Cyber risk and the energy sector – what can we expect in 2022?

9 Feb 2022

Late last year, Brisbane-based electricity company CS Energy narrowly escaped the full impacts of a sophisticated ransomware attack. Safety and operations at its Kogan Creek and Callide power stations were not impacted, nor were power generation and delivery, but had the attack been successful, power to millions of homes and businesses would have been disrupted.

Unfortunately, ransomware attacks are increasing in number and sophistication, often with devastating effects. For example, the attack on the Colonial Pipeline in May 2021 saw the pipeline close for the first time in decades. With so many high-profile attacks targeting the energy sector overseas, it’s a valid question to ask if New Zealand’s industry is under threat as well.

Is New Zealand the next target?

This year’s NCSC Cyber Threat Report, released last month by New Zealand’s National Cyber Security Centre, reported that incidents affecting nationally significant organisations in the 2020/21 year increased by 15% year on year. This increase indicates that cybercriminals are deliberately looking to disrupt critical services as a means of applying pressure to extort victims, usually for financial gain.

New Zealand can no longer be considered a safe haven from cybercrime – in this digitally connected world, we are as much of a target as the rest of the world. It’s more likely than not that we will see very similar attacks target New Zealand, in line with what we are seeing across the Tasman and globally.

Is the Energy Sector more vulnerable?

While any business or service can be vulnerable to a cyber-attack, there are certain factors to look out for that may make your business more at risk.

Industrial systems, like those in the energy sector, may not be updated or changed for many years due to the long economic lifetime of the assets – sometimes as long as 20 or 30 years. Hardware and software may be too simple, or lack the processing power and memory, to handle the threat environment presented by modern network technology.

This often means there is a mix of security standards available in industrial networks. The devices are also likely to be highly specialised: they rarely run on standard operating systems (like iOS or Windows) and instead require custom software to manage and monitor. These factors can make securing these networks more challenging, but not impossible.

What should the focus be on?

Energy companies, like all New Zealand businesses, should focus not only on defending against an attack but also on preparing to respond and recover efficiently should the worst happen. Boards of directors and leaders should ensure their cyber security teams are evaluating and putting in place the right security measures to adequately strengthen the organisation's cyber security posture.

A full evaluation of your systems, networks and assets is critical to understanding your current position and identifying the weak points in your security. As part of this, it may be a good idea to assess whether current equipment can support authentication options, which can add a layer of protection. It’s worth noting that in the Colonial Pipeline cyber-attack, hackers gained entry through a remote connection, using a leaked password – perhaps the attack could have been thwarted by a multifactor authentication system.

It’s also critical to ensure any unusual activity is quickly identified and dealt with – often cybercriminals will spend time exploring your networks and extracting sensitive data. Constant, vigilant monitoring may help you identify a breach before any damage can be done.

Cybercriminals are becoming more relentless, and no matter how strong your defences are, there is always a risk that your networks will be compromised. The key to a swift recovery is to ensure you have a robust, well-practised response plan that will allow you to quickly get systems back up and running should you be taken offline. For a critical service, this should include network segmentation, adequate backups and communication plans to affected customers. CS Energy’s ICT systems and safeguards had layers of separation and protection, which enabled it to contain and protect its critical infrastructure to ensure continuity of power to Queenslanders – which highlights the importance of getting this part of your cyber plan right.

Next Steps

If you’re looking for independent advice and support to ensure your cyber security posture is sufficiently up to standard, Kordia’s independent cyber security consultancy Aura Information Security can assist.

Kordia also offers a range of managed security services, including our Cyber Defence Operations, which offers 24/7/365 monitoring, as well as a suite of solutions to help you better manage your security.