How Jemena is preparing for Australia’s coming critical infrastructure cybersecurity obligations

The transition from voluntary best practice to auditable government requirement may expose gaps in critical infrastructure operators’ risk management.


Like most Australian utilities, energy giant Jemena—which owns and operates more than $11 billion worth of gas and electricity assets for more than 1.4 million customers across Victoria, New South Wales, and the east coast of the country—has been keenly watching the evolution of significant new legislation that will impose new cybersecurity obligations on critical infrastructure operators in 11 key industries.

While the details aren’t yet written in law, David Worthington knows enough about the new obligations that he has been working with business leaders ever since the Security of Critical Infrastructure (SOCI) Act was passed in 2018 and its Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in December 2020. Worthington is the general manager for digital security and risk at Jemena.

Many of the proposed changes were reminiscent of the guidelines already embodied in the Australian Energy Sector Cyber Security Framework (AESCSF), whose development as a private-public partnership was overseen by industry regulator AEMO. AESCSF borrows heavily from existing cybersecurity guidelines, including the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2), the NIST Cyber Security Framework (CSF), the Australian Cyber Security Centre (ACSC) Essential Eight, and the Australian Privacy Principles.

How Jemena is preparing for the new cybersecurity standards

Worthington’s team has been actively engaging with Jemena’s executive and board to raise awareness of the significant change in cybersecurity obligations, he told attendees of a recent Splunk webinar. “The energy sector overall has been prepping for this for quite some time. … It has gone well, and we have a good idea of what we need to do and where we’re at.”
