Safeguarding cyber security
Like other utilities around the world, we are facing increasing security risks as assets are becoming smarter and more connected. In addition, more personal information is being stored on electronic devices and online. In 2015, a power grid in Ukraine was crippled by a malware attack, causing blackout in over 100 cities in the area. Similar attacks have happened although few have drawn public attention, hence ensuring cyber security becomes a priority.
Awareness of cyber risks and readiness against cyber-attacks are critical for infrastructures such as power grids and generation plants. The physical asset that generates and delivers energy to our communities depends increasingly on the security of the operational technology that supports it. Any disruption to that technology poses a significant threat to our operations. To maintain CLP’s cyber resilience, we continue to build our operational technology security programme and policy, as controls currently applied in information security might not be practically applicable to operational technology. Embedding a strong cyber safe culture across our daily business operations works towards a secure and sustainable future for Hong Kong.
We have continued our focus on the most significant risks of network intrusion resulting in disruption of energy supply, and potential theft of sensitive data leading to regulatory breaches (e.g. data privacy law) and brand impact. At the staff level, we also place strong emphasis on targeted attack emails or fraud emails against CLP, some of which relate to cyber-criminal fraud, and others could cause infection of CLP’s computers. Examples of how we enhance cyber security includes:
- Raising staff awareness through cyber security programmes. Since 2014, we have been holding the annual cybersecurity awareness campaigns across all regions;
- Applying different technologies to manage network perimeter defense, data loss, cyberspoofing, distributed denial of service attack, mobile devices and monitor suspicious cyber activities with regular testing and verification of controls by third parties; and
- Ensuring segregation between CLP’s IT network and any asset information systems.
As the technology - on both the attack and defense sides – is highly specialised and is advancing rapidly, we need to look up and look out to ensure we are abreast of the latest developments. This is where we highly value the power of partnership and collaboration to learn from our peers as well as experts in the field.
Given the “clear and present” threats of cyberattacks, the proper risk management approach is no longer just about how we keep cyber criminals out, but also how we know when our assets or systems are compromised, and how we recover in the shortest time possible with the smallest impact.
In 2017, we have been working to establish a threat detection capability for our industrial control systems. Meanwhile, we have made progress in establishing a brand monitoring and protection service at the Group level including digitally managed online asset protection.