How Jemena is preparing for Australia’s coming critical infrastructure cybersecurity obligations

Like most Australian utilities, energy giant Jemena —which owns and operates more than $11 billion worth of gas and electricity assets for more than 1.4 million customers across Victoria, New South Wales, and the east coast of the country—has been keenly watching the evolution of significant new legislation that will impose new cybersecurity obligations on critical infrastructure operators in 11 key industries.

While the details aren’t yet written in law, David Worthington knows enough about the new obligations that he has been working with business leaders ever since the Security of Critical Infrastructure (SOCI) Act was passed in 2018 and its Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in December 2020. Worthington is the general manager for digital security and risk at Jemena.

Many of the proposed changes were reminiscent of the guidelines already embodied in the Australian Energy Sector Cyber Security Framework (AESCSF), whose development as a private-public partnership was overseen by industry regulator AEMO. AESCSF borrows heavily from existing cybersecurity guidelines, including the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2), the NIST Cyber Security Framework (CSF), the Australian Cyber Security Centre (ACSC) Essential Eight, and the Australian Privacy Principles.

How Jemena is preparing for the new cybersecurity standards

Worthington’s team has been actively engaging with Jemena’s executive and board to raise awareness of the significant change in cybersecurity obligations, he told attendees of a recent Splunk webinar. “The energy sector overall has been prepping for this for quite some time. … It has gone well, and we have a good idea of what we need to do and where we’re at.”

While “by and large I think this is a positive step for the industry in terms of cybersecurity,” Worthington said, “in businesses that are quite lean [like utilities], across the whole business, it takes a lot of planning and a lot of time.”

In practical terms, he said, that has so far meant working with a “coalition of the willing”, which includes general managers across all impacted areas of the business who are working together on a “very high-level program of work” that includes intensive training of executives around cybersecurity, physical security, and other related issues.

“We are working through it slowly,” Worthington said, “but one of the key things that we’re looking at is working with the executive and the board around getting them to understand what the changes are, and what we need to do to address them.”

Board education has been a major issue for CISOs across Australia and New Zealand, with competing priorities and sometimes-sketchy grasp of cybersecurity concepts making it hard to get enough funding to drive major change.

Building on Jemena’s work to date implementing AESCSF—which has so far been voluntary and self-assessed, but is likely to become a mandatory compliance framework once the SOCI amendments and industry-led, co-designed standards take effect—the company is setting up the working groups and governance committees that will be necessary to support the likely new obligations.

Many of the “practically no- or low-cost” organisational adjustments simply accelerate many changes that were already on the cards, or add new urgency to ongoing work that is already in play. For example, escalating governance forums that are “three or four levels down from the executive”, Worthington said.

“We need [executive] support on moving forward on this, and they have a good understanding of risk management,” he added, “and risk and governance are really at the heart of what we need to do here. But subject matter expertise in these areas is going to be required.”

Australia is moving fast to protect critical infrastructure

The ongoing work inside Jemena is undoubtedly being replicated to some degree in every Australian utility company, after SOCI’s original passage in 2018 put them on notice to improve their cybersecurity operations in light of an increasing cybersecurity threat against critical infrastructure operators.

Yet the continuous evolution of the SOCI amendments has kept industry watching and waiting—most recently, through a Parliamentary Joint Committee on Intelligence and Security (PJCIS) report that recommended the legislation be split to fast-track new powers deemed urgently necessary to counter the “serious, considerable, and increasing” threat of “cyber-enabled attack and manipulation of critical infrastructure assets”.

That recommendation came in the wake of ongoing concern from many industry sectors, which have expressed concerns around issues such as potential liability for cybersecurity breaches and the implications of a mooted obligation to report potential compromises within 12 hours.

Fast-tracking the most urgent elements of the SOCI amendments will likely see them pushed through Parliament before it rises for the year on 2 December 2021. But the bulk of the work around the bill will bleed into 2022 as widespread industry interest drives complex ongoing discussions—the enquiry has already met with more than 1,000 individuals and received 129 submissions regarding its Exposure Draft.

That leaves Jemena and other operators in what Worthington termed a “hurry-up-and-wait situation”, although he heralded constrained availability of resources as a key challenge over the next 12 months. “I don’t have any great answers for this,” Worthington said, noting that even though many firms are tapping consulting businesses for the necessary skills “I don’t think that’s going to be an unlimited resource either.”

Those constraints may present challenges for companies that have so far adopted AESCSF as a best-practices guideline but may not have yet implemented controls at a level that would survive an audit.

“We’ve operationalised a lot of the things we’ve done in AESCSF,” Worthington said, “but have we done this in a way that is auditable? My gut feeling is that we’re going to be way off in a number of areas, and we’ll have go to back and reengineer some of the processes we’ve already got in place to make a more auditable and workable solution.”

Yet for all its potential requirements around new governance, the plodding progress of the SOCI amendments to date has left many executives comfortable that they still have time to spare.

Worthington is well aware that the perception of extra time may allow other business priorities to creep into the discussion, noting that “our priorities today are a bit different to what they will be when we have a deadline to meet. The challenge through this is going to be not just being compliant, but also being effective in managing the business side of risk for the long term,” he said. “There are always some people who feel that if you’re doing compliance you only do the minimum, and that’s enough—but as a lot of us have seen, in the cybersecurity space, that’s a mindset that has had some pretty dramatic results over the past years.”

Worthington added,“I’m not that excited about ticking compliance boxes. I’m not just planning to implement the rules, but to really use this as [a guide to] continue to manage the risk in the business in the future. Ultimately, that’s what the act is trying to do, rather than compliance.”

A different standard of risk governance for critical infrastructure

That degree of risk governance, technology lawyer Patrick Fair said, will become a key part of the new obligations on operators of critical infrastructure that will include data storage or processing facilities, higher education and research, and healthcare and medical.

“This is not like mandatory data breach reporting, where there’s a ‘serious harm’ test and it only involves the disclosure of personal information,” he said. “This is about cyber incidents that might have a relevant impact on your asset, defined to include the performance and availability of that asset.”

Under the SOCI amendments as currently posited, annual reporting obligations will force boards of critical infrastructure operators to sign off on their risk-management program, including reporting of any hazards that occurred during the year and an internal audit of the risk-management program. “This is designed to keep you focussed on the additional security obligations,” Fair said.