Even with board support, Horizon Power’s CISO was in for a shock

Everything seemed like it was going well for Horizon Power, a Western Australian power supplier that had been actively updating its cybersecurity practices to support a major digital transformation project aiming to tap data-driven analytics to reinvent its customer service.

Led by an integrated project team, business units were working together on a digital transformation that had begun as incoming CEO Stephanie Unwin pursued ways to better use data-driven information technology (IT) systems to improve customer choice, and to streamline and secure the operation of its operational technology (OT) assets.

“What was surfacing for Horizon as an organisation is that people wanted the ability to choose different types of energy options, such as solar and storage batteries,” Horizon Power CISO Jeff Campbell said during a recent Rubrik webinar, in which he outlined the transformation of the organisation’s core systems.

“It was a great opportunity to look at cyber and how that would play a part,because now we’re talking about technology underpinning a lot of these new solutions. It was about consolidating the core and using it to enable the foundations of what we needed to do from a cyber and technology perspective,” Campbell said.

As distinct from conventional models that separate power generation, transmission, distribution and retail, Horizon Power is highly vertically integrated—forcing it to manage every aspect of power generation and delivery to 45,000 retail customers, connected by 8356km of transmission and distribution lines spread across 2.3 million square kilometres.

That vertical integration meant Horizon could, for example, tweak its energy products and generation based on better analysis of customer behaviour data collected at the retail level. And digitisation of asset-management functions would allow the energy giant to streamline the servicing of its generation network by optimising the movement of its skilled workforce.

“We were moving from IT excellence to business excellenceby hearing what the business wanted from technology and moving those complex and hard-to-use systems to digitally-enabled systems,” Campbell said

Getting the board on board

To build internal momentum for the project, Campbell and his colleagues had dutifully applied project management best practice, for example by breaking down the company’s current and desired states, then mapping that to a Zachman Framework that enabled project goals to be translated into plain-English mission statements, understandable even by those without technical backgrounds.

Given the growing cybersecurity threat to Australia’s critical infrastructure (CI) systems before and during wartime, and the new imperatives placed on CI operators by evolving legislation – has Gartner has predicted that 30% of CI organisations globally will experience a security breach by 2025—explaining and mitigating the risk to both IT and OT systems was a critical job for Campbell.

The use of Zachman Framework meant positive wins including getting better buy-in for the program and the initiatives Horizon was trying to achieve.

“We managed to get extra funding for the things that had been lacking, such as upgrading our security solutions; developing capabilities around the SOC and around endpoint vulnerability management; and bringing OT along for the ride,” Campbell said.

Regular external assessments suggested that the project was progressing swimmingly. Yet for all its success, the project entered a new phase when those same assessments identified that all the teams’ success to date had not yet managed to fix the weaknesses posed by the human element.

Despite having normalised cyber awareness training across the organisation, staff were still clicking through on links, entering credentials and entering their passwords

“Anti-phishing campaigns were not as effective as we had hoped lack of understanding of shared responsibility for cyber across the organisation,” Campbell said. “Even though we had board approval, and we had a strong technology foundation and infrastructure in place, and we had an awareness program, there was still that lack of understanding.”

How Horizon Power anticipated insecurity

For all its promise and success to date, the realisation that the project was facing all-too-common obstacles forced the cybersecurity team to rethink what they were doing as a cyber team. That meant going back to the basics to understand what the company was trying to achieve, and how it could better bake security culture into the organisation’s operations.

Although the team had adopted the industry-developed Australian Energy Sector Cybersecurity Framework (AESCF) to guide much of its cybersecurity work, it began revisiting its cybersecurity approach to consider how it could minimise its exposure to click-happy users.

A systematic risk-evaluation process saw the project team embrace the ASD Essential Eight guidelines, plotting out its existing capabilities against what has become Australia’s accepted best-practice approach to managing IT risk.

Ensuring a robust patching regime, for example, would minimise exposure to new vulnerabilities while capabilities like privileged access management and multifactor authentication (MFA) could not only reduce the potential for compromise, but minimise the blast radius when something slipped through.

“As we found out, staff will click on links that will allow their credentials to be leaked. The best way to protect against that is to multifactor everything internally, and to look at your privileged users and how you can layer MFA across the systems they access,” Campbell said.

Ultimately, it became clear that the best way to measure the company’s progress in hardening its endpoint interface was not just through self-evaluation checklists, but by engaging outside penetration testers and, Campbell said, giving them the “keys to the kingdom”.

“More often than not, you’ll see organisations come through and maybe do a blind pen test or a vulnerability scan, but this probably doesn’t provide a lot of value in terms of what you’re trying to understand in terms of protection. It’s better that you let them know your network, and where your critical assets are,because it’s better that you find out in a controlled way what your vulnerabilities are, rather than not knowing, or getting a pen test where they haven’t really gone as deep as they needed to,” Campbell said.

Cultural and technological changes

Years after Horizon Power began its transformation, Campbell said the company’s baseline security capabilities have improved considerably.

Outsourcing a range of operational functions to managed service providers, for example, has improved the company’s capabilities, improved the third-party companies’ security postures as well, and improved overall awareness through gamification approaches like security-awareness leader boards.

Redoubling the training focus on executives and their assistants has proved valuable, Campbell said, noting that “more often than not, they’re the ones that are targeted from open source intelligence; [by cybercriminals] understanding where the power lies within an organisation, those individuals can get targeted and leak quite sensitive information.”

As the CI sector continues to work through the implications of the government’s renewed cybersecurity mandates—fuelled by growing international unrest and concerns about the impact of a ransomware or other malware attack disabling Australian CI—Campbell said the utility has embraced the need for change.

IT and OT team members are regularly embedded in each other’s teams to foster mutual understanding, for example, while Horizon Power’s teams work closely with industry peers in what has become a far more open, collaborative approach than ever before.

“We no longer keep our cards close to our chest. We’re quite happy to share information about common vulnerabilities or threats that we’re facing and sharing approaches and tools that we’ve used—and what has worked, and what hasn’t. We do that together, and it has created a sense of really strong collaboration within our organisation. As we extend that out further, it’s clear that sharing knowledge has been a good thing,” Campbell said.