Endeavour Energy to build a cyber defence and response centre


Endeavour Energy is set to build a cyber defence and response centre to continuously detect and remediate sophisticated attacks against its electricity and IT infrastructure, one of 21 security-related projects to be delivered in the next five years.



Gijo Varghese (Image credit: Endeavour Energy/Facebook)

Speaking to the iTnews Podcast, information security manager Gijo Varghese said the centre would act as a “single environment” covering information technology and operational technology.


“At its core is the engineering network and then we’ll expand out into our IT environment,” Varghese said.

“That’s a very interesting journey that we will go through, which will help us detect sophisticated attacks in our grids.”

IT-OT integration is not new to Endeavour: Varghese’s team of “around 25-to-30 people” already operates across both the IT and OT domains.

Integrated security excellence is also one of the key goals of Endeavour Energy’s current five-year cyber security strategy, which runs until FY29.

“Essentially our cyber security strategy has three main goals that we want to achieve. The first goal is that we want to embed cyber safety so we can reduce the attack surface across people, process and technology as we move into clean energy transition,” Varghese said.

With energy flows increasingly bi-directional – between Endeavour and customers with rooftop solar – the company is prioritising the security of that connectivity.

“The second goal of our cyber security strategy is to better detect and respond to sophisticated cyber attacks. We know that attacks [volumes] are going to be consistent, if not increase, and we want to be ready for those,” Varghese said.

“The third goal is more of an excellence objective, which is to be certified to ISO 27001 across IT-OT and [meet] the Australian Energy Sector Cyber Security Framework (AESCSF) requirements.”

Endeavour Energy took a big step towards that third goal by achieving ISO 27001:2022 certification at the end of last year.

This was the culmination of years of work that began in 2016 with Endeavour’s first cyber security strategy, predating the 2022 version of the ISO standard.

“A lot of the industrial networks still struggle with disparate understanding and security objectives across IT and OT,” Varghese said.

“We saw the value of progressing that alignment through [ISO certification].”

The formal process to prepare and certify took about 18 months to complete.

Endeavour worked with CyberCX, with the actual certification performed by a third-party assessor.

The certification covers security for “20 physical locations, [including] 16 substations” along with control rooms, a data centre and a training facility.

Varghese highlighted three key outcomes from the ISO certification, including firstly that it has underpinned the establishment of “a continuous improvement mindset” with respect to security at Endeavour.

“We now have a process to identify risks and gaps in the environment, document them and then put a plan in place and track them,” he said.

“A continuous improvement register has been established. We have that across all portfolios of our technology operations and there is transparency in really understanding what our roadmap is.”

A second related outcome is “deeper understanding of the operational technology network, its interdependencies and the cyber risks associated with it, because we now have a documented risk register that we are managing and maintaining.”

Third, Varghese pointed to “significantly improved … third-party vendor management” after going through the certification process.

“We have vendors who manage our critical infrastructure components as well, and now we really understand what are our dependencies on third-parties? Who are these third parties? What access level do they have, and how do they use them in case there is a cyber attack?”

Varghese added that ISO certification has played an additional “vital role” in helping Endeavour Energy to meet some of its Security of Critical Infrastructure (SoCI) obligations.

“SoCI mandates every critical infrastructure organisation to build a critical infrastructure risk management plan (CIRMP).

“For this particular SoCI requirement, we were able to leverage the ISO 27001 standard and therefore enhance our cyber security posture.

“In addition, SoCI doesn’t just look at cyber – it looks for all hazards across security, which includes personnel, physical, environmental and supply chain.

“ISO 27001 is holistic in also looking at those elements.”

Key achievements in FY24

Outside of ISO 27001:2022 certification, Varghese highlighted three other initiatives – of a total of eight run during the financial year – that had also been impactful from a cyber security perspective.

One of these initiatives improved network visibility for the OT environment; another involved running a multi-phase cyber incident response exercise; while a third initiative saw a continuous adversary simulation exercise implemented.

The multi-phase exercise “not only looked at testing our functional capability to respond to a cyber attack, but also we tested our executive leadership team and board of directors on how their decision-making processes would progress during a cyber attack.”

“That was a pretty interesting activity and we will continue to do that to strengthen our incident response plan,” Varghese said.

The simulation exercise, meanwhile, was a purple-teaming initiative for the OT environment and substations.


