Western Power Head of Cyber Security Richard Asch shares insights on protecting assets during an energy transition and hiring outside the box
Western Power is a state-owned electricity utility operating a grid servicing more than 2.3 million customers across Western Australia. It is part of an industry that is undergoing fundamental transformation, which Head of Cyber Security Richard Asch says is making his security role all the more exciting.
“We’re going through a once-in-a-generation energy transition away from fossil fuels to renewables. Western Power is right in the middle of that, operating the southwest interconnected system,” he says.
“There is a lot of change happening at a macro scale and that requires a lot more technology in our environment doing things that we’ve never done as an organisation before. We’re actually leading the curve on a lot of it because of the unique aspects of our grid and the isolation factor we have here in WA.
“From a security perspective, this introduces many challenges and opportunities and that’s probably one of the biggest focuses we have.”
A year and three months into the role, Asch has developed and is executing a new security strategy that takes account of the abundant technology changes, seizing opportunities to build security from the ground up as new systems are developed and deployed.
“We’re doing a lot of security-by-design thinking in collaboration with other players in the energy space in Western Australia, including Synergy, and AEMO the market operator, as well as various others,” he says.
“We also have to think about these things at an even broader scale with the original equipment manufacturers (OEMs) of devices like solar inverters, that get installed into households with all sorts of connectivity options.
“There are also emerging technologies which are currently being trialled, like distributed energy resource management systems and virtual power plants, which is really exciting. The idea of software controlling the distribution of electricity in a microscale is mind-blowing and requires new approaches to security thinking.”
Western Power represents a major piece of critical infrastructure for the state of Western Australia, which no doubt adds pressure to the role of keeping it secure. However, Asch notes that the high level of visibility and the known importance of protecting critical infrastructure does have its silver linings.
“One is that the Australian government is doing a lot of policy reform on critical infrastructure legislation,” he says. “Earlier in the year a bill was passed to amend the Security of Critical Infrastructure Act.
“That’s going to go some way to maturing the way critical infrastructure operators protect themselves. It’s setting a higher bar that is federally mandated to achieve.”
The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 came into effect in April 2022 and introduced two key measures.
These measures aim to make risk management, preparedness, prevention and resilience ‘business as usual’ for critical infrastructure operators and seek to improve information exchange between industry and government.
“Being in the electricity sector is quite interesting because you’re right at that core of critical infrastructure,” Asch says.
“That recently amended legislation recognises 11 different sectors, electricity being one of them. There’s also gas distribution, health care, telecommunications, data processing and so on.
“Ten of those sectors can’t exist without one and electricity is it. That adds a bit more focus to my day to make sure we are doing everything we can to protect such a critical asset to WA’s economy and way of life.”
Colonial Case Study
One of the biggest critical infrastructure security stories in recent memory is the Colonial Pipeline ransomware attack, an event that saw gasoline and jet fuel carriage operations along 8850km of pipeline between New York and Texas suspended for several days.
The sudden halt in fuel supply caused upheaval around local flights, shortages at fuel stations, panic buying, and a spike in prices. The hack was reportedly facilitated via the exposure of a single password.
From that case study, Asch says it is important to remember just how significant IT systems are to a critical infrastructure operator, especially when so much focus is often on keeping the operational technology (OT) up and running.
“There are a lot of people who belong to the school of thought that OT, the operational technology controlling the gas distribution in that example, is the only thing that’s critical,” he says.
“A lot of reporting and much of the discussions happening in industry groups is highlighting that Colonial’s IT was hit, not their OT. But they still shut down their pipeline in an attempt to limit further collateral, which caused a state of emergency with gasoline shortages.
“When you think about how critical your IT is to your billing and everything else required to operate a gas pipeline, there’s no wonder they shut it down.
“I think there are definitely some misnomers about the criticality of different systems in different sectors and then you have an incident like Colonial which brings it to the fore.”
Having spent almost two years with hard borders in place, Western Australia was even more isolated than it typically is. This certainly didn’t help when it came to addressing the skills shortages in cyber security, which Asch says continue to be felt.
“We are affected just like everyone else unfortunately, it is a challenge,” he says.
“Something that goes under the radar a bit when we discuss the skills shortage, is the emergence of tech companies and organisations offering fully remote roles in the wider Asia Pacific region throughout COVID-19. These companies are actually taking workers out of the marketplace without physically relocating them.
“I’ve had peers of mine take up globally focused roles with security vendors that should be based in San Francisco or Washington, but they are working from their living rooms here in WA. While these are certainly great opportunities, in reality the full-remote hiring trend creates a challenge in that it further constrains a fairly small talent pool.”
Asch says alleviating the skills challenges requires a rethink around hiring and taking new approaches to capture people who are interested and able to carry skills across from other industries.
“Having less of a shopping list when going to market or being very prescriptive about all the qualifications or experience someone needs, and rather looking at cross skilling opportunities can help,” he says.
“Another one is investing in talent development through graduate programs. We’re very fortunate that Western Power has a strong graduate program and we’ve brought in a lot of good talent into the security team through those sorts of initiatives.
“Like anything there’s no silver bullet, you have to take a multi-pronged approach, but a personal mission of mine is to change the way we think about hiring and to stop casting a very narrow net looking for unicorns that don’t exist.”
Asch says with the right passion and an ability to learn, cybersecurity professionals can come from all walks of life. “One of the best cybersecurity professionals that I’ve ever worked with studied philosophy at university, before going through many other roles from journalism to not-for-profits and eventually ended up in cybersecurity.”