Cyber security at Stanwell: Keeping the lights on

11 August 2021

Cyber security is vitally important to Stanwell. As a major participant in the National Electricity Market (NEM), Stanwell generates more than a third of all electricity in Queensland. Stanwell’s sites are classed as critical infrastructure by the Australian Government, and as part of Home Affairs’ efforts to protect the country, it is included in its 2020 Cyber Security Strategy.

Because it is so important, we prioritise cyber security – especially when it comes to having the right people in place, with the right tools and support to succeed.

Our Architecture and Cyber Security Governance Manager, Chris Pennycuick, is wise beyond his years. He began working in information and communications technology (ICT) nearly 20 years ago, after being recruited in his first year of university for a business-sponsored scholarship program, working full-time while completing his degree at night.

Unofficially, he’d already made a start in high school, building his school’s website and, once he graduated, handing its ICT team a list of security holes he’d uncovered in the systems.

Today, Chris heads up the team responsible for Stanwell’s architecture governance and cyber security, and he has been called on as a guest lecturer on cyber security at universities and security forums.

Around the world, the scale and sophistication of cyber threats from both state and non-state actors continue to increase. Stanwell, alongside other participants in the energy industry, isn’t immune to these threats and has been targeted in the past.

“In my role, I’m in charge of two different functions,” Chris said.

“The first is Architecture Governance, ensuring solutions align to our corporate and technology strategies. It ensures our technology investment is impactful and achieves business outcomes in a commercial and sustainable way.

“The second is Cyber Security, ultimately securing the reliability of the power that Stanwell supplies Queensland.”

Chris wasn’t always a cyber security specialist — he began his career as a programmer before transitioning into consulting and enterprise architecture.

“I’d always dabbled in security and had some adventures in my schooling years,” Chris said.

“I came across the space while working in consulting and personal projects, with my current position being my first permanent security role.

“Stanwell has been a fantastic place to grow into a security management role — I’ve had the opportunity to set direction, implement security, and influence policy thanks to a supportive management team.”

Chris says moving from a technical role into a managerial role has had its challenges, but it has been very rewarding.

“It sounds clichéd, but making the transition from being a technical contributor working on self-directed projects for long hours, to taking on more managerial responsibilities concerned with people management, policy, and strategy, has required a different skill set,” he said.

“Learning to set and drive an agenda is very different than programming. Transitioning from taking direction to setting direction is a big learning curve. At first it is daunting to set direction for a team – I had to battle through impostor syndrome and become comfortable with making decisions based on available information. It is difficult to override perfectionist personality traits and make a call.

“After setting the agenda, I had to learn how to ‘sell’ cyber security, to be an effective advocate for why the work we do is important, why it’s worth investing in, and explaining the value to the business.

“I enjoy working at Stanwell because it’s great to contribute to something that affects everyone, like reliable power supply, and there’s always something happening in the energy industry — whether it’s technology, the markets, or both!” Chris said.

Working in power generation means operating in a very public industry, and being so publicly visible can also make you a target.

“One major test of our cyber security came in 2019 when Meandu Mine was the subject of a three-month-long, ultimately unsuccessful, phishing campaign that we learnt came from Emotet, the same group who had successfully launched a cyber-attack on a hospital system in Victoria,” Chris said.

“There were a few sleepless nights, but I was very proud to see that our controls held strong and we made it through unharmed with no infections.”

It’s an interesting time to be working in the cyber security space, and it’s still a relatively young field, Chris says. When asked what his top concerns in cyber security are today, Chris cited two.

“The first is that criminals will continue to monetise hacking in any way they can, disregarding the damage they cause,” he said.

“The second is that geopolitical tensions could see offensive security targeting critical infrastructure.

“International norms on this aren’t yet set — it’s a very interesting time to be defending critical infrastructure.”

Architecture and Cyber Security Governance Manager, Chris Pennycuick