At CLP, one of the key responsibilities of the Board Audit & Risk Committee (ARC) is to seek assurance that adequate risk management is in place and followed, and that appropriate remedial action is taken where needed. Cyber security continues to be one of CLP's top-tier risks and is regularly assessed and reported to senior management through the risk management process.

In 2019, the ARC reviewed an analysis and road map for the enhancement of the Group’s mitigation measures against potential threats. Closer collaboration between Group Internal Audit and the Group cyber security function was recommended. Following these recommendations, an integrated single Group Security function was established in early 2020, with the mission to bring together existing capabilities into one integrated team in order to ensure CLP secures its assets to a level commensurate with the level of cyber and physical risk. 

Drawing on security professionals from across the Company and recruiting from wider industry, the Group Security team delivers a holistic and complementary security service to CLP by offering physical, personnel and cyber security capability and expertise. This team is led by the Senior Director – Group Security who reports directly to the Group Chief Operating Officer.

The integration of cyber security and defence into daily operations is central to operational resilience.

The fundamental – often highly effective – form of security is physical security, which maintains the integrity of sensitive locations such as data centres, control rooms or transmission and distribution sites. Safeguarding physical assets and company personnel embraces a range of activities including the provision of professional physical and personnel security advice for staff business travel, for CLP’s operating sites (in particular its critical assets), as well as auditing all potential projects and acquisitions from a security and social impact perspective. It also includes maintaining, delivering and improving the Group’s crisis management capability.

With the COVID-19 pandemic generating a drive towards large-scale remote working, the resulting technological changes have presented criminality and nation state actors with an unprecedented opportunity to exploit the situation. With so many communication, business and personal interactions moving online, cyber attacks have increased to levels previously unseen. They have involved: malware, where malicious software is secretly installed in systems; data theft, which is then ransomed; or denial of service.

No industry sector has been immune and there is every indication that this trend will continue to surge upwards, with potentially huge financial rewards for cyber criminals and further consequential costs to businesses as they try to operate in spite of attack, repair reputational damage, pay regulatory fines and upgrade their infrastructure and procedures, all while still facing the challenges of COVID-19.

CLP recognises the critical need to continually adapt and enhance its security posture to defend its operations against a complex and dynamic threat spectrum. Insight into the capability and intent of cyber attackers will help CLP develop situational awareness and give direction on what measures need to be taken to mitigate associated risks. Moreover, since prevention is better – and more economical – than cure, bringing focus to cyber security awareness, training and education will help prepare employees practise good “cyber hygiene”.

The Group has been developing its cyber intelligence and security awareness capability throughout the year. There has been an enhanced understanding of threat actors and their techniques, ensuring that the business gets the option to prioritise software patching or introduce other mitigation measures in a timely and effective manner. Security awareness activities at the employee level have included: simulated phishing emails, internal broadcast campaigns, briefings, videos and a popular cyber gamified competition.

The Group Crisis Management Plan is in place to help respond to emergencies and crises that may cause business disruptions. The plan is continually reviewed and enhanced to ensure it is in line with operational changes or the broader operating context.

Cyber security incidents are unique in that the attack occurs in a virtual space and may not cause immediate disruption, as in the case of data leaks, making them difficult to detect or trace. CLP continually monitors its IT systems and networks and seeks out threats to its Operational Technology (OT), which controls plant machinery and environmental systems. If suspicious activity is detected anywhere in the vicinity of approaching the IT or OT network environments, immediate actions are taken to investigate it and, if necessary, isolate the threat and lead the recovery action. State of the art detection and remediation systems have been employed, supplemented by constant research on threat types to support both IT and OT professionals to secure CLP systems.

As the first line of defence, when an incident arises the Incident Management Process (featured below), found in the Group Crisis Management Plan, is followed.

Setting the standard and having relevant and consistent policies is necessary to provide CLP project managers with a cyber reference point. Building from a strong established foundation, the Group is consolidating the associated policies and standards and has established a professional security architecture to support all corporate regions and entities.

Since it is more effective (and considerably cheaper) to incorporate security into the design of new projects than to add such measures as an afterthought, a dedicated team was set up to provide internal cyber consultancy services to guide departments from across the Group on how to adopt good cyber practice for their systems. For instance, as cloud-based applications are becoming more common, cloud security principles have been established to ensure that externally hosted services meet the security standards that CLP demands. The cloud architecture process provides a simple and clear checklist to help CLP’s service providers to understand the cyber security expectations of the Company.

With the policies and systems in place, an independent team within the Group Security Department helps verify that these measures are followed consistently and that associated cyber security risks are suitably mitigated. The department’s evidence-based reporting provides an important feedback loop that enables the Company to pursue continuous improvement. In addition, the team helps project managers and business leaders understand cyber security risks in the context of CLP’s business, and offers guidance on risk mitigation strategies.

Throughout 2020, the analysis of IT and OT risks has continued to improve, and the company now has a cross-regional picture of the cyber health of its critical and unique assets.

Electric utilities have access to a large amount of customer information, such as billing and itemised usage data. In addition to customer information, the term “personal data” includes information about: employees, both current and former employees and prospective job applicants; contractors and service providers; as well as business partners, shareholders, visitors and members of the public as they interact with the Company.

The CLP Privacy Principles set out the Company’s commitment and approach to protecting personal data. The accompanying CLP Personal Data Protection Compliance Manual provides guidance to business units with operations in Hong Kong on what these principles mean in practice. Both documents are updated periodically to ensure they meet the latest regulatory requirements and continue to reflect the expectations of CLP stakeholders.

Whilst the retail business of CLP Power Hong Kong had no customer data loss cases reported in 2020, the Company did become aware that a party was fraudulently using CLP’s name (among others) in email correspondence with some of its service providers. Fortunately, this was quickly detected, and the incident was reported to the Cyber Security Team in accordance with the established cyber security incident reporting process. In line with CLP’s commitment to protecting personal data, the Company quickly informed its service providers, other companies also targeted by the scam, as well as the general public in case of any further attempts. The notice to the public also provided advice on how people can verify any correspondence from CLP if they are uncertain as to its authenticity. 

EnergyAustralia reported to the Office of the Australian Information Commissioner (OAIC) nine privacy breaches in relation to customer personal information during the 2020 calendar year, in accordance with its mandatory reporting obligations under the Australian Privacy Act 1988. The breaches did not result in any penalty or sanction. EnergyAustralia has investigated the causes of the breaches and identified additional controls to prevent recurrence. This includes additional password protections for customers before accessing accounts and account information.

A key focus to further reinforce rules to protect customer information was on the prevention of unauthorised disclosures to malicious attackers or impersonators. Specific awareness activities, including communications, quality assurance assessment, coaching and additional training for front line staff, were carried out. Company-wide communications, employee training and briefing sessions with leadership were also conducted to ensure all staff understand current privacy and data management obligations. A Data Breach Response Plan is also in place, which establishes a Data Breach Response Team to ensure the business has the capability and procedures in place to respond swiftly to such incidents.