant that Horizon now has sensors to monitor outages and other faults at every endpoint, in addition to gaining a way to get the telemetry needed for trading. It has also meant they can offer pay-as-you-go billing.
Knowing each customer's usage patterns has proved useful for managing the system as a whole and for predictive maintenance.
On the customer side, customers might have their own devices -- like air conditioners and swimming pool pumps -- behind their smart meters that could be used to access and trade data in order to help make decisions on energy use.
The challenge in using smart meters, however, was integrating everything into microgrids as these new devices were not initially part of the network's SCADA-based operational technology (OT).
"The OT team, initially, when they saw some of this stuff were a little bit resistant from a cultural perspective," Campbell said, but some management actions have proved to be useful.
First, they embedded some of the SCADA team within the DERMS project.
"I think a lot of us in the security space tend to have a good corporate IT knowledge around security, and we try to apply that in SCADA. It doesn't quite work," Campbell said.
"We kind of did the reverse. We took [someone with] an engineering background, someone that was familiar with the SCADA systems, [and] embedded them in the IT corporate system, in the security team."
Horizon also started taking OT engineers to briefings at the government's Joint Cyber Security Centre (JCSC) to bring them up to speed on current threats.
They've also been "a little bit less stringent" in their hiring practices. A recent engineering graduate with "the right attitude and the passion for the work" might work better than someone who's already set in their ways and won't change.
Horizon has hired a number of engineering graduates, sent them to SANS Institute courses on the security of industrial control systems, and transferred them into the IT security team.
"It's amazing the insight they can bring just from their basic engineering background."
When Campbell first started at Horizon, the company didn't do police checks, or even any security vetting for employees in positions of trust. That was changed.
"You've seen all the breaches, and seems to me that it's either a disgruntled employee, or someone that's had access before, or someone internally, or largely malware getting through, and it always seem to happen in the corporate environment," he said.
"If we can start to provide a stronger vetting process around those individuals that manage and access, particularly in the outsourcer space, it provides that extra assurance and governance around how we look after our environment."
Adopting the cloud forces an upgrade path
As with many complex operational environments, Horizon does face the problem of legacy systems.
"There are some systems which we just can't touch," Campbell said.
"If we go and patch them it'll break something. But I think as we move to cloud, and we start to adopt more of the cloud services, it kind of forces an upgrade path to move out of legacy systems.
"In some instances we've looked at data diodes, just to protect some of those critical systems. That would be, I guess, a deployment of last choice. But you have to be flexible enough to look at different toolsets and different paradigms of how you deploy some of these controls."