Energy and utility companies operate critical infrastructure that increasingly depends on IT systems. From SCADA networks controlling power generation to smart meters on customer premises, the IT and operational technology landscape in utilities is vast, distributed, and subject to stringent security requirements. Disposing of this equipment properly is both a security imperative and a regulatory obligation.

Critical Infrastructure Considerations

Energy and utility companies are classified as critical infrastructure under the Security of Critical Infrastructure Act 2018 (SOCI Act). This classification imposes specific obligations around the security of systems that support essential services, including requirements around risk management, incident reporting, and the protection of critical systems data.

These obligations extend to IT asset disposition. Equipment from critical infrastructure systems contains configuration data, network architecture information, and operational parameters that could be exploited to disrupt essential services. The SOCI Act’s risk management obligations require entities to identify and manage risks across their supply chain, which includes ITAD providers handling critical infrastructure equipment.

Apply the highest destruction standards to equipment from systems classified as critical infrastructure. Physical destruction is the recommended approach for storage media from SCADA systems, energy management systems, and network equipment controlling critical operations.

Critical infrastructure note: Configuration data from utility SCADA systems could be used to disrupt essential services. Treat this data with the highest level of security throughout the disposition process.

OT and IT Convergence

Utilities face the same OT/IT convergence challenges as manufacturing, but with the added dimension of public safety. Operational technology controls power generation, transmission, distribution, water treatment, and gas supply. As these systems become increasingly connected to IT networks, the data on OT devices becomes more sensitive and the consequences of a breach more severe.

When decommissioning OT equipment, work with the system vendor to understand specific sanitisation requirements. Industrial control systems often use proprietary storage formats and configurations that require specialist knowledge to properly sanitise. Standard IT data destruction tools may not effectively address all data on OT devices.

Smart Meter and Field Equipment

Utilities deploy millions of smart meters, remote terminal units (RTUs), and field sensors across their networks. When these devices are replaced, collecting them, destroying their data, and recycling them at scale requires systematic reverse-logistics processes similar to telco customer premises equipment (CPE) management.

Smart meters contain customer energy usage data that is personal information under the Privacy Act. Ensure that meter data is securely destroyed before meters are recycled. For meters that are collected in bulk during upgrade programs, establish a documented destruction process that can be applied at scale.

Substation and Remote Site Equipment

IT equipment at substations, pump stations, and other remote utility sites faces challenges similar to those at mining operations. Equipment may be exposed to harsh environmental conditions, sites may be in remote locations, and collection logistics can be expensive. Use the utility’s existing maintenance and logistics operations to move decommissioned equipment to central locations for batch processing.

Regulatory Compliance

Beyond the SOCI Act, utility companies must comply with industry-specific regulations from the Australian Energy Regulator (AER), state-based energy regulators, and the Privacy Act regarding customer data. Environmental regulations including Victoria’s e-waste landfill ban apply to all electronic equipment from utility operations.

Utility companies subject to the National Electricity Rules or National Gas Rules have specific obligations around information management and security that may affect ITAD practices. Review your ITAD procedures against all applicable regulatory frameworks.

Key takeaway: Energy and utility ITAD must address critical infrastructure security obligations alongside standard data protection and environmental compliance. The consequences of a security failure in the utility sector extend beyond the organisation to public safety and essential service continuity.