Maintaining the security of critical infrastructure is a top priority for MainPower, a shareholder-owned electricity distribution company based in Rangiora, New Zealand. Responsible for delivering electricity to over 44,000 homes and businesses, MainPower faces increasing pressure to protect its IT and operational technology (OT) systems from evolving cyber threats.
MainPower regularly conducts security assessments of its IT infrastructure, but with the threat landscape changing (and growing), the company recognised the need for tougher evaluations than ever.
"We decided our next round of assessments should be based on an industry-standard audit, making it more comprehensive than anything we’d done before," said Nick Wakefield, Technology and Digital Systems Manager at MainPower.
This led MainPower to partner with Inde, a trusted leader in IT and cybersecurity solutions, to undertake a rigorous security audit. The goal was not only to identify vulnerabilities but also to create a forward-looking strategy that would future proof their operations against emerging threats.
"We’ve always taken security seriously, but this time we wanted to go deeper. Our plan was to move beyond standard assessments to benchmark ourselves against an industry-standard framework," Wakefield said.
Photo: www.mainpower.co.nz
Partnering towards security excellence
Inde’s ‘strategise and execute’ approach resonated with MainPower’s team, which was keen for actionable solutions.
"Inde is our preferred security partner. Their reputation in the market is strong and they brought an approach that wasn’t just about identifying issues, it was about taking practical steps to resolve them," Wakefield said.
Inde’s proposal to utilise the CIS Critical Security Controls framework was another key factor in the decision to partner with them.
The CIS framework uses implementation groups to illustrate where an organisation sits in terms of its security posture - IG1, IG2, and IG3. IG1 is foundational, essentially cyber hygiene. IG2 builds on those minimum standards, focusing on protection against common attacks, while IG3 is the gold standard.
That meant MainPower could easily see how to get from IG1 towards eventually achieving IG3.
"We started with a focus on foundational security and cyber hygiene, but our goal has always been to strengthen our defences against more advanced threats and continue progressing toward more robust and proactive security measures," Wakefield said.
A comprehensive security audit
The security assessment undertaken by Inde was designed to be both rigorous and comprehensive, encompassing all aspects of MainPower’s IT and OT systems. Inde’s team conducted the audit from the perspective of a skilled cybercriminal, simulating real-world attack scenarios to identify potential vulnerabilities.
“Merging a pragmatic controls assessment with practical adversarial testing means we expose weaknesses that cannot be picked up by a traditional tick-box audit. Our ultimate goal is to help organisations achieve true defence-in-depth and make their environment inhospitable to intrusion,” Tim Foxell, Security Director at Inde said.
This resulted in an extensive 130-page report, providing recommendations spanning from quick fixes to more complex, long-term initiatives.
“The report came with findings, what those findings meant, and what the remediation plan looked like. When I provided the board with the report they threw questions at me for an hour. That’s how seriously they took it,” Wakefield said.
“It became our security roadmap for the next 24 to 36 months.”
”It’s been a game-changer for our organisation”
The assessment enabled MainPower to implement a 12-month remediation plan that addressed critical vulnerabilities and laid the groundwork for ongoing improvements. Despite the extensive scope of the work, updates were managed with minimal disruption to day-to-day operations.
"In the operational side, staff likely didn’t notice much difference,” Wakefield said. “Our goal was to strengthen security without breaking the business, which I believe we achieved.”
Even better, the company saw measurable improvements in security benchmarks and scores showcasing their progress.
"We’ve seen significant improvements in our security posture and we’re now on track to reach the second level of the CIS Controls framework. It’s been a game-changer for our organisation," Wakefield said.
Photo: www.mainpower.co.nz
Partnership spells continuous improvement
Recognising the dynamic nature of cybersecurity, MainPower has committed to ongoing collaboration with Inde to address emerging threats and maintain its tighter security. Monthly meetings between the two teams provide a platform to review progress, discuss updates, and implement necessary changes.
"We trust Inde to guide our security decisions. When they recommend a change, we act on it immediately. That level of trust is invaluable," Wakefield said.
While MainPower plans to conduct its next security assessment with an independent third party to validate the progress achieved so far, Inde remains the key partner in the company’s broader security strategy, providing expertise and support whenever needed.
"Technology evolves quickly, creating new vulnerabilities. Inde helps us stay ahead, ensuring our systems remain secure as the landscape changes," Wakefield said.