Western Australia is to review the cyber security capabilities of its entire energy sector in the face of “significant” risks.
iStock
The agency Energy Policy WA has called in experts to assess the sector’s critical infrastructure, operational technology and internal IT systems over a six-month period.
The consultation, which is the first of its kind for WA’s energy industry as a whole, is intended to inform any future cyber security risks and “mitigate cyber risks” in the sector.
Energy Policy WA sits under WA’s Department of Energy, Mines, Industry Regulation and Safety with the remit of “leading [the state’s] energy transformation”.
“Cyber security is a growing threat to all critical infrastructure, including the energy sector,” an agency spokesperson told iTnews.
“Energy Policy WA expects this consultation will identify priority areas for focus in cyber security for the energy sector in Western Australia.”
Last month, the Australian Signals Directorate raised concerns that one in 10 of cyber security incidents last year involved critical infrastructure, with state-sponsored actors targeting the country's government, infrastructure and businesses.
Although Australia’s energy sector is under the federal governance of the SOCI Act and the Australian Energy Sector Cyber Security Framework (AESCSF), Energy Policy WA said it hoped the consultation would give it sufficient insight to select “the appropriate level of regulation”.
According to a request for tender, cyber consultants will be tasked with risk assessing the sector in three tranches: electricity, gas and liquid.
The review will investigate people, practices and infrastructure in relation to their “critical risks” and “likely threat vectors”.
While it is expected the review will largely focus on operational technology, it will also examine whether “cyber security practices are applied to retail systems, customer data and corporate systems”.
“Any disparity between internal cyber security practices and external ones (for example, internal standards for connected equipment versus requirements for externally provided equipment that connects to an energy system) should also be considered,” according to the tender’s statement of requirements.
The document also noted that while critical infrastructure operators “generally have a high level of cyber security maturity”, there is less visibility and understanding of the cyber security capabilities of smaller ‘non-critical’ infrastructure operators.
