How Veolia’s Head of Cybersecurity uses collaboration to combat targeted attacks on critical infrastructure
Veolia ANZ’s Head of IT infrastructure, Cloud and Cyber Security shares how he has leveraged collaboration with industry peers, fellow utility providers, and the Australian Cyber Security Centre to strengthen cybersecurity resilience through the pandemic.
Raghu has led the cybersecurity strategy and execution across 48 countries, and during this time of targeted attacks has been hypervigilant during this time of targeted attacks on national critical infrastructure.
By sharing learnings globally and locally, he is driving the improvement of policies, procedures, adoption of network detection technology, and automation capabilities.
Welcome, Raghu to ADAPT Security Edge. As we were talking about before, I understand that Veolia as a critical infrastructure company within Australia and New Zealand.
And we recently had a new cybersecurity refresh for the whole country that definitely impacts critical infrastructure companies.
What is the impact? What is the range of impact on your organisation right now?
Yes, Veolia is a global organisation. We work in 48 countries, providing essential services across water, waste, energy, recycling. We call ourselves the resources. That’s a tag that we go by.
And because of the nature of the business that we are in and the kind of services that we provide, especially in and around recycling and water treatment. A lot of these new regulations for critical sites apply to us.
So as you’ve seen recently, there’s been a Prime Minister’s announcement around targeted attacks on national critical infrastructure.”
These are the kind of things that actually brings a lot of those concerns to people who already have those concerns. People like us who already know this is a global organisation.
Any of those compliance changes and the collaboration that’s expected, all those things are something that we as an organisation participate in.
For example, the ACSC, the Australian Cyber Security Centre. They’ve got various techniques and how you protect your organisation and what you do and collaboration and sharing of that information.
All the kind of things is something we leverage as an organisation. And the sites that are critical that need to go the extra mile to make sure they comply with those standards.
It could be regulatory compliance, requirements from those kinds of entities. So, yes, it has an impact in the sense that we’ve got to do more and we’ve got to be more thorough in terms of how we facilitate and manage those expectations.
Ok, considering that you are across 48 countries and managing all of that must be really difficult.
How do you do that?
I think in some sense it’s a strength of Veolia globally because of the operations. We’ve got a huge community internally within Veolia. We’ve got a cybersecurity community.
And that’s growing in the sense there’s been a lot of emphasis on us collaborating globally.
So, for example, if there’s an attack in one part of the world with a specific kind of attack, then that’s something we all share and learn so that we don’t have to put up with the same kind of attack.”
We learn the learnings and then decide quickly how we stop ourselves and secure ourselves from similar kind of threats.
And there are a lot of things that come out as policies and procedures and standards. And there are expectations on how all countries need to kind of secure their own environments.
And as part of that, we all go with our learnings, share our experiences. It’s actually a very good position to be in where it’s a collective effort. And if you’re not fighting that by yourself and that applies to the same locally as well. We share a lot of information with similar like-minded people and build that network. It’s all about sharing knowledge.
First question, will you be introducing new processes and systems that align with the new cybersecurity strategy to comply with that?
In a sense, yes. For example, there are regulations to say that you need to have minimum standards achieved for certain kind of criticality so that we have to be mature and we have to comply with those regulations and requirements.
We actually enhance what we have got.
We’ve already got existing processes in place and then we improve on those to make sure that we meet those requirements and get better on that because we’ve got yearly audits to see how we are performing, and then, are we meeting the minimum requirements on and so forth.
That actually is a continuous improvement process for us.
So it’s not just bringing in a new thing, but what we do is we actually collaborate with the industry peers and the ACSC.”
For example, to make sure we learn of what ACSC tells us and also like-minded critical infrastructure, essential services or utility providers.
And if that kind of leads to processes and systems and efficiencies, then do your internal community replicate it across the 48 countries, does that ever happen just as a byproduct?
Absolutely. If a specific country has done something really, really good. For example, if they’ve automated a specific process.
I’m going to use some of the technical terms here. If there’s a network detection technology that they have, utilised in a part of the world and they have had good results.”
That story gets shared.
And then we take that story and then be implemented in our part of the world.
Or if you have got the automation capability that we have built, that is saving a lot of time and effort in our part of the world and it’s given us good results, then we share that with other counterparts in other countries as a success story.
And we actually go and implement and share that knowledge so that we learn of each other so that we’re not reinventing the wheel all over.
That’s very interesting. So far for next year, there has to be one focus or top three focus that you would like to talk about.
That’s a very interesting question. I think a lot of new projects and initiatives that are being delivered in terms of improving our cyber capability, in terms of technology and tools. So reviewing those and making sure that we’re implementing them in the right fashion. They’re actually being very effective. So, that’s one.
And then the last but not least, but continuous focus on educating our users to security awareness is a big thing.”
We take that very seriously and we’re putting continuous effort in terms of improving that knowledge and educating our users to help with our overall program.