Nathan Morelli knows the importance of staying vigilant as the Head of Cyber Security and IT Resilience at South Australia Power Networks, the state’s sole electricity distributor and leader in the Energy industry.
In the lead up to the FST Government South Australia 2022 event, we sat down with the SA Power Networks Head of Cyber Security and IT Resilience to discuss how the company stays agile and prepared for potential threats, the unintended benefits of lockdowns, and the constantly evolving cyber security environment.
FSTGov: SA Power Networks has a unique perspective as you are ‘government adjacent’ and can see how both the public and private sectors handle attacks, risks and threats.
What do you see as the biggest differences and similarities between the two, and what can they learn from each other?
Morelli: There are probably more similarities than differences. Across the whole cybersecurity industry, we are a set of professionals trying to do the best to enable our business to perform as well as possible. Whether that be for us as a power network in distributing power to the state or an agency that provides a service to the people of South Australia.
I think what we have at SA Power Networks is a real tangible outcome. We are part of critical infrastructure, and that means that we have a very impactful responsibility, which we can tie everything back to. Whereas a government agency providing a service may not be so tangible, for example education is, one of those important services where if is not available, there is a reputational damage but, fundamentally people still live.
When we talk about handling cybersecurity incidents we try and identify threats and minimise the impact of them. Some of the differences between the public and private sectors might be how we’re budgeted and resourced. That is significantly different in between us as ‘government adjacent’ and being privately owned, we have that ability to tie things back to profit and returns to shareholders. Whereas that is not something you see in governments, it is all about expenditure of the public’s money. There are different ways we budget, which means that we get different outcomes, and we might be better resourced. But I think fundamentally our core role and responsibility is the same; to protect information, enable organisations to provide services, to minimise the impact of a cybersecurity incident on our customers and citizens, and not be on the front page of the papers.
FSTGov: We have seen recent examples of cyber attacks making the front page and being huge disruptions to businesses, customers, and governments. What are the some of the biggest threats and challenges SA Power Networks, and the wider public sector, are facing?
Morelli: I think the continually evolving and diversified adversaries, which are getting smarter, working harder, and have a lot less red tape and fewer barriers to change than we do. Cybercrime is a multi-billion-dollar industry around the world and there are more and more gangs coming up, which creates more demand, and different types of cyber criminals as well. You have also got nation states trying to on intellectual property and trying to get a competitive advantage or trying to advance their nation faster.
One of the bigger evolutions we have seen, in the cyber cybercriminal world, is that there are now adversaries that are just there to be brokers for access. You now see these middlemen or middle brokers make these businesses even more efficient and effective. Whereas you’ve got the rest of industry, both public and private, trying to protect and minimise the impact of that. We’re doing the best we can with the people we can find and keep. But these adversaries are advanced, they’ve expanded their business models, and we haven’t had the ability to do the same. I think that’s the biggest advancement.
FSTGov: How will SA Power Networks adapt to keep up with these evolving threats, trends and challenges?
Morelli: What we’ve really focused on is understanding that there are threats and adversaries that will never go away, which has become common across all of cybersecurity change. We’re always fighting somebody. So, knowing your threats is fundamental in being able to adapt and evolve through all those changes; knowing who’s going to attack us, how they’re going to attack, what they’re going to focus on, and then working out how we’ll respond to that. Now, we recognise that we are not as advanced as the threat. We may not have all the tools and capabilities that they have, but we can minimise their impact rather than try and stop them.
At SA Power Networks we have a threat led cyber security program, and through that we know our top 10 security threats. We know their assets, what they’re focuses are, and their previous activities. We know what they’re doing, how to detect and respond and here we can see these top 10 threats are probably going to follow these 80 procedures and look at common things that they all do across all of their attacks. That threat led, intelligence-based approach means that we can evolve as the threat and the adversary gets better. All of those key concepts and focuses are what are you looking after, they are your crown jewels. Once you know your crown jewels, you’ll know how to better protect them and that’s how you minimise their impact.
If we can detect and respond to 80% of these attacks and recognise these techniques, then we know on a bad day, we did enough. Because all we can do is enough. We can’t do everything.
Two years ago, we knew we were too reactive to cyber security threats. We knew that we were at the wrong end of the incident, because by then the malware’s executing. We need to see it before that. We need to see it when the fishing email comes in. We need to see it when the sender with the poor reputation is coming. We need to detect and respond earlier.
FSTGov: What would you suggest government agencies can do to optimise their security systems?
Morelli: Focus on your people. Focus on skilling them and enabling them to make change. You’re always going to have people, so make them great people. With great people come, great processes and with great process come great outcomes. Don’t always chase the next cyber security tool, focus on enabling your people to use your tools the best way they can, most cyber security tools will do a good job at something, make sure you’re doing the best with what you’ve got, then look at how you’re going to improve.
When I come into a team, I always look after cybersecurity people first and ask, how can we retain and skill up? How can we use the tools the best we’ve got? How can we leverage the people around us? How can we help them understand their role in protecting the organisation? What I like to lean into is understanding the people that are around us and helping them understand their roles. They have a part to play, and that is following good cybersecurity process, but also identifying where cybersecurity processes don’t exist. When you think about the Optus incident where human error caused nine million customer records to be out in the wild and a really expensive next two years for them. There may have been great cyber security process in place and there might have been great governance in place, but somebody made a mistake. There’s a people element, and an end user element of ‘think before you click’. In an administrative perspective of you have a big responsibility in carrying employees, customers, other organisations information in a supply chain. You’re a custodian of that information and your responsibility is protect that information.
Cybersecurity can only educate and help make somebody aware of their role in being a custodian of information in that chain of events. It doesn’t require additional resources, it requires a conversation and engagement, which you always have at your disposal. They are tools that are in your back pocket that people around you can do really well if you think it through. So, you don’t always need great tools. You don’t always need a massive budget. Money is tight, but you can always engage and help other people along the journey.
FSTGov: You’ll be speaking on the upcoming FSTGov South Australia Cyber Security Panel in December. What do you hope to discuss with your peers?
Morelli: My plan is to walk through how we’ve gone from reactive to proactive, and how we’ve moved to using threat led intelligence and other different tools and people in the process rather than thinking, “Hey, I need the big fancy thing that’s in the top right-hand corner of another organisations’ website, or else my cybersecurity’s bad”. That’s okay for a point in time, but to truly evolve requires focus on people, process, strategy and program. It requires a team effort, and just the cybersecurity team. I’m hoping that what I’ll be able to talk through how taking a threat led approach enables you to bring people on a journey to uplift process, to enhance your tools, to have a better focus on what you should be working on today versus what you thought you were working on.
Being threat led enables us to prioritise better and then justify the need for the fancy tools that might be coming up next. So, I think through one of the ways that we are uplifting our security baselines across environment and is through breach simulation, which are great fancy tools that sit on devices in your network and simulate the adversary moving through your network. We use this breach simulation tool to test us against that heat map, the 80% of the tools, procedures and the ways that an attacker will attack us. We can run a potential threat across our breach simulation platform and know that for 80% of our environment, we would’ve detected that within the first three stages of that attack or what areas need improvement.
Our whole program is able to then be translated, because its threat led, into language an executive can understand, and we can respond with the same feeling. We’ve got confidence in our environment because we test it against those kinds of threats. And we do that every week and we are doing better. You can come back to those top 10 threats and ask what are they probably going to do against us? We then uplift those controls, become better at preventing and then when the bad day does come, you’ll detect it earlier. That’s what I’m hoping to get across.
FSTGov: As we get used to this ‘new normal’ post pandemic, what trends and tools do you see becoming IT Security?
Morelli: We are focusing a lot on lifting up the baseline of the devices our employees use but we’ve also got a very diverse workforce. During the pandemic, we let everybody go home and we all allowed a little bit more cybersecurity risk to enable that to happen. We weren’t prepared for the workforce to be so remote. We’re all very used to the traditional walls and security boundaries of the office, of closed doors, and a closed network. We can allow people to do whatever they want when they’re in that network because we trust them. So now we’ve got zero trust, which inherently means that we don’t trust as much as we used to. We almost have to see every device, that connects to our networks, as hostile.
The biggest evolution that we’ve got to bring our team on next is, yes, we understand our threat but how can we push that that control closer to the end user, and particularly those end users that we don’t control. Those being contractors, using their own devices and mobile phones, each of them is a different threat at a different level. The principles of zero trust say it doesn’t matter what device that is, you just don’t trust them. You put controls in place, you do your posture assessment, you do multifactor authentication for different risk-based scenarios. So that’s probably the next evolution for us is getting closer aligned to those zero trust principles, and I think a lot of organisations are on that journey. Fundamentally it is about trusting that end device less. Thinking like the adversary and that everything is hostile. How am I identifying that hostile behaviour? How am I protecting myself from those hostile networks? It is a very negative way to think but it’s a great mindset for cybersecurity teams to have.
One of our fundamental challenges is that we have a diverse workforce, diverse in location, IT skills and age. We have a lot of great workers, people who are very skilled at keeping the lights on, very skilled at repairing things when they break. But they didn’t grow up perhaps like this current generation of using social media and understanding that there is a threat on the other end of a SMS, phone call or an email that isn’t trustworthy.
We’ve got to bring them on a journey and teach them about mistrust, incidents and risks. We do that through a lot of awareness. What we’ve been doing through October, as it’s cybersecurity awareness month, we’re running “lunch and learns” where people in our organisation dial into a teams meeting with our awareness professionals for a short 10 to 15 minute presentation that are open for questions. On our first “lunch and learn”, we had 650 people, that’s a third of the organisation, dial in just to learn about how to make a stronger password they understand the impact of losing a password. We’ve got a demand where people have heard about Optus, have heard about cybersecurity in our organisation because we’re pretty open internally. We held a briefing recently and had 500 of people dial into that just to learn about cybersecurity and how it impacts the wider world. Our people have a real thirst for knowledge.
Younger generations have become complacent at times as well. We probably are complacent about our information being out there in the world because we’ve seen so many attacks and incidents. We know that our personal information is out there in the world but don’t know the impact of identity theft yet. So, we’ve got to show our generation as well, where you might be a bit blasé about your information being out there, what identity theft feels like on the other end and there are stories of lived experience after these attacks that I want to bring in the next phase of awareness. Many people from our generation have lost their identities because of this through previous breaches and the amount of effort, like it is six to 12 months work to fix identity theft after the incident. So, that is what I want to bring into the future as well is don’t also be complacent just because it’s happened so many times to us already. There are two different elements to focus on in the future: there’s upskilling and there’s removing complacency.
FSTGov: There has been a shift in the way IT security is seen within organisations. How does SA Power Networks plan on adopting security and resilience into day-to-day processes for users and employees?
Morelli: That’s probably one of our biggest challenges, not letting cyber security disrupt the organisation so much that it becomes hated. In the past cyber security teams have probably over applied controls without considering user experience. We’ve chased the quick win of adding MFA to every single system which ticks a box that you are authenticating every single user. But now they are also being authenticated 10 times, which means that they don’t look and they don’t react properly to each MFA. They just click it. So, you’ve actually made the situation worse by not considering the user experience first and considering that process as a whole. Now we work hand in hand with the UX and data teams so we understand the users experience and what they’re trying to access so that we can better build around a persona approach. For example, we’ve enabled data a lot on our devices that the field crew use and if you’re a field worker and you access this set of data, you probably only need to MFA for that set of data at these points in time rather than every single time you access pieces of data or a system that is a lower risk, then you don’t need to MFA it. You can trust other methods of authentication to do that. We enable biometrics like the Windows Hello system doesn’t need another point of identification if they’ve logged in with their Windows Hello, which is their eyes. They can access a lot with that. We can enable a lot of trust in that process and only when they access super sensitive information it will trigger the MFA. Rather than first logging on, which is frustrating and makes it hard, as they might be up in a cherry picker, and they’ve got to do an MFA on their mobile phone which is still in the truck because they’re not allowed to take the mobile phone up. Understanding the user experience is really important while also knowing what your most sensitive pieces of the data are and putting an additional control in place just to protect the most sensitive data enables your users to then make a purposeful choice at that point in time.
With the zero trust model as well, you’re building more invisible controls and you’re trusting more other processes because you’ve uplifted them along the way. That’s how I think that we’re adopting resilience into day-to-day processes for our users’ employees whilst also uplifting our maturity baseline. It’s a bit of a slower burn, but people and process changes take longer, but if you can get them right, it’s longer lasting.
FSTGov: One of the common obstacles with process and system evolution is building understanding and awareness. Has there been difficulty with simplifying and explaining these programs for the average person?
Morelli: Our end customers don’t understand yet that if we don’t put cybersecurity controls in place at the right time, when they’ve got power lines falling down, this will be the case for the next 50 years. They’ll have power lines falling over on their street and mums and dads will be concerned that they can’t let their kids out of the house because their power line down. But that’s what it means and that’s the biggest link we’re trying to make now. Cyber security investment isn’t just about having lots of people in a room looking at screens, it’s outcome for a consumer is that the service they expect, happens when they expect it.
We had recently where the winds were really bad the night before and we had 14,000 customers out. The number of systems that a response worker needs to schedule, to put crews out, to turn power off, to make sure it’s safe after it’s reconnected is about 140 different systems and applications. That’s a big resilience outcome. We’ve got to have backup in place, we’ve got to make sure that those systems are trustworthy, and we’ve got to make sure that they’re available. There’s a lot of knowledge in our responder heads that they can go, ‘Oh, that doesn’t feel right’, and they can query and resolve it.
Consumers don’t understand that investment piece in keeping those systems resilient, secure and trustworthy. But if we can translate that to, we had 14,000 customers out and they all were back on within 24 hours because of these systems, because of the risk and resiliency work. That’s where we need to take our conversations next.
That’s why we take on these roles, to make important change and we’ve got a really good mission. That’s the other reason why I like SA Power Networks because every organisation’s got a mission, but we can really engage with this one because we keep the lights on and that’s a real big outcome. For people, for our families, for the next generation of young we are trying to inspire to maybe make a choice to stay in cyber.
Working with us means you get to, keep the lights on.
FSTGov: What do the next few years look like for SA Power Networks?
Morelli: We will continue to try and be closer to our organisation’s outcomes. The state of South Australia is a big renewable state, and we are really well positioned and well advanced in how we take renewables and we distribute them through the energy grid. Traditionally, hundreds of years ago we transmitted power across a power line to an end consumer. It was a one-way network. We now have to build a two-way network and distribute energy differently.
Our role in that is to put cybersecurity in place at the right points of that network and to allow them to do that. And there’s a lot of data that’s needed for that and a lot of two-way connectivity that involves advanced technology that might not have the cybersecurity expectations of it. For example, you talk about inverters, solar and roofs, those suppliers and organisations might not have the teams, the technology and the cybersecurity in place yet. So, we’ve got a role to help uplift that part of the environment that then connects into our systems so that we can make really advanced decisions on how we distribute power. So that would be a solar panel to an inverter back into our network where we go to a control system that says, ‘Wow, there’s a lot of solar in our network. We have to turn off generators, we have to say generators go elsewhere’. They go to the eastern seaboard, and we distribute that solar coming off a consumer’s roof with consumer grade technology making a decision around the signals that are coming out of that to then make a control decision for a state. There’s a lot of cyber security risk in that process.
So our next two to five years is enabling that transformation to occur, and enabling that environment to not only be supplying the state but being so large that it can supply the country. And we are making great trusted decisions on our control systems and our distribution management systems that we trust data coming from those environments. And that comes with a lot of cyber security risk. So that’s where we see our team evolving and supporting innovation to help us be more of a renewable state, to help us evolve as a distributed energy company but also being a leader around the world. So that’s cybersecurity’s role is to minimise risk, to enable trust in signals coming from rooftops, solar and bigger solar farms as well. You’ve got organisations like SA water building massive solar plants. You’ve got other organisations that are commercial building, massive solar plants. We need to trust that information and you know, those organisations have got more time, more budget to make them secure. But we need to give them guidelines and frameworks to ensure security as well. Ultimately all we want to do is enable the business to continue to evolve and innovate, and have a role to play in 50 years.
We’re just here to govern and minimise risk. It’s pretty simple when you bring it back to questions like, ‘will the power be on tomorrow?’ Yes. It will. ‘Will we be able to make good decisions about the power that we have available to us?’ Yes. We will. ‘Will we be able to make sure that if a power line goes down, our crews have the right information to go out to site at the right time. And is that available to them?’ Cyber security risk inherent in all of those processes. Let’s minimise the risk.