Reinforcing cyber resilience and data protection

Material
topics
Responding to climate change

Harnessing the power of technology

Building an agile, inclusive and sustainable workforce

Reinforcing cyber security and data privacy infographic

Year in review

Along the value chain in the electric utility sector, connected technologies such as cloud computing are increasingly being deployed to enhance the visibility of asset performance and improve efficiency.

Facilities such as smart meters and microgrids are collecting ever more information from pro/consumers. Unfortunately, this distributed energy landscape is also introducing new targets for malicious attacks. These attacks can occur in both CLP IT or OT systems:

Information technology (IT): the technology used to support normal business activities and processes (e.g. email, customer databases, finance systems).
Operational technology (OT): the technology used to control, monitor, support or manage systems and assets used to generate, transmit, distribute, deliver and manage electric power.

In a 2019 survey of more than 1,700 utilities professionals worldwide, 56% said they experienced at least one shutdown or operation data loss in the last 12 months. The focus has also shifted from attacks on IT to OT: respondents to the same survey agreed that attacks on their OT system have become a greater threat than those on their IT system. It was estimated 30% of attacks on OT systems remain undetected, and on average 72 days is required to respond to a malware attack.

CLP has had no instances of lost production or any operational shutdown due to cyberattack. However, in common with all companies in the Energy Sector CLP faces attacks on a daily basis, from criminals and other threat actors. In 2019, CLP stepped up its governance on cyber security. Cyber security is not a separate issue that is the sole responsibility of a dedicated department, but a business risk that needs to be managed holistically and integrated into daily operations . CLP's enhanced Group Cyber Security team acts as an in-house advisor and reviewer to help raise awareness amongst staff, and establish the system and tools required to protect information and other systems against cyber risks.

In 2019, there were no customer privacy or data loss cases reported in relation to the retail business of CLP Power Hong Kong. In Australia, four complaints were received, three of which have been formally closed by the Office of the Australian Information Commissioner with no further action required by EnergyAustralia.

Reinforcing cyber resilience and data protection - 2019 Key Metrics

Outlook

Cyber resilience is especially important for companies like CLP which provide critical infrastructure. A cyber breach could have a significant impact not only on the Company, but also on the environment and the economy at large.

As electric utilities become more connected and decentralised, the exposure to malicious attack cannot be eliminated. It is only by embedding cyber security into the mindset of all employees and their daily tasks, and continually enhancing organisational capacity that a company can defend itself or respond promptly should an attack occur.

CLP has been making good progress in building up internal expertise and a strong organisational awareness of the importance of cyber security. As the business evolves and the systems that underlie it change, new vulnerabilities arise.

Going forward CLP will be implementing a range of further cyber security measures at a level of people, process and technology, with the Audit & Risk Committee maintaining an oversight. The Group will also continue its awareness raising and emergency preparedness initiatives, so that employees remain continually vigilant.

Cyber resilience outlook - customer service hotline

Highlights

How CLP has enhanced its cyber security governance, built internal capacity in the area, as well as its performance in relation to safeguarding information protection.

Enhancing cyber security governance

The Audit & Risk Committee continues to maintain oversight on the cyber security governance structure, and has endorsed the CLP Group Cyber Security Strategy.

Integrating cyber security and defence into daily operations is essential.

As CLP's operations and value chain is increasingly digitalised, cyber security and defence have to be integrated and not treated as an add-on. This approach starts with a comprehensive governance framework, ensuring the effectiveness of existing and planned cyber security activities and investments.

One of the key responsibilities of the Audit & Risk Committee (ARC) is to assure that adequate risk management is in place and followed, and appropriate remedial actions are taken where needed. Cyber risk is considered as a top-tier risk for the CLP Group and is regularly assessed and reported to senior management through the risk management process. It is also embedded in all projects from the development phases to ensure cyber risks are considered at the early stages.

In 2018, CLP engaged external specialist cyber security consultants to review and make recommendations regarding CLP’s future governance structure to respond to the increasing threats. The key recommendations of that report were accepted by the ARC and Management team. In 2019, the ARC continued to monitor the implementation of these recommendations. The Committee was presented with a detailed analysis and a roadmap for the enhancement of the Group's mitigation measures against the potential threats identified. Most significantly, a CLP Group Cyber Security Strategy has been developed and endorsed. Greater collaboration between Group Internal Audit and the Group cyber security function and the development of a regular statistical cyber security report for the ARC are expected.

The Cyber Security team maintain management oversight of cyber security across the CLP Group . The centralised approach helps to ensure that best practices are consistently maintained across all operations.

Embedding cyber security practices

The CLP suite of cyber security policies and procedures guides the Company in protecting the information and systems, detecting anomalies early on and responding to any incidents to restore operations and services promptly.

The CLP portfolio is diversified across different countries in the Asia-Pacific. Nevertheless, they are all connected in cyber space. These connections are not necessarily through CLP's own systems but could also be through the systems of suppliers, customers, or even the personal devices of any stakeholders. It is therefore important to ensure sufficient cyber protection measures are in place consistently across all CLP business units, regardless of geographies.

CLP’s Information and Operational Technology Cyber Security policies and principles

In order to safeguard CLP’s information and operations in accordance with these principles, effective security controls, practices and procedures must be implemented by all CLP employees and related business partners at all level across the business. To ensure these technical needs support rather than hamper business needs, the Group Cyber Security team acts as a one-stop-shop in providing cyber security assessment and advisory to different Group functions before any new technologies are deployed. A standardised cyber security requirement has also been developed for vendors so that any procured or outsourced systems are compatible and consistent with those of CLP.

There is no perfect solution to protecting the business, given the rising sophistication and frequency of cyber-attacks and data breaches globally. Early detection coupled with effective response and recovery measures are essential.

The CLP Group Cyber Security Incident Response Process establishes a consistent response protocol upon detection of an incident. The process was tested in regular drills throughout the year.

Find out more about CLP security and cyber security policies and procedures

Protecting personal data

CLP continues to build a holistic approach to managing and protecting data through the implementation of a variety of processes, roles, controls and metrics.

Personal information is essential to CLP's day-to-day operations, helping it improve the services it provides. These include data from customers, employees (both current and former employees and prospective job applicants), contractors and service providers, in addition to data on business partners, shareholders, visitors and members of the public as they interact with the Company.

The CLP Privacy Principles set out the commitment to protecting personal data. There is also an accompanying CLP Personal Data Protection Compliance Manual that provides guidance to business units with operations in Hong Kong on what these principles mean in practice. Both of these documents are enhanced periodically to ensure they meet the latest regulatory requirements and continue to reflect the expectations of CLP stakeholders.

In 2019, the retail business of CLP Power Hong Kong had no customer data loss cases reported.

In March 2019, one of the Internet portals in Hong Kong was infiltrated. Although the impact was negligible, the incident highlighted the importance of bolstering the cyber resilience of all operations.

EnergyAustralia received notification from the Office of the Australian Information Commissioner (OAIC) in relation to three separate privacy complaints received during the 2019 calendar year¹. EnergyAustralia has provided the required updates to the OAIC and all three have been formally closed by the OAIC with no further action required to be taken by EnergyAustralia.

In addition, EnergyAustralia voluntarily reported eight separate instances of customer privacy breaches to the OAIC during the 2019 calendar year. One of these reported breaches has been formally closed by the OAIC and the Company awaits further instructions from the OAIC in relation to any actions required to be taken for the other seven breaches reported.

Building cyber defence capacity across the organisation

Upholding effective cyber security controls and procedures is the responsibilities of all staff. To this end, a range of awareness-raising activities were conducted throughout the year.

CLP is conscious that some areas of the business may be more vulnerable than others. As a consequence, the Group is investing significant time and resources in enhancing CLP’s internal cyber security capabilities. In 2018, CLP established a specialist team of cyber security professionals by training internal experts from electricity operations. This initiative will help embed cyber security practices into CLP day-to-day business. This year, the team had been further enhanced and empowered to maintain management oversight of cyber security across the CLP Group. CLP has appointed a new Senior Director – Group Information Security to oversee the Group’s cyber security strategy. CLP will also continue to increase the recruitment of information security experts to add to Group capacity.

A range of awareness-raising activities were conducted for employees throughout the year, including phishing drills, distribution of a regular publication, CyberNews, road shows on OT security across Group offices, and the hosting of Cyber Security Awareness Month during October 2019 in Hong Kong.

In light of the new mandatory data breach reporting obligations legislated under the Australian Privacy Act 1988 (Privacy Act), EnergyAustralia underwent an internal risk assessment to understand its ability to comply. Company-wide communications, employee training and briefing sessions with leadership were conducted to ensure all staff had current privacy and data management training. In addition, a Data Breach Response Plan was implemented, which included the establishment of a Data Breach Response Team to ensure the business has the capability and procedures in place to respond swiftly. The Plan aims to instil a heightened vigilance in CLP staff in relation to potential data breaches, whether in their work or in their personal lives.

Harnessing the power of technology Building an agile, inclusive and sustainable workforce