Hype surrounding the internet of things has intensified in recent years, but while AusNet is keen to embrace the trend, that won't extend to critical power infrastructure assets in Victoria.
Addressing the AISA national conference in Melbourne, CISO Babu Srinivas said protecting electricity distribution and transmission assets was a priority for AusNet.
"If you look at critical infrastructure, one thing we have to remember is what the non-negotiables are," Srinivas said.
"For us, it is electricity transmission and distribution. Of these two, electricity transmission is the top priority for us because if something happens to that, the whole state will have a power outage."
A regulated industry
A central factor in AusNet's approach is the regulatory requirements imposed on it by the state government.
"The Victorian government has the Emergency Management Act 2013, and as part of that, very recently, they have released the 'critical infrastructure resilience strategy'," Srinivas said.
"What the strategy talks about is how critical infrastructure should operate in Victoria, how they should interact with each other, what are the interdependencies.
"Infrastructure is further classified as vital, major, significant and local, depending on how important the infrastructure is and which part of the state it affects, whether it's the whole of Victoria or individual communities."
The legislation also contains clear guidelines from the minister in terms of what AusNet's obligations to the community are as a critical infrastructure operator, Srinivas said.
"It's a good framework, and based on it organisations have to come up with their own frameworks for emergency management," he said.
"Government officials and Victoria Police are the witnesses to a lot of these exercises. It has helped us over the past nine years to improve our posture in terms of managing emergency events."
Srinivas acknowledged there were use cases where IoT devices could potentially benefit end users.
He cited the advanced metering infrastructure (AMI) program, which was developed in 2006 and has seen the rollout of smart meters to residential and small business premises in Victoria.
"On the flipside, if you look at the smart meter as an example, that allows our customers to interact with their meters and with meter data, that is less critical," Srinivas said.
"If there is an issue, it is contained locally within that community or customer. [If there's an issue in] the transmission network, those issues are felt widely.
"So that's why we've segregated the network into information technology and operational technology, with either an air gap or segregation."
This separation also extends to internal networks and operational SCADA systems, which have been caged off from the rest of the company's IT infrastructure.
"We treat them as being two different networks," Srinivas said.
Where data from operational technology needs to be accessed from outside, Srinivas is keen to make sure the flow of information is in one direction only.
"How much of that data do you want to expose to the public?" Srinivas said.
"You need to have a mechanism where the data sits in the DMZ, and if end users manipulate it, the manipulated data can't come back."
According to Srinivas, long-term planning in traditional IT environments usually takes into consideration the next five years.
By contrast, with critical grid infrastructure, planning needs to consider the next 20 years.
"We haven't done upgrades on these particular devices because the life of these devices is quite long, and innovation in [the SCADA] domain was pretty slow for many of those years," Srinivas said.
"But now we're seeing a lot of action in terms of improving those legacy applications or systems.
"In the past, some systems didn't have a lot of security in place, so we didn't upgrade those systems.
"The question is do the security controls meet our requirements, and if not, we need to look at what compensatory controls we need to put in place."
As an example, Srinivas said that while some transformers come with built-in web servers, suppliers have in some cases not been fully aware of the related IT risks.
"I can't ask the vendor to give continuous updates to the web server [in that transformer], because the vendor will say 'I gave you this web server as a convenience. It's your choice if you use it, or connect your laptop directly to the transformer instead'," he said.
"In such instances, we don't have a way forward. So we'll ring-fence those things, or we won't use that capability at all, and we'll dispatch staff to the site to collect the data.
"The newer products that we are getting are more proactive in terms of having better software built into them."
Correction: This article previously identified Srinivas as the CISO for AGL. He is the CISO for AusNet. We have updated the article and apologise unreservedly for the error.