Given its prominence as a provider of energy infrastructure and the technology-dependent nature of the electric utility sector, CLP's vulnerabilities to cyber risks are likely to remain. A structured approach to prevention, detection, reaction and enabling will help CLP continue to effectively manage and reduce cyber risks.
A 2020 McKinsey report highlighted the nature of cyber risks faced by electric utility companies. The report points out that increasing numbers of cyber threat actors find utilities to be an attractive target. Cyber criminals have been known to try holding utility companies to ransom using a variety of cyber techniques to disrupt energy supply. Similarly, “hacktivists” have been using such attacks to raise the profile of the special causes they are advocating.
Since any disruption to a power supply can have widespread and high-profile consequences, the report finds that nation states will naturally be attracted to cyber attack capabilities that offer them deterrence or retaliatory options.
The security situation for the majority of electric utility companies is exacerbated because energy assets are geographically dispersed across many sites, and maintaining cyber visibility across both information technology and operational technology systems can be very challenging. CLP’s further expansion into distributed renewable energy will mean that this trend will only increase due to the broad footprint necessary to support these generation systems. The greater adoption of decentralised generation, feed-in-tariffs and other consumer-facing devices, especially those that are beyond the ownership and therefore control of the Company, has the potential to increase CLP’s vulnerability and weaken the overall security of its energy system if not managed appropriately.
In 2021, CLP Group Security will further implement effective controls and supporting policies to help all regions apply robust cyber defence measures. A major review of cyber intelligence and security awareness resources will help the team understand where continual improvements and enhancements can be made. Opportunities will also be taken to improve cyber-culture and employee behaviours, and to further expand cyber intelligence assessment and reporting.
Several other influential cyber improvement projects have also been approved, including: real-time vulnerability scanning, automated threat hunting, deployment of a single CLP-wide zero-trust solution, further enhancement of the cyber detection toolset and initiatives related to compliance with the regulatory rules in EnergyAustralia. Further recruitment is also planned to enhance the specialist and deeply technical capabilities of the team.