Jemena embarks on journey to ISO27001 compliance


As one of Australia’s leading utility companies, Jemena owns and operates a diverse collection of energy and water transportation assets across the nation. The company delivers gas, electricity and water services to millions of domestic and business customers via pipelines and networks valued at more than $10.5 billion.

Jemena’s Australian infrastructure includes an 11,000km-long electricity network in Victoria, a 25,000km gas network in New South Wales, gas pipelines in Queensland, and a pipeline connecting Victoria’s Gippsland Basin to Sydney. Jemena is jointly owned by the State Grid Corporation of China and Singapore Power.

Securing operational technology assets
As a utility company, Jemena is reliant on the SCADA systems that monitor and control its numerous networks. Data generated by these operational technology (OT) systems is relayed to the company’s data centres in New South Wales and Victoria and processed by a fleet of 70 servers and 30 workstations.

“Having effective security in place is vital to ensure we are able to meet the needs of our customers at all times,” says Calvin Li, Jemena’s SCADA security engineer. “If any problems occurred in our control systems it could cause disruption to our customers.”

To ensure the security mechanisms and methods in place were the best possible, a decision was taken in early 2017 to attain internationally recognised ISO27001 certification. “We knew we had a range of security elements in place but we wanted to be sure they were operating together as a cohesive whole,” says Li. “Also, as there is no recognised security framework for operational technology, we felt ISO27001 would be the best fit for us.”

Assessing the gaps
As a first step in the compliance process, the Jemena security team undertook a gap analysis designed to determine where any weaknesses might exist. This involved a thorough assessment of everything from the physical security within the data centres to the hardware and software supporting the SCADA systems.

Li says CQR’s extensive experience in the utilities sector, together with its sound knowledge of what is required to reach full ISO27001 compliance, made the decision a simple one, and work began in mid-2017.

Achieving compliance
Working alongside the Jemena security team, CQR reviewed each identified gap and advised on the steps required to close it. CQR also conducted training for team members to ensure they understood what was required to not only achieve certification but retain it in the longer term.

Work then focused on building the frameworks, strategies and workflows that would be needed to meet the requirements of ISO27001.

“Once we believe we have undertaken all the steps, CQR will conduct an internal audit to determine whether there are still any gaps that need to be addressed,” says Li. “We will then complete any remedial work before our final, formal audit, which we are aiming to take place by October.”

Business benefits
Once ISO27001 certification has been attained, the Jemena SCADA management team will be confident it has proper guidelines and best practices in place to ensure the highest possible security standards.

“We will also have a comprehensive, documented security framework in place that all staff can follow into the future,” says Li. “Our senior management is keen to have this as a standard approach that is followed across the company.”

Li says that, because energy companies are heavily monitored by the Australian energy regulator, having compliance will be clear evidence that Jemena has taken all steps necessary to ensure the security of its critical SCADA infrastructure, and is operating in alignment with a recognised international standard.

Further benefits will be attained once the company achieves compliance with the ISO55001 asset management standard later this year. This will serve to further strengthen security and ensure Jemena is best placed to meet any future issues that might arise.

“Our challenge will then be to ensure both certifications work together as a cohesive whole and CQR is working to help make sure this happens,” says Li. “There is no point having two frameworks in place that are not tightly integrated.”