Protecting the energy industry from cyber attacks: Brad Flanagan on cybersecurity
As businesses rapidly invest in technology to drive value and scale, the demand for specialists who can develop organisational resilience against cyberattacks grows. We spoke to Brad Flanagan, Head of Cyber Security at Essential Energy and a collaborative leader committed to organisational success, about keeping up with the rapid pace of change in cybersecurity.
Tell us about your background and how you ended up in cybersecurity.
I started out in technology in the implementation and project management space in South Africa at a time when the government was going through a large-scale digitisation project. So I was working with a team who were involved in transforming manual paper into technology processes and procedures. And then I made a move into an internal audit compliance function, where I spent 12 months really skilling up in the compliance aspects of technology, so controls and that kind of thing. From there there was a natural progression into the IT risk space, focusing on understanding what the risks were in relation to particular technologies and what controls needed to be in place. And this was just over a decade ago, before ‘cyber’ was a thing! Over time, the team I worked for evolved and became the cyber team at PwC, so that’s how I ended up in cyber! In many ways my journey to cybersecurity reflects the way technology has evolved to become a primary driver in the way organisations structure their processes and people over time. As that has progressed, having strict controls in place to ensure identity or access to systems became even more important, and over time these systems started to connect with each other more, requiring more interrelated controls and a bigger picture understanding of control landscapes.
Is there something that particularly attracted you to that cybersecurity space?
I’ve always been interested in technology and have loved having conversations about it, and being around it. And I think matching this with my experience in internal audit – where I developed a detailed understanding of compliance and regulatory requirements – led me to a discovery that I really enjoyed applying that in the real world. So things like working out what really makes sense for one organisation may not make sense for another, and really embracing the fact that cybersecurity is not a ‘cut and paste’ or ‘one size fits all’ solution was where things got really interesting for me. Working in partnership with clients to understand their needs while keeping across a changing landscape of threat actors is really satisfying work. Threat actors are getting smarter in the way that they conduct themselves or try to compromise organisations, so that means we’ve also got to make sure that we continue to educate ourselves and work out what’s needed to mitigate those continually changing risks and landscapes we’re all working in.
Let’s talk a bit more about that. Not only is technology always changing, but so is the regulatory environment and the hackers that threaten our organisations…how do you keep up with that pace of change?
The rapid pace of change is the one constant in cybersecurity! But what we really try to do to get a handle on that change is to break it down and simplify it. Perhaps the biggest challenge we face at the moment is that cybersecurity is often seen almost as an ‘unknowable’ entity – so when we speak to people who aren’t specialists in the field about cyber, they instantly think about technology because what they picture is a guy sitting on a PC trying to to hack into your your computer. Whereas actually that’s just one avenue that a threat actor might try. He might pick up the phone and call you and ask you to log on to something, for example…so the channels are changing and becoming more varied. Keeping everybody up to speed with those threats through education awareness programmes is really central to our efforts in cybersecurity because it’s people who are at the core of this. At least half of our effort is focused on the people side of the business, making sure everyone is aware of what’s happening out there and how to respond if someone does call you and ask you to enter your credentials onto some unknown website. We encourage people to go with their gut when something feels wrong – it’s the same as in your personal life, if someone you didn’t know asks you to log on to your bank account, you probably wouldn’t do it. Personalising that risk really helps people respond and act almost like a human firewall.
Tell us about your role at Essential Energy.
I am the Head of Cyber Security, so what that means is that ultimately I’m responsible for cybersecurity at Essential Energy. We run a sophisticated security operation centre with 24/7 monitoring and detection of any attempted or actual threats on our network, but we also complement this with two other really critical proactive programs of work. The first of these is a consultative stream to integrate cyber into the way we work across the board at Essential – so we work closely in partnership with others across the business to integrate cybersecurity efforts into what’s happening right across the organisation. This is a really key part of our strategic approach to ‘staying ahead’ of cyber risks. We also have a cyber program which is designed to uplift cybersecurity awareness and behaviour across the organisation, which is that people-focused approach I spoke about earlier.
What I love most about working at Essential is the complexity of our settings. At first glance you might think of us as ‘just’ a rural DNSP (distributed network service provider), but in reality we’re an IT organisation, and we’re an OT (operational technology) organisation, and we have critical telecommunications capabilities that other organisations rely on. So there’s many layers of complexity across our business, and we’re spread out all over New South Wales. When we’re thinking about cybersecurity and security more broadly, we have to think about every single one of those depots as a potential window through which a threat actor could get into the building.
What have been the key strategic areas of focus for Essential Energy from a cybersecurity perspective?
Our strategy is trying to achieve a number of key things. The primary goal is to ensure that all our efforts and everything we do within the cyber space is aligned to the business. And this is key to success for the cybersecurity function in any organisation. It’s all about understanding the core of the business and what it is trying to achieve. For us, we’re looking at smart meters, smart light poles, and a range of other ‘smart’ things that are emerging from this boom in the ‘internet of things’ (IoT) space – that’s the direction the business is trying to get to, which a lot of lot of organisations are in our space. What does that mean from a cyber perspective? So how do we ensure that we work with the business to confidently pursue a business strategy with the security in mind and ensuring that customer interactions are done in a safe and secure manner over time? As we look to enable the customer to access their information, to select various services preferences, how do we ensure that they do that securely and safely? So our cybersecurity strategy is really trying to align to the business. But the other part of it is also ensuring that we we appreciate or recognise the threats out there. So what does an organisation like ours need to need to respond to the threats for us compared to a bank or other organisation? The threat actors that want to hack into a bank to get money will operate very differently from those whose objectives are to compromise safety systems and critical energy infrastructure. So the threats are different and our risks are very different. And as I touched on earlier, there are risks around being very geographically sparse and mobile workforce; not every employee is sitting at a desk with a PC, so we have to consider how to enable our people in the field to recognise suspicious things on their mobile devices. So the strategy really takes those two pieces – the business and threat landscape – and puts them together in order to deliver a program over three years to get to a point where we are comfortable.
So people are really the key to understanding and mitigating cybersecurity risks. How do you have conversations with people who think of cyber as being technical?
It really comes down to the language we use and the way we demonstrate the potential outcomes of something bad happening. You know, it’s not just about a PC being compromised and them not being able to log on…while that might be an operational impact, we need people to understand that that compromise might allow somebody access to sensitive information which could be sold on the black market to a competitor. We need our people to understand that somebody getting into a control room and turning off a safety system while somebody is climbing up a pole might result in somebody getting fatally injured. So the language that we try and use is to make it understandable from a business perspective. It needs to be less technical and more business-oriented. It’s a skill (and an art) that we are all still trying to learn.
One of the things we hear about in the market a lot is the convergence of OT and IT. Can you take us through what that means?
I think it’s important to start by clarifying that the domains of OT and IT have been segregated for very real and serious reasons around safety. Having a segregated network provides critical certainty around misuse that you just can’t get on a corporate network where you’re more open to the internet via the cloud and other gateways. So when we talk about convergence, what we’re talking about is the governance of those two environments. What governance procedures do we want from an enterprise perspective and can they be dealt with in parallel? So the management of domain access to systems through identity, for example, is a process that happens in both OT and IT. Could a converged process or governance model around identity management for onboarding or offboarding of employees ensure consistency in controls, monitoring and response? It’s really about finding consistent and efficient ways to approach things across both domains.
The other convergence that people refer to is the use of data from OT space. For example, using data collected from smart meters to target services to particular customer segments. There is convergence there in a sense in how you manage the controls and measures across both domains as you bring that data across.
The growth of smart meters and IoT in the marketplace is pretty significant. What does this mean for threats and security?
Traditionally, the ownership and management of applications placed quite a lot of control in the hands of the organisations applying these solutions, so you knew exactly which processes were in place and who was managing them. Now as organisations adopt cloud-based services, we see a movement towards more of a shared responsibility; where the need to rely on your cloud provider’s security controls becomes a factor in your overall cybersecurity approach. It requires a level of contract management and understanding that is quite different, and it’s really easy to overlook this. Many organisations assume that just because a product is from a well-known provider like Microsoft or Amazon means that it has the best controls in place for your environment. They give you a good baseline, but you need to supplement that with additional controls that reflect your risk profile. So it’s things like conducting an independent security assessment or negotiating the right to audit or conduct penetration tests with your provider. It’s about coming to a level of assurance that aligns with your organisational risk profile.
Tell us about what Essential Energy does to proactively reduce risk?
So we break down our proactive measures into three key areas: detection, monitoring and response, and recovery. In those first two areas, making sure we have the right tools and the right people using those tools, is a critical first step. And then it’s about making sure you’ve got really clear and robust processes and procedures in place to guide your response to the detection of an incident. But most importantly, you need to understand that what you’ve put in place really does work in practice. So for us, that’s where simulations play a critical role as a proactive measure. We run planned and unplanned simulations so we can test our ability to respond in different ways, and we test not just our security operations team, but the whole organisation. In a recent example our Chief Risk Officer ran an unplanned whole-of-organisation ransomware simulation, which included our executive leadership team. We learned really important things about where we can improve our plans in preparation for a genuine event. The final area, recovery, is one that is neglected by many organisations, and that really covers off on your ability to restore operations. So in the event of a catastrophe, how do we continue with operations from a business perspective? Our proactive measures in this space are around how our team works with system owners to ensure they have processes in place to restore or spin-up a server if required. What we do is help the business think about the flow-on effects in recovery, like what processes need to be in place to make sure that we do pull up a new set of servers that the website doesn’t drop out, or another service doesn’t become disconnected.
Can you speak about the relationship between Essential Energy and the Australian Energy Market Operator and the industry standards around cybersecurity?
The energy sector sits in a really interesting regulatory landscape, which is part of what makes a role like mine so rewarding. AMEO released the Australian Energy Cyber Security Safety Framework a few years ago now, and at that time it was not mandatory. However almost everyone in the sector adopted it immediately because it was based on international standards which most of us were using anyway, and it provided an insight across the market on which we could baseline our maturity, allowing us to understand where we sat from a sector perspective. Meanwhile, the Critical Infrastructure Act is currently undergoing amendments to include components of cybersecurity, and that signals a likely shift that will see things like the self-assessment and cybersecurity framework fall under the purview of the Department of Home Affairs. So we are anticipating the introduction of annual positive obligations to report to the Department on our cybersecurity approach in the near future, and although AMEO will no longer ‘own’ the cybersecurity framework, the work they’ve done in the sector in recent years has already set a standard of sorts across the sector.
What advice would you give to graduates or IT professionals considering a career in cybersecurity?
This is an interesting one, because even just five years ago you would have been lucky to find a cybersecurity post or course out there. There might have been a module in one of the years that you were doing your technology degree in cyber at most. And that’s changed significantly now. So if people are passionate about cyber, they’re now able to take specific studies at university-level. Reflecting on my experience with graduates at Deloitte and PwC, it was those who possessed an inquiring mindset, a mindset of curiosity, who did really well in cyber. So having technical foundations is one thing, but having the process and compliance understanding and the intrigue to understand how organisations can comply is really important to success in this area. If you’re passionate about technology and you have an enquiring mind, you’ll do well!
—
If you’re looking for a cyber security or technology professional to take your organisation to the next level or seeking a new position, reach out to Clare Weir today on 0438 412 252 or email clare.weir@gwg.com.au.