The status of remote working is an interesting and dynamic one. On the one hand, employees do appreciate the flexibility and potential for work-life balance, and being able to work remotely frequently appears as a top priority in job searches.
On the other hand, there are some significant challenges to grapple with to enable that, especially around cyber security, and the energy sector is definitely feeling that.
Why is the energy sector vulnerable to cyber attacks?
One of the big challenges that the energy sector faces is that it’s not just remote work that’s driving holistic change across businesses and their use of technology. The entire sector is going through some massive transformations.
As noted by EY: “As the nation’s energy landscape transforms at high speed, adding new types of generation, battery energy storage systems and smart grid technologies, the importance of cybersecurity has never been more pronounced. Businesses in the sector must not only embrace innovation but also fortify their defences against evolving cyber threats.”
All of these transformations also involve the adoption of new technologies and business models, such as renewable energy sources, smart metering, distributed generation, and virtual power plants. These, in turn, rely on the digitisation of operational technologies (OT), which control the physical processes and equipment in the energy system.
Take, for example, industrial control infrastructure. Traditionally, it might take a field engineer days to drive out to a location and adjust the valves. This OT is now being connected to network systems for remote access for very good reasons: being able to manage the valve remotely enables a more efficient and responsive business.
It also means that bad actors could reach the control from anywhere in the world if it's not secured well. This is a big problem, because OT systems have traditionally not been designed with cyber security in mind, and may have vulnerabilities that can be exploited by these malicious actors.
How does remote working increase the cyber security challenges?
So, essentially, the energy sector is in transition. It’s adopting new technology for the first time, and OT teams are, often for the first time, grappling with the reality that they’re now exposed to cyber security threats.
Remote working becomes a problem because the IT and OT teams, which have typically been siloed, now need to collaborate, and they don’t necessarily speak the same language. Or, alternatively, the OT team is also tasked with managing the IT environment without necessarily being prepared to support decentralised IT environments, from a cyber security perspective.
Letting them work remotely subsequently throws up problems, such as:
- Phishing and social engineering: Teams may receive fraudulent emails or calls that attempt to trick them into revealing sensitive information or clicking on malicious links or attachments. The risk of this is higher when teams are interacting with other lines of business that they're less familiar with than their own.
- Unsecured devices and networks: Employees may use personal devices to log into the network, or public Wi-Fi networks that are not properly secured or updated, exposing them to malware or interception. These can compromise the integrity or availability of the data or systems they access or transmit.
- Insider threats: One of the biggest risks, particularly in decentralised environments in sensitive sectors, is that employees may intentionally or unintentionally leak or sabotage the organisation's data or systems, either for personal gain or under coercion. Again, the risk of significant damage is higher when collaboration between teams means that data and applications are opened up to more people.
- Third-party risks: Employees often rely on external service providers or vendors that have access to the organisation's data or systems, and whose networks might be hostile. In interacting with those services, the providers become a weak link in the organisation's cyber security chain and expose it to breaches or incidents.
These are all security challenges that all organisations face. However, the risk is substantially higher when workers are remote and collaborating without adequate monitoring, policies and controls in place.
How can the energy sector address the cyber security challenges?
The energy sector needs to adopt a holistic and proactive approach to cyber security, especially in the context of remote working. Some of the key steps include:
- Conducting regular risk assessments and audits to identify and prioritise the cyber security threats and vulnerabilities facing the organisation, and implementing appropriate controls and mitigation strategies.
- When working with partners, granting remote administrative access only to Australian companies and their personnel who have undergone rigorous vetting procedures. Remote administration from unvetted overseas assets can cause unacceptable risk to the integrity of Australia's generating capacity.
- Developing and enforcing clear and consistent cyber security policies and procedures that cover all aspects of remote working, such as device management, network access, data protection, incident response, and user awareness and training.
- Investing in cyber security technologies and solutions that can enhance the protection and resilience of the organisation’s IT and OT systems, such as encryption, authentication, firewall, antivirus, backup, and recovery.
- Collaborating and sharing information and best practices with other stakeholders in the energy sector, such as regulators, peers, customers, and suppliers, to improve the overall cyber security posture and readiness of the sector.
- Engaging and educating the employees on the importance and benefits of cyber security, and the roles and responsibilities they have in ensuring the cyber security of the organisation and the sector.
It’s also important to be able to source services and technologies from around the world, while remaining compliant with standards such as AESCSF, SOCI and FIRB. A partner like Excite can help organisations with OT be globally competitive and adopt best-of-breed technologies and practices, while also meeting their strict regulatory obligations.
As critical infrastructure, Australia cannot afford for the energy sector to take on excess risk. For some workplaces in the energy sector this may well mean the end of remote working, or at least a gradual phasing out. But that will make recruitment a greater challenge. There’s no reason that remote work cannot be a feature of the energy sector, as long as it’s managed well and proper consideration is given to the unique dynamics around IT and OT that provide such an opportunity and challenge.