In recent years, the critical role of cybersecurity in safeguarding our energy infrastructure has become increasingly clear.
The evolving landscape of digital threats has highlighted the importance of proactive and robust security measures for energy producers worldwide. In Australia alone, 2021 saw Queensland utility CS Energy’s corporate network struck by a ransomware attack, though electricity generation continued unaffected.
And in March 2024, New South Wales electricity network operator Ausgrid predicted in a submission to the Cyber Security Expert Advisory Board that a worst-case scenario shutdown of its infrastructure would have an economic impact of $2.9 billion per day.
More recently still, although the July 2024 global outage of tech systems caused by a faulty software update from cybersecurity provider CrowdStrike was not the result of malicious activity, its broad impact demonstrated just how much disruption can result when essential digital infrastructure fails.
The Australian energy industry is now more committed than ever to implementing comprehensive cybersecurity strategies, ensuring the resilience and reliability of power grids around the world.
This proactive approach not only safeguards infrastructure but also strengthens public trust and energy security for the future.
Assessing the landscape
ENGIE’s South Australian Pelican Point Power Station has worked with ABB to supply power to the state since 2000 when ABB developed, designed and installed the natural gas plant’s control system.
So when ENGIE, the plant’s operator, sought a cyber security risk assessment solution, it built on a relationship that had existed for close to a quarter of a century.
“They have the best knowledge of the control system,” says Tanvir Momin, Control System Engineer at ENGIE. “They are aware of the potential issues and vulnerabilities, and they understand its compatibility with different types of IT.”
While ENGIE would generally undertake these assessments internally, this project was unique and needed specialised skills, specific to that control system. ABB has that.
A comprehensive risk assessment ensures that a company’s cyber security solution doesn’t become too complicated, without being so simplistic as to be ineffective.
According to Khang How Yap, ABB Cyber Security Architect Leader, this approach helps ABB find its customers a solution that delivers a return on investment without stretching their budget beyond the costs warranted.
“The main focus is identifying the most critical vulnerability currently in a system,” he says. “A customer may already have some cyber security controls in place. For example, taking the most basic cyber security measure, they may already have an antivirus program or a monitoring system.
“If they have that existing system, we do not need to push the same solution to them. This is where the risk assessment comes in: we try to identify the weak points in their current system.”
That involves asking several questions:
- What is the customer’s current cyber security posture?
- Are the operation’s current security controls sufficient or do they need improvement?
- What critical vulnerabilities have been identified?
“It will consist of a series of interviews with their customers, their management, their operation and their engineering team,” Yap says.
“We try to understand their current management and maintenance practice, and how this aligns with local government cyber regulation as well as international practice.”
By asking the right questions and drawing on a global team's expertise, ABB delivers the risk assessment, as well as a remediation plan.
“Once we have the report available, then we move on to the next stage of the remediation,” Yap says.
“The ABB cyber security risk assessment report is not confined to ABB — we follow the IEC 62443 International Standard, which means that if the customer goes to another vendor, they can use the report as a guide.”
Implementing comprehensive cybersecurity solutions
A risk assessment will also consider local regulations and the context of the customer’s operations in its broader industry.
In Australia, the 2018 Security of Critical Infrastructure Act requires a plant like ENGIE’s Pelican Point to meet cyber security benchmarks. Conducting a risk assessment with ABB was one of these key requirements.
The Pelican Point Power Station is located north-west of Adelaide and has a maximum capacity of 510 MW. Operating via combined cycle gas turbine technology, it provides 17% of South Australia’s thermal generation needs.
Tanvir and the team are well aware of the risk a cyber attack poses to a plant with this profile.
“For power generation, the first risk would be ransomware — specific hackers or malicious entities targeting power stations for confidential information, locking out control systems, locking out operation, or gaining access to confidential information within the business, and then asking for ransom,” he says.
“They could maliciously operate the power plant in a way that sustains significant damage to the plant or personnel, jeopardising safety, the operation or the critical infrastructure within Australia.”
Tanvir suggests that Australia is not currently a high-profile target for malicious groups, though he cautions that vigilance is still essential.
When ABB works with an operator like ENGIE, the relationship is a genuine partnership. Protecting the install base is a long-term investment between the two entities.
So after the risk assessment has been conducted and a system’s weaknesses have been identified, the next step, Yap says, involves pursuing remediation from the findings.
“We have several discussions ongoing currently with the customer on how we can improve its cyber security posture,” he says.
“It will not be a one-time remediation, because the cyber security landscape is changing every day, and the internet is coming up with new technology — we are talking about generative AI nowadays.”
Having that ongoing relationship matters, because an effective cyber security solution must be customised; there’s no off-the-shelf, one-size-fits-all model available to a plant like Pelican Point.
“A lot of people confuse cyber security with information technology only, and they never give a lot of thought to the operational technology — or the process industry in our case,” Momin says.
“The technology is different. It's not always Windows-based or IT-based, and we have different kinds of technologies installed on site.
“One-size-fits-all cyber security will not work in any process industry. It has to consider different threat levels and different threat actors. Not all the power plants are the same, not all process industries are the same.”