SA Power Networks is working through a five-year cyber security strategy that it intends to review and update annually.
Image credit: SA Power Networks
Speaking to the iTnews Podcast, head of cyber security and IT resilience Nathan Morelli said that this year is the first time the organisation has carved cyber security details out of a regulatory document prepared every five years, into its own standalone cyber security strategy.
Australian utilities must prepare a detailed business plan for approval by the Australian Energy Regulator (AER) every five years.
The plan typically contains details of proposed technology spending, but it is not easy to find or to read.
“The 80-odd pages in the detailed business case doesn’t present well externally [to the public and also] doesn’t give our team something to hold on to and say ‘I’m a part of this journey. This is what we’re doing, this is the roadmap for it, and this is why’,” Morelli said.
That belied the effort that went into producing the five-year business case for cyber security at SA Power Networks, spanning 2025 to 2030.
“It’s one of the most detailed justifications of funding in cyber security I’ve ever seen,” Morelli said.
“You go through a very detailed process, you get economists involved, there’s a lot to it.
“We didn’t want to waste that [effort].”
The result is the first publicly and internally accessible, standalone cyber security strategy document.
SA Power Networks already publicly publishes an annual review of its cyber security work, which Morelli said was well received.
“We’ve gotten a lot of positive feedback on the annual reports, and it’s something that really helped our team have a role to play in the cyber security community,” he said.
“We want the same [to happen] with the strategy.”
“The strategy is all public information because it’s based on that reset business case… but why not [also] make it a really presentable document at the same time?
“We [also] want to do the yearly update to it as well so people can see how it’s evolved, and how we’ve had to change it as well.”
Weeks after the inaugural cyber security strategy was published, Morelli indicated that the order of work outlined in the strategy would need to be “adjusted” due to changes in risk profiles and threats.
“We’re already at this point in time now, where if we had our time again, there would be a different ordering in the roadmap,” he said.
“We’re already adjusting that roadmap. [But] we [also] want to be able to go back out in a year’s time and adjust it.”
Similarities and differences
In the prior five-year period, the focus of cyber security was around insourcing the security operations centre (SOC) and rebuilding internal capability after a prior trend to outsource.
The period was also characterised by standing up endpoint detection and response and managed detection and response (EDR/MDR), by enabling behavioural analysis capabilities in security information and event management (SIEM) tooling, and by a greater focus on identity and access management.
Some of that carries through to the new cyber security strategy, while other strategic pillars are newer.
Identity and access, for example, is “really up front in the next five years of strategy work,” Morelli said.
Internal capability also continues to be a key area of focus.
“Having great, well-trained people that are well-exercised is always important,” Morelli said. “It was important in the last five years and will be important in the next five.”
An example of a newer focus area is on securing cloud-based networking and the network edge.
“We didn’t really have the maturity as an organisation in the last five years to think about SASE [secure access service edge] and cloud-based networking,” Morelli said.
“It’s something we’re really focused on now and [will be] focused on in the next two years to deliver that really well – making sure we’re integrating that into processes, and that people are getting a really good productivity outcome, but they’re doing it in a really secure manner.”
IAM priorities
Two of 12 key initiatives outlined in the cyber security strategy for 2025-2030 focus on identity: enhancing identity and access controls, and identity management. Already, the timeline for this work has been moved forward, compared to the dates in the strategy, reflecting the rapidly evolving threat landscape.
“We’ve got about 12-to-18 months of identity work that we’d planned to do but had originally pushed into the second half of the strategy. We’re now bringing it way forward,” Morelli said. “We’ve got to shuffle initiatives around based upon incidents and what we’re seeing.”
In the previous five-year period, SA Power Networks – among other activities – embedded identity as a core capability of its cyber security function. “We integrated and embedded that capability into the team,” Morelli said.
The company’s identity infrastructure comprises SailPoint Technologies, Ping Identity and Microsoft Active Directory (AD), although Morelli said AD administration is highly automated. “We try to automate as much of the role allocation and role governance process as we can.”
Among the work, SA Power Networks is looking to “decentralise a lot of access management” to system and data owners, considering them to be best placed to understand who needs what level of access. Cyber security would maintain a governance and education role in that model.
Cloud security
A key action item in the cyber security strategy also relates to cloud security. Specifically, the company will “implement a cloud security platform to enable the identification of vulnerabilities and misconfigurations specific to the cloud environment, such as unprotected storage, and to minimise the chances of attackers exploiting these cloud-related risks.”
It’s only in the past 12-to-18 months that SA Power Networks has “started doing its own in-house proper modern developments” to run in the cloud, Morelli said.
It is now looking to ‘shift left’ some security responsibilities to software developers, rather than rely on the security team identifying concerns later in the development cycle.
SA Power Networks has drawn up some DevSecOps principles for development teams to follow, supported by a combination of guardrails incorporated into CI/CD tooling and new-found visibility into its cloud services courtesy of a recent adoption of Wiz software.
At the same time, it is looking to move into the infrastructure-as-code (IaC) space to embed security and secure thinking into the way cloud services are stood up and scaled according to need.
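As an added illustration of the kind of CI/CD guardrail described above (example code, not SA Power Networks’ tooling), the following pre-deploy check reads a Terraform plan in JSON syntax and blocks the “unprotected storage” misconfiguration the strategy names. Attribute names and defaults follow the azurerm Terraform provider; the sample plan is constructed.

```python
"""CI guardrail: fail the pipeline when Terraform (JSON syntax) declares Azure
storage that is reachable or readable by the public.
Added example; attribute names follow the azurerm provider, sample is constructed."""
import json
import sys

# Constructed sample: one weak and one hardened storage account, each with a container.
SAMPLE_TF = json.dumps({
    "resource": {
        "azurerm_storage_account": {
            "weak": {"public_network_access_enabled": True,
                     "allow_nested_items_to_be_public": True,
                     "min_tls_version": "TLS1_0"},
            "hardened": {"public_network_access_enabled": False,
                         "allow_nested_items_to_be_public": False,
                         "min_tls_version": "TLS1_2"},
        },
        "azurerm_storage_container": {
            "exports": {"storage_account_name": "weak", "container_access_type": "blob"},
            "backups": {"storage_account_name": "hardened", "container_access_type": "private"},
        },
    }
})


def find_unprotected_storage(tf_json: str) -> list[str]:
    """Return one finding per misconfiguration; an empty list means the plan passes."""
    resources = json.loads(tf_json).get("resource", {})
    findings = []
    for name, acct in resources.get("azurerm_storage_account", {}).items():
        # Defaults are assumed to mirror the provider: network access and
        # nested public items are enabled unless the plan disables them.
        if acct.get("public_network_access_enabled", True):
            findings.append(f"azurerm_storage_account.{name}: public network access enabled")
        if acct.get("allow_nested_items_to_be_public", True):
            findings.append(f"azurerm_storage_account.{name}: containers may allow anonymous access")
        if acct.get("min_tls_version", "TLS1_2") != "TLS1_2":
            findings.append(f"azurerm_storage_account.{name}: minimum TLS below 1.2")
    for name, ctr in resources.get("azurerm_storage_container", {}).items():
        # "blob" or "container" grants anonymous read; only "private" is acceptable.
        access = ctr.get("container_access_type", "private")
        if access != "private":
            findings.append(f"azurerm_storage_container.{name}: anonymous access '{access}'")
    return findings


def main() -> int:
    findings = find_unprotected_storage(SAMPLE_TF)
    for finding in findings:
        print("BLOCKED:", finding)
    return 1 if findings else 0  # non-zero exit stops the CI/CD job


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the JSON would come from `terraform show -json` on the plan rather than the embedded sample.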
While there is some native tooling in the Azure ecosystem, Morelli noted this tooling wasn’t necessarily as “intuitive” as Wiz, nor was it as helpful in identifying risk assets or potential attack paths.
“We’re a big attack path kind of team. We like that approach of [identifying] attack paths, where are your risk assets and what is the quickest way to get to them? Some of the work we’ve been doing in Wiz is around attack paths, and that’s just not natively available in Azure.”