
Powering compliance with integrated resilience software

Integrated resilience software might just hold the key to ensuring companies are compliant with strict cybersecurity regulations

The energy industry was one of the first sectors to which the original Security of Critical Infrastructure (SOCI) Act applied. Subsequent amendments to the SOCI Act brought more industries into the fold, but they also ratcheted up the compliance burden on energy providers.

Just last November, for instance, the new Cyber Security Legislative package introduced new ransomware payment reporting obligations. Entities must now report within 72 hours of making a ransomware payment or becoming aware that a ransomware payment has been made.

What’s more, the reform package also gives government greater powers to direct regulated entities, such as energy providers, to address risk management program deficiencies.

How then can Australian energy providers continue to comply with critical infrastructure regulations as they evolve?

Here are the six ways integrated resilience software can help:

  1. Consolidate and streamline information capture – One of SOCI’s key requirements is reporting asset information to sectoral regulators. Software can help ensure compliance by consolidating information about assets and owners/operators, including descriptions, locations and key functions.
  2. Pinpoint gaps – Energy providers cannot comply with the SOCI requirement to develop critical-infrastructure risk management programs without first identifying gaps. Software helps in this respect, performing vulnerability assessments to pinpoint gaps that may expose the entity to threats. With those findings in tow, the energy provider can determine areas where additional resources are needed.
  3. Take a proactive approach to risk management – As mentioned, the critical-infrastructure risk management program is the cornerstone of SOCI. But as risks evolve, it’s often hard for energy providers to keep up. That’s where software comes in, enabling providers to take a proactive approach to identifying and mitigating material risks, including cyber and information, personnel, supply chain, physical and natural risks – all using a standardised methodology to ensure consistency.
  4. Increase preparedness – Regulation has increased as the threat picture has deteriorated, so it’s vital that software functionality keeps up, too. Integrated resilience software does just that, enhancing preparedness by enabling energy providers to create incident response plans using automated plans and checklist functionality that they can then leverage to conduct regular exercises to test general preparedness, mitigation, and response capabilities. Added threat intelligence functionality also helps, keeping energy providers ahead of potential threats. Meanwhile, situational awareness dashboards consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.
  5. Improve incident response times – Of course, there’s no getting away from SOCI’s incident response requirements. Software can help, generating automated notifications when information changes to ensure updates are shared with regulators in a timely manner. Powerful workflows also function to allocate personnel to complete mandatory reporting, then assign tasks, record decisions and share updates before using investigations to identify controls to prevent reoccurrence.

Finally, recent cyberattacks on critical infrastructure assets demonstrate why the compliance burden is so steep on the industry. Where then should energy providers turn?

Integrated resilience software providers – like Noggin – empower energy providers to meet evolving compliance obligations in a centralised workspace where teams can work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions and continually learn from insights to strengthen resilience.
