Top Five Tips for Security Management in a Utility Business


The links between infrastructure in the utilities sector and security vulnerabilities are becoming increasingly complex. This is becoming more evident as once air-gapped critical utilities infrastructure relies more on converged information and operational technologies.

While information technologies remain far from secure, operational technologies represent a far greater point of weakness. Apart from being typically under-protected and overlooked for updates and patching, the operational technologies supporting critical infrastructure usually comprise outdated software and operating systems. 

The harsh reality is that these technologies are highly vulnerable to infiltration, and cybercriminals that gain access can perpetrate undetectable, uncontrollable and unrelenting actions. Whatever the criminals’ objectives are, it is inevitable they will achieve them.

To manage these risks, it is crucial that security is well planned and receives strong executive and board support. Up-to-date security management is vital for every organisation, and this article provides key tips on what any company in the utilities sector needs to include in its planning.

Continuous infrastructure breaches cause huge human and financial cost

Gartner states “continuous cybersecurity breaches against critical infrastructure industries will result in environmental events exceeding $10 billion, catastrophic loss of life and new regulation, globally, by 2019.” 

With most critical infrastructure depending on other critical infrastructure services to operate, an attack on any physical or virtual system, asset or network could disrupt an entire country’s critical systems. Not only does this have the potential to be detrimental to Australia’s economy, it also poses a serious physical risk to civilians.

The Australian Government’s non-regulatory approach to critical infrastructure resilience means the nation’s social and economic wellbeing relies on business-government partnerships. Under these partnerships, public and private operators and owners of critical infrastructures are entrusted to independently assess their operational risks and determine the most appropriate mitigation strategies.

While many owners accept that ensuring the security of their assets is a cost of doing business, the lack of minimum cyber security frameworks can tempt industries to opt for cost-effective rather than all-encompassing strategies. Defective systems may instigate unauthorised actions, disrupted operation, equipment shutdown and supply outage leading to environmental flaws. Second to the catastrophic, potential endangerment of human lives lies the risk of financial penalties, regulatory investigation and reputational impact.

People central to infrastructure security

The Australian Government has recognised the issue of technology security in utilities and in May 2015 launched the Critical Infrastructure Resilience Strategy. This strategy comprises two core policy objectives:

  • for critical infrastructure owners/operators to be effective in managing reasonably foreseeable risks to the continuity of their operations; and
  • for critical infrastructure owners/operators to be effective in managing unforeseen risks to the continuity of their operations through an organisational resilience approach.


While the theory underpinning the strategy is strong, the strategy’s effectiveness relies heavily on people working in critical infrastructure to be proactively involved in information sharing, furthering education and taking action to continually improve security.

To ensure the overall strengthening of the utilities sector, all operators and owners have a responsibility to maintain the security of their assets and the safety of the wider community.

Through my years of experience providing information security management and strategy development and implementation, I have established the following five tips for sound security management:

1. Education and awareness: Develop and implement a comprehensive program of activities to build a strong security culture. Your program must extend from the board to frontline employees. To create an organisation-wide shift, ensure that key stakeholders understand the challenges, issues and risks. Awareness empowers change.

2. Enterprise security architecture: Ensure an enterprise-wide security structure is developed. This structure needs to link business objectives and business attributes to security principles, then to threats, risks and controls. The structure must extend from information technology to operational technology to minimise risks and support convergence.

3. Service provider governance: Ensure all key external parties and service providers clearly understand the security controls they are responsible for. If anything needs to change from a security perspective, ensure they are included in the Education and Awareness program described in Point 1.

4. Security in projects: Ensure there is a well-defined and repeatable process for managing security through project life cycles. Harvest good results from projects to improve the efficiency of the process.

5. Build a suitable team: Develop a case to get support for your security team either by adding external help or internal headcount. A good option is to have a number of disciplines available on demand, such as security architects, security testers, security operations experts and security managers. You may never have the need for full time resources, but getting support will be important in building and maintaining the momentum of your strategy.

In conclusion, as information and operating technologies converge, the complexity of maintaining security increases. Over the next five years, the utilities sector will see the volume of security risks climb sharply and, consequently, more pressure will be placed on executives and boards to effectively manage these needs.

Regardless of increasing security demands, growing communication about and awareness of information security in utilities make inadequate management of systems and assets inexcusable. With safety as the number one priority and the knowledge that prevention is better than remediation, the responsibility is everyone’s and the time to act is now.

This article was brought to you by Enex TestLab, content directors for CSO Australia
