CLP Sustainability Report 2020 / Material topics / Reinforcing cyber resilience and data protection

Reinforcing cyber resilience and data protection

Year in review

The electric utility sector is particularly vulnerable to cyber threats and the wide adoption of digital technology raises additional concerns around data privacy. The COVID-19 pandemic further compounded such challenges with remote working becoming commonplace, creating additional channels for cyber attacks.

As CLP transforms into a Utility of the Future, the Group previously recognised the critical need to reinforce its cyber resilience. It is focused on developing its security risk management strategy to deliver holistic, coordinated protection to the Group’s operations, and to apply new leading techniques and technologies as appropriate. Integrating the management of cyber security and physical security into a single organisation, CLP Group Security further strengthened its capability, reach and responsiveness.

Appointments of senior global subject matter experts in the past year have strengthened CLP’s cyber security planning and organisational capabilities, allowing the Group to implement an integrated, joined-up approach to counter rapidly evolving threats across its assets in the Asia-Pacific region.

This has been a record year for cyber attacks on industries across the globe and CLP monitors and investigates all suspicious incidents that are relevant to its operations. CLP has reinforced its preparations for any increase in cyber activity against its corporate infrastructure, and is poised to respond to any change in its threat landscape. In addition to the monitoring of live cyber threats, the Group continues to enhance its security assurance capabilities so that it can quickly identify any potential cyber risks to the Group’s business and operational processes, thereby seeking to mitigate these risks in concert with the relevant business functions. Comprehensive security awareness and training programmes were delivered throughout the year, thus building a cyber risk-aware culture and encouraging staff to play their part in protecting the Group’s physical and digital assets.

Key metrics - Reinforcing cyber resilience and data protection


Given its prominence as a provider of energy infrastructure and the technology-dependent nature of the electric utility sector, CLP's vulnerabilities to cyber risks are likely to remain. A structured approach to prevention, detection, reaction and enabling will help CLP continue to effectively manage and reduce cyber risks.

A 2020 McKinsey report highlighted the nature of cyber risks faced by electric utility companies. The report points out that increasing numbers of cyber threat actors find utilities to be an attractive target. Cyber criminals have been known to try holding utility companies to ransom, using a variety of cyber techniques to disrupt energy supply. Similarly, “hacktivists” have been using such attacks to raise the profile of the special causes they are advocating.

Since any disruption to a power supply can have widespread and high-profile consequences, the report finds that nation states will naturally be attracted to cyber attack capabilities that offer them deterrence or retaliatory options.

The security situation for the majority of electric utility companies is exacerbated because energy assets are geographically dispersed across many sites, and maintaining cyber visibility across both information technology and operational technology systems can be very challenging. CLP’s further expansion into distributed renewable energy will mean that this trend will only increase due to the broad footprint necessary to support these generation systems. The greater adoption of decentralised generation, feed-in-tariffs and other consumer-facing devices, especially those that are beyond the ownership and therefore control of the Company, has the potential to increase CLP’s vulnerability and weaken the overall security of its energy system if not managed appropriately.

In 2021, CLP Group Security will further implement effective controls and supporting policies to help all regions apply robust cyber defence measures. A major review of cyber intelligence and security awareness resources will help the team understand where continual improvements and enhancements can be made. Opportunities will also be taken to improve cyber-culture and employee behaviours, and to further expand cyber intelligence assessment and reporting.

Several other influential cyber improvement projects have also been approved, including: real-time vulnerability scanning, automated threat hunting, deployment of a single CLP-wide zero-trust solution, further enhancement of the cyber detection toolset and initiatives related to compliance with the regulatory rules in EnergyAustralia. Further recruitment is also planned to enhance the specialist and deeply technical capabilities of the team.


CLP has enhanced its cyber security governance, built internal capacity in the area and improved its information protection.
