Bridge over troubled data: confronting cyber threats hiding in Australia’s utilities sector

By Nathan Gower, Director of Australia and New Zealand at Boomi

As inhabitants of The Lucky Country, Australians have come to expect certain things. Turn on breakfast TV and you’ll see David Koch. Head to KFC and you’re guaranteed a Zinger with all the trimmings. Turn on a tap, flick a switch, and you’ll have a glass of water and a room full of light.

Well, ‘Kochie’ has retired, chicken lovers recently swapped lettuce for cabbage during a shortage, and the safety and availability of water and power is coming increasingly under threat.

In its most recent annual report, the Australian Cyber Security Centre (ACSC) warned that Australia’s critical infrastructure, of which utilities is a part, is increasingly being targeted by malicious actors. This supports the Australian Signals Directorate (ASD) finding that, last year, electricity broke into the top 10 most attacked industries for the first time.

Both AGL and EnergyAustralia have experienced cyber-attacks, placing customer information in jeopardy.

The reputational, operational, and compliance implications for businesses can be crippling if cybersecurity risks are not addressed. But concerns should not be limited to incoming threats—decision makers also need to be aware of internal threats.

According to the Office of the Australian Information Commissioner (OAIC), 70% of data breaches in the second half of 2022 were the result of external threat actors. Another 25% of activity in this period came down to internal threats.

Barriers to protect from attacks should also be supplemented with measures to correctly manage and govern data to avoid potential leaks or misuse of information from the inside. This is the side of cybersecurity that is too often forgotten—a framework that ensures data doesn’t inadvertently go astray.

The key to it is visibility. Providers need to understand what’s happening to their data, who has access to it, where it is stored, and how it’s being shared.

Missing piece in the data protection puzzle

Given utilities companies are entwined with our lives, any disruption to their services provides immense bargaining power to those capitalising on missteps in their protective frameworks.

But what on the providers’ side is leaving them open to such an attack? When utilities infrastructure and technology were initially set up, this wasn’t necessarily done with data protection in mind.

On the other hand, the utilities sector has undergone rapid digitisation, with new forms of decentralised technologies, such as virtual power plants, smart grid infrastructure and remote monitoring devices sprouting up to make processes more efficient.

While the benefits are evident, this has also increased the surface for attack and added complexity to providers’ technology environments. With so much more data being generated, it’s much easier for sensitive or business critical information to end up where it shouldn’t be, or even in the wrong hands.

Here we arrive at the side of cybersecurity too often forgotten – the management and oversight of data.

In a hypothetical scenario, a utilities company could be storing mounds of unchecked and unused data on its systems. This is a very real risk, with an IDC report finding 68 per cent of an organisation’s data goes untapped or wasted – that is two-thirds of data going unleveraged and unaccounted for.

A hacker could gain entry to the company through a historical set of user credentials, for example, siloed and hiding on a legacy system. Once inside, they could move laterally through the system and gain control over the processes managing electricity generation and water distribution.

And all of this started with a small amount of ungoverned data.

To minimise the risk of a data leak or breach, utilities companies must ensure the enormous volumes of data flowing through their waterways, electrical lines, and backend systems are visible, accessed and used safely, and handled in compliance with national, international, and industry-specific regulations pertaining to data protection, such as the Notifiable Data Breach scheme.

Ultimately, the sector needs all the posture it can get to protect against leaks and misuse of critical information, even from well-intentioned stakeholders.

Cyber capabilities are a nation-wide endeavour, and with a more comprehensive framework we can put our best defensive foot forward. In addition to cybersecurity measures in place, the importance of managing data cannot be overlooked when it comes to thwarting intentional threats or unintentional leaks.

If they don’t, a lot more than our comfort and hydration are at stake.
