Endeavour Energy to construct a cybersecurity defense and response hub
Endeavour Energy is gearing up to establish a cybersecurity defense and response center to consistently identify and address advanced attacks on its electricity and IT systems, as part of 21 security-focused initiatives slated for completion over the next five years.
During an interview with the iTnews Podcast, Gijo Varghese, information security manager, mentioned that the hub would act as a unified area covering both information technology and operational technology.
“At the heart of it is the engineering network, which will then extend to our IT landscape,” Varghese said.
“This will be a fascinating journey for us, aiding in the detection of sophisticated attacks within our grids.”
Endeavour already has solid experience with IT-OT integration: Varghese’s team of around “25-to-30 individuals” already works seamlessly across IT and OT.
Achieving integrated security excellence stands as a key objective within Endeavour Energy’s ongoing five-year cybersecurity strategy, stretching until FY29.
“Primarily, our cybersecurity strategy has three major objectives we aim to fulfill. Our initial goal entails embedding cyber resilience to reduce vulnerabilities across personnel, processes, and technology as we transition towards clean energy,” Varghese explained.
Given the increasingly bi-directional energy flows between Endeavour and customers with rooftop solar, the company emphasizes safeguarding the security of these connections.
“The second objective of our cybersecurity strategy is to enhance the detection and response capabilities against sophisticated cyber threats. We anticipate consistent or escalating threat volumes and seek readiness against such events,” Varghese outlined.
“The third objective is an aspiration for excellence, seeking certification to ISO 27001 across both IT and OT landscapes while meeting the requirements of the Australian Energy Sector Cyber Security Framework (AESCSF).”
Endeavour Energy moved closer to the third objective by obtaining ISO 27001:2022 certification at the end of last year.
This achievement was the culmination of years of effort that began in 2016 with the launch of Endeavour’s initial cybersecurity strategy, predating the 2022 iteration of the ISO standard.
“Many industrial networks still grapple with disparate perspectives and security goals across IT and OT,” remarked Varghese.
“We recognized the value of advancing that alignment through [ISO certification].”
The official process, from preparation to certification, required approximately 18 months to complete.
Endeavour collaborated with CyberCX for support, while the certification was carried out by an external assessor.
The certification covers security for “20 physical sites, including 16 substations,” alongside control rooms, a data center, and a training facility.
Varghese highlighted three key outcomes of the ISO certification, the first being that it laid the groundwork for establishing “a culture of continuous enhancement” regarding security within Endeavour.
“We now have a mechanism to spot risks and deficiencies in the environment, document them, and then take action with a tracked plan,” he said.
“A register for continuous improvement has been initiated. This spans all portfolios of our technology operations, fostering transparency in comprehending our roadmap.”
A second consequential outcome revolves around “a heightened insight into the operational technology network, its interrelations, and the associated cyber risks, thanks to the documented risk register under our management,” Varghese noted.
Lastly, Varghese highlighted “significantly enhanced … third-party vendor management” following the certification process.
“We engage vendors overseeing our critical infrastructure components; we now grasp the depth of our reliance on third parties, their identities, their access rights, and their usage in incidences of cyber assaults,” he stated.
Varghese added that the ISO certification played a crucial role in assisting Endeavour Energy in fulfilling some of its Security of Critical Infrastructure (SoCI) obligations.
“SoCI mandates every critical infrastructure entity to devise a critical infrastructure risk management plan (CIRMP).
“For this particular SoCI mandate, we could leverage the ISO 27001 standard to enhance our cybersecurity posture.
“Furthermore, SoCI does not simply address cyber concerns; it encompasses all risks, ranging from personal, physical, environmental, to supply chain vulnerabilities.
“ISO 27001 takes a holistic approach in considering these aspects as well.”
Milestones in FY24
Aside from securing ISO 27001:2022 certification, Varghese highlighted three other endeavors – out of a total of eight conducted in the fiscal year – that significantly impacted cybersecurity efforts.
One initiative focused on enhancing network visibility for the OT ecosystem; another entailed executing a multi-phase cyber incident response drill; while a third initiative introduced a continuous adversary simulation program.
The multi-phase drill “not only evaluated our functional responsiveness to a cyber incident but also scrutinized the decision-making processes of our executive leadership and board during such events,” Varghese elaborated.
Furthermore, the simulation initiative constituted a purple-teaming exercise for the OT landscape and substations.
