In the past decade, cyber risk has moved from a fringe concern to a strategic threat, which the Australian Institute of Company Directors (AICD) now reports as one of the top risks on the minds of boards [3].
For energy and other critical infrastructure sectors, a catastrophic cyber incident could have a material societal impact. In one major ransomware incident where Deloitte was called in for support, it took over four weeks to restore core IT systems (e.g. asset management, maintenance, spares inventory), which started to present challenges to the continued operation of generating assets within their licence conditions, illustrating the nuanced dependencies between core IT systems and operational processes.
For the energy sector, cyber threats primarily arise from:
- Criminal groups with a particular focus on ransomware-based campaigns that can cause unplanned downtime in energy organisations and infrastructure such as pipelines – primarily as leverage to obtain financial gain.
- Nation states actively pursuing cyber initiatives for financial gain or as part of a multidimensional response to geopolitical tension, including hybridised strategies in which cyber vulnerabilities may be created or used in conjunction with, or in preparation for, more conventional aggression [4].
One of the most difficult aspects of managing nation state risk is the insidiousness or indirectness of the hazard, combined with the level of capability involved. Nation states have focused on infiltrating the technology stacks and supply chains of industrials in a manner that is covert and latent by design. The widely reported SolarWinds and Log4j incidents illustrate two variants of this. In the SolarWinds case, attackers linked to a nation state [5] deliberately inserted malicious code into the build of a widely used product, which was then distributed to customers through legitimate software updates. Log4Shell, by contrast, was a vulnerability in the open-source Log4j logging library rather than a deliberate compromise of its code base; it was exploited at scale, including by nation state actors, because the library was embedded in software across the industry, often without the organisations using it being aware of its presence. In both cases the organisations affected were reached through software they had not written and, in many cases, had not inventoried.
In the energy sector, it is common for Australian organisations to use non-sovereign technologies for generation, transmission, firming and distribution assets. These typically require remote services, diagnostics and support, which sometimes involves direct offshore access by suppliers to core systems. That supplier access path becomes part of the organisation's attack surface whether or not it appears in the organisation's own asset inventory, and threat actors have responded by targeting organisations through their common suppliers.
The targeting of these suppliers is now clearly recognised by regulators as a potential attack path for accessing core infrastructure and, in our experience, presents a systemic risk to industry. As an illustration, it was noted as a key factor in the withdrawal of cyber insurance covering nation state attacks at policy renewals in 2023 [6]. Boards of energy organisations now face the question of how they must reasonably act to identify and mitigate risks that an insurer is no longer prepared to cover.